1. Base env : odoo17, windows 10
2. I'm coding a new module, a new model , trying to diplay page fields changed history by inheriting the [mail] models:
    _inherit = ['mail.thread', 'mail.activity.mixin']
3. the attachment field is defined as :
   op_contract_attachment_ids = fields.Many2many('ir.attachment', string="attach files", copy=False, tracking=False)
4. "Access Denied by record rules for operation:...." pops up when an other user tries to open a newly created record with an attachment file, even though I added the user to the "Followers".
5. In the create user's page, the attachment file isn't added to the message history column in the right part of the page when the record is newly created, and it is ok as expected.
6. But, when the record is updated (delete the old attachment file and add a new one)，the page can be opened by an other user without error message disregarding the login user is in the followers or not.
7. If a new file is added without removing the old attachment file, the page is still can NOT be opened by an other user.
8. After the page was edited and commited, the attachment files updated will be displayed in the message history column in the right part of the page. It seems like that the "tracking=False" in the field definition was disregarded.
9. The newly created record CAN be opened without displaying the attachment filed in the page by an user who has NO access right to the field. I think this is because that I defined the attachment filed with groups specified in the XML file as:
   
10. For the user who has no right to access to the attachment field:
11. 1. if a new file is added without removing the old one, he CAN NOT open the page
    2. if a new file is added with removing the old one, he can open the page, even though he is not a follower.
12. In the "10.b" above, the attachment file field is not displayed in the page main body according to the "groups" specified. BUT the attachment file is displayed in the message history column in the right part of the page. And this is not  appreciated, because that user is NOT expected to see the attachment file.
13. My ultimate objective is ：
14. 1. Users in special groups(specified in secrurity.xml or in setting page) can open the newly created record.
    2. In the message history column, I need to control the attachment file displaying or not according to the login user's rights through system security settings or python code/xml  based logic control.
    3. In the message history column, the user who has no access rights to the attachment file, he can read other messages yet.
    4. If the attachment file update info is included in one message record, the user who has no access right to the attachment file can also read the rest part of the message record except the info about the attachment file field.

How should I do ?

Thanks a lot!

31 July, 2024