Skip to Content
Musisz się zarejestrować, aby móc wchodzić w interakcje z tą społecznością.
Wszystkie posty Osoby Odznaki
Tagi (Zobacz wszystko)
odoo accounting v14 pos v15
O tym forum
To pytanie dostało ostrzeżenie
securityaccounting
1 Odpowiedz
637 Widoki
Awatar
SIA, MILWELL HUI

In Odoo if you are member of any accounting group, you can access both AR and AP records

Using groups in menus can separate access, but this can easily be bypassed by bookmarking the URL  like "http://odoo16/web#action=249&model=account.payment&view_type=list&cids=1"

Is there a more secure way of preventing access?  I'm thinking of a custom search function.  But is there a better way? 

Awatar
Odrzuć
Awatar
SIA, MILWELL HUI
Autor Najlepsza odpowiedź

I have found solution by overriding the controller

import logging
from odoo.addons.web.controllers.action import Action
from odoo.exceptions import AccessDenied
from odoo.http import Controller, request, route


_logger = logging.getLogger(__name__)


class SecureAction(Action):

    @route('/web/action/load', type='json', auth="user")
    def load(self, action_id, additional_context=None):
        retval = super().load(action_id, additional_context)
        if 'id' in retval:
            window_action = request.env['ir.actions.act_window'].sudo().browse(retval.get('id'))
            if window_action.allowed_groups_id:
                if not any(allowed_group in request.env.user.groups_id for allowed_group in window_action.allowed_groups_id):
                    raise AccessDenied(
                        '{} ({}) can only be accessed by {}'.format(
                            window_action.display_name,window_action.xml_id,', '.join(window_action.mapped('allowed_groups_id.full_name')))
                    )
        return retval

Also adding special field in Window Action

from odoo import models, fields, api, _
from datetime import datetime, timedelta
import logging

_logger = logging.getLogger(__name__)

class WindowAction(models.Model):
    _inherit = 'ir.actions.act_window'

    allowed_groups_id = fields.Many2many('res.groups',relation="rel_allowed_groups_window_action")

View code

<odoo>
    <record id="view_window_action_form" model="ir.ui.view">
        <field name="inherit_id" ref="base.view_window_action_form"/>
        <field name="model">ir.actions.act_window</field>
        <field name="arch" type="xml">
            <notebook>
                <page name="allowed_groups" string="Allowed Groups">
                    <field name="allowed_groups_id" nolabel="1">
                        <tree editable="bottom">
                            <field name="full_name"/>
                        </tree>
                    </field>
                </page>
            </notebook>
        </field>
    </record>
</odoo>

Anybody else have another idea? 







Awatar
Odrzuć
Powiązane posty Odpowiedzi Widoki Czynność
Can I perform multi-division accounting and security?
security salesteams accounting
Awatar
0
mar 15
3679
simplified chart of accounts for non-profit organization
accounting
Awatar
1
sie 25
251
Why does the same bank transaction appear on different bank statements? How can I fix it?
accounting
Awatar
0
sie 25
186
Bill import template
accounting
Awatar
Awatar
Awatar
2
sie 25
189
Analytical distributions by amount in accounting app Rozwiązane
accounting
Awatar
Awatar
Awatar
2
sie 25
773