This question has been closed
2 Replies
503 Views

Hi all,

The user can view their own draft invoices, but gets an AccessError when attempting to access their own posted invoices. create_uid remains correct for both draft and posted states.


I have the following record rule on account.move:

[('create_uid', '=', user.id)]

Permissions: read, write, create (no delete).

EDIT: This record-rule is part of a new custom group called Accounting / Invoicing: Own Documents Only.


Why does the rule not apply to posted invoices?


NOTE: I'm using Odoo Online

Error Message:

Access Error

Uh-oh! Looks like you have stumbled upon some top-secret records. Sorry, test user (id=21) doesn't have 'read' access to: - Journal Entry (account.move) If you really, really need access, perhaps you can win over your friendly administrator with a batch of freshly baked cookies.

Traceback:

Traceback (most recent call last):
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 1957, in _transactioning
    return service_model.retrying(func, env=self.env)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/service/model.py", line 137, in retrying
    result = func()
             ^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 1924, in _serve_ir_http
    response = self.dispatcher.dispatch(rule.endpoint, args)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 2171, in dispatch
    result = self.request.registry['ir.http']._dispatch(endpoint)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/addons/base/models/ir_http.py", line 329, in _dispatch
    result = endpoint(**request.params)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/http.py", line 727, in route_wrapper
    result = endpoint(self, *args, **params_ok)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/controllers/dataset.py", line 35, in call_kw
    return call_kw(request.env[model], method, args, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/api.py", line 517, in call_kw
    result = getattr(recs, name)(*args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/models/models.py", line 163, in web_read
    for vals in co_records.web_read(field_spec['fields'])
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/addons/web/models/models.py", line 86, in web_read
    values_list: list[dict] = self.read(fields_to_read, load=None)
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/odoo/src/odoo/18.0/odoo/models.py", line 3800, in read
    self._origin.fetch(fields)
  File "/home/odoo/src/odoo/18.0/odoo/models.py", line 4101, in fetch
    raise self.env['ir.rule']._make_access_error('read', forbidden)
odoo.exceptions.AccessError: Uh-oh! Looks like you have stumbled upon some top-secret records.

Sorry, test user (id=21) doesn't have 'read' access to:
- Journal Entry (account.move)

If you really, really need access, perhaps you can win over your friendly administrator with a batch of freshly baked cookies.
Best Answer

Hi, 
I hope this will help,

['|', ('create_uid', '=', user.id), ('state', '=', 'posted')]

If the user needs access to posted invoices:

  1. Assign them to the Accounting / Accountant group (group_account_user).
    • This group typically has the required permissions for posted invoices.
  2. If full access isn't appropriate, consider creating a new group with limited permissions and assign it to the user.


Author

Hi John,

Thanks for your input! I’ve created a new group called **`Accounting / Invoicing: Own Documents Only`** and added the following record rule:
```python
[('create_uid', '=', user.id)]
```
The goal is to ensure users can only see **their own invoices**.

The domain filter you suggested, however, would allow users to view **posted invoices created by others**, which isn’t the behavior I’m looking for.

Appreciate your suggestion! Let me know if you have any other thoughts.

Best Answer

Hi,

1. Update the rule to include invoices in the posted state.

[('create_uid', '=', user.id), '|', ('state', '=', 'draft'), ('state', '=', 'posted')]

2. Ensure no other record rule conflicts with this rule.


Hope it helps

Author

Thanks for your reply. I'm still getting the same access error with your suggested record rule. I have a feeling the `user.id` field is not available during the record rule evaluation when the invoice is posted.
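
The three record-rule domains posted in this thread, evaluated against constructed invoice records to show which records each one matches. This is an added example, not part of any post above and not Odoo's own code: `matches`, `visible_ids`, `RULES` and `INVOICES` are hypothetical names, `user.id` is replaced by the literal 21 from the error message, and the evaluator handles only `=` leaves.

```python
# Added example, not Odoo's implementation: minimal prefix-notation domain
# evaluator supporting only '&', '|', '!' and '=' leaves.
def matches(domain, record):
    """Return True if record (a dict) satisfies the domain."""
    def parse(pos):
        token = domain[pos]
        if token == '!':
            value, pos = parse(pos + 1)
            return not value, pos
        if token in ('&', '|'):
            left, pos = parse(pos + 1)
            right, pos = parse(pos)
            value = (left or right) if token == '|' else (left and right)
            return value, pos
        field, operator, expected = token
        if operator != '=':
            raise ValueError(f"unsupported operator: {operator}")
        return record.get(field) == expected, pos + 1

    pos, result = 0, True
    while pos < len(domain):  # top-level terms are implicitly ANDed
        value, pos = parse(pos)
        result = result and value
    return result

UID = 21  # assumption: stands in for user.id (the test user in the error)

RULES = {
    "original": [('create_uid', '=', UID)],
    "answer_1": ['|', ('create_uid', '=', UID), ('state', '=', 'posted')],
    "answer_2": [('create_uid', '=', UID),
                 '|', ('state', '=', 'draft'), ('state', '=', 'posted')],
}

# Constructed sample records; ids and the second user id (7) are made up.
INVOICES = [
    {'id': 1, 'create_uid': 21, 'state': 'draft'},
    {'id': 2, 'create_uid': 21, 'state': 'posted'},
    {'id': 3, 'create_uid': 7, 'state': 'draft'},
    {'id': 4, 'create_uid': 7, 'state': 'posted'},
    {'id': 5, 'create_uid': 21, 'state': 'cancel'},
]

def visible_ids(domain):
    """Ids of the constructed invoices that the domain matches."""
    return [inv['id'] for inv in INVOICES if matches(domain, inv)]

if __name__ == "__main__":
    for name, domain in RULES.items():
        print(f"{name:9} -> {visible_ids(domain)}")
```

On this sample the original domain already matches the user's own posted invoice (id 2), the first answer's domain additionally matches another user's posted invoice (id 4), and the second answer's domain matches a subset of the original.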