Separate groups for AR and AP user

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

客戶關係
e-Commerce
會計
庫存
PoS
Project
MRP

All apps

所有帖文人獎章

標籤（查看所有）

odoo accounting v14 pos v15

關於此討論區

支援

Separate groups for AR and AP user

security accounting

1 回覆

644 瀏覽次數

SIA, MILWELL HUI

In Odoo if you are member of any accounting group, you can access both AR and AP records

Using groups in menus can separate access, but this can easily be bypassed by bookmarking the URL like "http://odoo16/web#action=249&model=account.payment&view_type=list&cids=1"

Is there a more secure way of preventing access? I'm thinking of a custom search function. But is there a better way?

SIA, MILWELL HUI

作者

I have found solution by overriding the controller

import logging
from odoo.addons.web.controllers.action import Action
from odoo.exceptions import AccessDenied
from odoo.http import Controller, request, route


_logger = logging.getLogger(__name__)


class SecureAction(Action):

    @route('/web/action/load', type='json', auth="user")
    def load(self, action_id, additional_context=None):
        retval = super().load(action_id, additional_context)
        if 'id' in retval:
            window_action = request.env['ir.actions.act_window'].sudo().browse(retval.get('id'))
            if window_action.allowed_groups_id:
                if not any(allowed_group in request.env.user.groups_id for allowed_group in window_action.allowed_groups_id):
                    raise AccessDenied(
                        '{} ({}) can only be accessed by {}'.format(
                            window_action.display_name,window_action.xml_id,', '.join(window_action.mapped('allowed_groups_id.full_name')))
                    )
        return retval

Also adding special field in Window Action

from odoo import models, fields, api, _
from datetime import datetime, timedelta
import logging

_logger = logging.getLogger(__name__)

class WindowAction(models.Model):
    _inherit = 'ir.actions.act_window'

    allowed_groups_id = fields.Many2many('res.groups',relation="rel_allowed_groups_window_action")

View code

<odoo>
    <record id="view_window_action_form" model="ir.ui.view">
        <field name="inherit_id" ref="base.view_window_action_form"/>
        <field name="model">ir.actions.act_window</field>
        <field name="arch" type="xml">
            <notebook>
                <page name="allowed_groups" string="Allowed Groups">
                    <field name="allowed_groups_id" nolabel="1">
                        <tree editable="bottom">
                            <field name="full_name"/>
                        </tree>
                    </field>
                </page>
            </notebook>
        </field>
    </record>
</odoo>

Anybody else have another idea?

喜歡這則討論？不要只閱讀，加入發表意見吧！

今天就建立帳戶，享受獨家功能，與我們精彩的社群互動！

註冊

相關帖文	回覆	瀏覽次數
Can I perform multi-division accounting and security? security salesteams accounting	0 3月 15	3683
Listing all Invoices with their line items and custom Product fields accounting	0 8月 25	128
simplified chart of accounts for non-profit organization accounting	1 8月 25	270
Why does the same bank transaction appear on different bank statements? How can I fix it? accounting	0 8月 25	195
Bill import template accounting	2 8月 25	216

此問題已被標幟

喜歡這則討論？不要只閱讀，加入發表意見吧！