Overslaan naar inhoud
Je moet geregistreerd zijn om te kunnen communiceren met de community.
Alle posts Personen Badges
Labels (Bekijk alle)
odoo accounting v14 pos v15
Over dit forum
Deze vraag is gerapporteerd
securityaccounting
1 Beantwoorden
1116 Weergaven
Avatar
SIA, MILWELL HUI

In Odoo if you are member of any accounting group, you can access both AR and AP records

Using groups in menus can separate access, but this can easily be bypassed by bookmarking the URL  like "http://odoo16/web#action=249&model=account.payment&view_type=list&cids=1"

Is there a more secure way of preventing access?  I'm thinking of a custom search function.  But is there a better way? 

Avatar
Annuleer
Avatar
SIA, MILWELL HUI
Auteur Beste antwoord

I have found solution by overriding the controller

import logging
from odoo.addons.web.controllers.action import Action
from odoo.exceptions import AccessDenied
from odoo.http import Controller, request, route


_logger = logging.getLogger(__name__)


class SecureAction(Action):

    @route('/web/action/load', type='json', auth="user")
    def load(self, action_id, additional_context=None):
        retval = super().load(action_id, additional_context)
        if 'id' in retval:
            window_action = request.env['ir.actions.act_window'].sudo().browse(retval.get('id'))
            if window_action.allowed_groups_id:
                if not any(allowed_group in request.env.user.groups_id for allowed_group in window_action.allowed_groups_id):
                    raise AccessDenied(
                        '{} ({}) can only be accessed by {}'.format(
                            window_action.display_name,window_action.xml_id,', '.join(window_action.mapped('allowed_groups_id.full_name')))
                    )
        return retval

Also adding special field in Window Action

from odoo import models, fields, api, _
from datetime import datetime, timedelta
import logging

_logger = logging.getLogger(__name__)

class WindowAction(models.Model):
    _inherit = 'ir.actions.act_window'

    allowed_groups_id = fields.Many2many('res.groups',relation="rel_allowed_groups_window_action")

View code

<odoo>
    <record id="view_window_action_form" model="ir.ui.view">
        <field name="inherit_id" ref="base.view_window_action_form"/>
        <field name="model">ir.actions.act_window</field>
        <field name="arch" type="xml">
            <notebook>
                <page name="allowed_groups" string="Allowed Groups">
                    <field name="allowed_groups_id" nolabel="1">
                        <tree editable="bottom">
                            <field name="full_name"/>
                        </tree>
                    </field>
                </page>
            </notebook>
        </field>
    </record>
</odoo>

Anybody else have another idea? 







Avatar
Annuleer
Gerelateerde posts Antwoorden Weergaven Activiteit
Can I perform multi-division accounting and security?
security salesteams accounting
Avatar
0
mrt. 15
4330
I found a small typo in the Odoo 19 Chart of Accounts — and it made my day 😆 Opgelost
accounting
Avatar
Avatar
Avatar
2
nov. 25
276
Invoice-Digitize-Individual Line Items
accounting
Avatar
Avatar
1
nov. 25
463
How can I manipulate the email template when sending an email in Accounting so that my PDF with the XML is inserted instead of the standard view with XML?
accounting
Avatar
Avatar
1
nov. 25
335
PDF facture de vente s'imprime trop large
accounting
Avatar
Avatar
1
nov. 25
392