コンテンツへスキップ
この質問にフラグが付けられました
2 返信
508 ビュー
アバター
alshehri.hass@gmail.com

Hi all,

The user can view their own draft invoices, but gets an AccessError​ when attempting to access their own posted invoicescreate_uid​ remains correct for both draft and posted states.


I have the following record rule on account.move:

[('create_uid', '=', user.id)]

Permissions: read, write, create (no delete).

EDIT: This record-rule is part of a new custom group called Accounting / Invoicing: Own Documents Only​.


Why does the rule not apply to posted invoices?


NOTE: I'm using Odoo Online

Error Messag:

Access Error
Uh-oh! Looks like you have stumbled upon some top-secret records.

Sorry, test user (id=21) doesn't have 'read' access to:
- Journal Entry (account.move)

If you really, really need access, perhaps you can win over your friendly administrator with a batch of freshly baked cookies.

Traceback:

Traceback (most recent call last):
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 1957, in _transactioning
    return service_model.retrying(func, env=self.env)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/service/model.py", line 137, in retrying
    result = func()
             ^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 1924, in _serve_ir_http
    response = self.dispatcher.dispatch(rule.endpoint, args)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 2171, in dispatch
    result = self.request.registry['ir.http']._dispatch(endpoint)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/addons/base/models/ir_http.py", line 329, in _dispatch
    result = endpoint(**request.params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 727, in route_wrapper
    result = endpoint(self, *args, **params_ok)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/controllers/dataset.py", line 35, in call_kw
    return call_kw(request.env[model], method, args, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/api.py", line 517, in call_kw
    result = getattr(recs, name)(*args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/models/models.py", line 163, in web_read
    for vals in co_records.web_read(field_spec['fields'])
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/models/models.py", line 86, in web_read
    values_list: list[dict] = self.read(fields_to_read, load=None)
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/models.py", line 3800, in read
    self._origin.fetch(fields)
  File "/home/odoo/src/odoo/18.0/odoo/models.py", line 4101, in fetch
    raise self.env['ir.rule']._make_access_error('read', forbidden)
odoo.exceptions.AccessError: Uh-oh! Looks like you have stumbled upon some top-secret records.

Sorry, test user (id=21) doesn't have 'read' access to:
- Journal Entry (account.move)

If you really, really need access, perhaps you can win over your friendly administrator with a batch of freshly baked cookies.
アバター
破棄
アバター
John
最善の回答

Hi, 
I hope this will help,

['|', ('create_uid', '=', user.id), ('state', '=', 'posted')]

If the user needs access to posted invoices:

  1. Assign them to the Accounting / Accountant group (group_account_user).
    • This group typically has the required permissions for posted invoices.
  2. If full access isn't appropriate, consider creating a new group with limited permissions and assign it to the user.


アバター
破棄
alshehri.hass@gmail.com
著作者

Hi John,

Thanks for your input! I’ve created a new group called **`Accounting / Invoicing: Own Documents Only`** and added the following record rule:
```python
[('create_uid', '=', user.id)]
```
The goal is to ensure users can only see **their own invoices**.

The domain filter you suggested, however, would allow users to view **posted invoices created by others**, which isn’t the behavior I’m looking for.

Appreciate your suggestion! Let me know if you have any other thoughts.

アバター
Cybrosys Techno Solutions Pvt.Ltd
最善の回答

Hi,

1. Update the rule to include invoices in the posted state.

[('create_uid', '=', user.id), '|', ('state', '=', 'draft'), ('state', '=', 'posted')]

2. Ensure no other record rule conflicts with this rule.


Hope it helps

アバター
破棄
alshehri.hass@gmail.com
著作者

Thanks for your reply. I'm still getting the same access error with your suggested record rule. I have a feeling the `user.id` field is not available during the record rule evaluation when the invoice is posted.