
Hi all,

The user can view their own draft invoices, but gets an `AccessError` when attempting to access their own posted invoices. `create_uid` remains correct for both draft and posted states.


I have the following record rule on account.move:

[('create_uid', '=', user.id)]

Permissions: read, write, create (no delete).

EDIT: This record-rule is part of a new custom group called `Accounting / Invoicing: Own Documents Only`.


Why does the rule not apply to posted invoices?


NOTE: I'm using Odoo Online

Error Message:

Access Error

Uh-oh! Looks like you have stumbled upon some top-secret records.

Sorry, test user (id=21) doesn't have 'read' access to:
- Journal Entry (account.move)

If you really, really need access, perhaps you can win over your friendly administrator with a batch of freshly baked cookies.

Traceback:

Traceback (most recent call last):
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 1957, in _transactioning
    return service_model.retrying(func, env=self.env)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/service/model.py", line 137, in retrying
    result = func()
             ^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 1924, in _serve_ir_http
    response = self.dispatcher.dispatch(rule.endpoint, args)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 2171, in dispatch
    result = self.request.registry['ir.http']._dispatch(endpoint)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/addons/base/models/ir_http.py", line 329, in _dispatch
    result = endpoint(**request.params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 727, in route_wrapper
    result = endpoint(self, *args, **params_ok)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/controllers/dataset.py", line 35, in call_kw
    return call_kw(request.env[model], method, args, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/api.py", line 517, in call_kw
    result = getattr(recs, name)(*args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/models/models.py", line 163, in web_read
    for vals in co_records.web_read(field_spec['fields'])
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/models/models.py", line 86, in web_read
    values_list: list[dict] = self.read(fields_to_read, load=None)
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/models.py", line 3800, in read
    self._origin.fetch(fields)
  File "/home/odoo/src/odoo/18.0/odoo/models.py", line 4101, in fetch
    raise self.env['ir.rule']._make_access_error('read', forbidden)
odoo.exceptions.AccessError: Uh-oh! Looks like you have stumbled upon some top-secret records.

Sorry, test user (id=21) doesn't have 'read' access to:
- Journal Entry (account.move)

If you really, really need access, perhaps you can win over your friendly administrator with a batch of freshly baked cookies.
Best Answer

Hi, 
I hope this will help,

['|', ('create_uid', '=', user.id), ('state', '=', 'posted')]

If the user needs access to posted invoices:

  1. Assign them to the Accounting / Accountant group (group_account_user).
    • This group typically has the required permissions for posted invoices.
  2. If full access isn't appropriate, consider creating a new group with limited permissions and assign it to the user.


Author

Hi John,

Thanks for your input! I’ve created a new group called **`Accounting / Invoicing: Own Documents Only`** and added the following record rule:
```python
[('create_uid', '=', user.id)]
```
The goal is to ensure users can only see **their own invoices**.

The domain filter you suggested, however, would allow users to view **posted invoices created by others**, which isn’t the behavior I’m looking for.

Appreciate your suggestion! Let me know if you have any other thoughts.

Best Answer

Hi,

1. Update the rule to include invoices in the posted state.

[('create_uid', '=', user.id), '|', ('state', '=', 'draft'), ('state', '=', 'posted')]

2. Ensure no other record rule conflicts with this rule.


Hope it helps

Author

Thanks for your reply. I'm still getting the same access error with your suggested record rule. I have a feeling the `user.id` field is not available during the record rule evaluation when the invoice is posted.
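
Added example, not part of the thread and not Odoo's own code: a small evaluator for Odoo-style prefix-notation domains, used to compare which records each of the three domains posted above would select. The invoice records and the second user (uid 7) are constructed; it models only the domain logic for `=`, `&` and `|`, not other record rules, access rights or anything else Odoo checks.

```python
# Added example: evaluates Odoo-style prefix domains ('=' with '&' / '|' only).

def normalize(domain):
    """Make the implicit '&' between top-level terms explicit."""
    result, expected = [], 1              # expected: terms still needed
    for token in domain:
        if expected == 0:                 # extra top-level term: AND it in
            result.insert(0, '&')
            expected = 1
        if token in ('&', '|'):
            expected += 1
        else:
            expected -= 1
        result.append(token)
    return result

def matches(domain, record):
    tokens = iter(normalize(domain))
    def ev():
        tok = next(tokens)
        if tok in ('&', '|'):
            left, right = ev(), ev()
            return (left and right) if tok == '&' else (left or right)
        field, op, value = tok            # a (field, operator, value) leaf
        if op != '=':
            raise ValueError(f"operator {op!r} not modelled")
        return record[field] == value
    return ev()

def rules(uid):
    """The three domains from the thread, with user.id already resolved."""
    own = ('create_uid', '=', uid)
    return {
        'original': [own],
        'answer_1': ['|', own, ('state', '=', 'posted')],
        'answer_2': [own, '|', ('state', '=', 'draft'), ('state', '=', 'posted')],
    }

# Constructed sample data: uid 21 is the test user, uid 7 is someone else.
INVOICES = [
    {'id': 1, 'create_uid': 21, 'state': 'draft'},
    {'id': 2, 'create_uid': 21, 'state': 'posted'},
    {'id': 3, 'create_uid': 7, 'state': 'posted'},
    {'id': 4, 'create_uid': 21, 'state': 'cancel'},
    {'id': 5, 'create_uid': 7, 'state': 'draft'},
]

def visible(rule, uid=21):
    return [r['id'] for r in INVOICES if matches(rules(uid)[rule], r)]
```

For uid 21, `visible('original')`, `visible('answer_1')` and `visible('answer_2')` return `[1, 2, 4]`, `[1, 2, 3, 4]` and `[1, 2]`. Only `answer_1` selects invoice 3, which belongs to another user, and by domain logic alone the original rule already matches the user's own posted invoice.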