Need help with ACLs and record rule

Asked by OpenBMS JSC

Hello,

I want to configure the hr module so that:

1. an employee can modify some of his/her own details
2. an employee can view all other people's info, but cannot modify others' details
3. a member of the 'Human Resources / Manager' group can modify everyone's details.

I set up the following (in addition to the default setup by module hr):

1. Assigned Read+Write to the Employee group
2. Set up 3 record rules as follows:

a) Employee: for employee to modify his/her own record => Read+Write, group 'Employee', domain=[('user_id','=',user.id)]

b) Employee Listing: for employee to see other info (no modification) => Read, group 'Employee'

c) Employee HR Manager: for people in 'Human Resources / Manager' group to do everything => Read+Write+Create+Unlink, group 'Human Resources / Manager'.

I log in as a user in the group 'Employee' only, and I can modify my details (correct), but when I click on the list of Employees, I can only see myself, instead of everyone. If I log into the admin account, I can see everyone (as expected).

Could someone shed some light on what I'm missing in the rules/ACLs?

Thanks and best regards,

Phong.

Question information

Language: English
Status: Solved
For: Odoo Addons (MOVED TO GITHUB)
Assignee: No assignee
Solved by: Stefan Rijnhart (Opener)

Best Stefan Rijnhart (Opener) (stefan-opener) said:
#1

Hi,

Group-specific rules are combined with a logical AND in case of multiple rules for the same group and mode. Try making rule 'a' apply to write operations instead of read+write.

Cheers,
Stefan.

OpenBMS JSC (openbmsjsc) said:
#2

Hi Stefan,

Thank you very much for your advice. I can now achieve objectives 1 & 2 with the following:

a) Create a record rule with Read permission for Employee group
b) Create a record rule with Write permission for Employee group, with domain: [('user_id','=',user.id)]

However, I cannot (yet) achieve objective (3): a member of 'Human Resources / Manager' group can modify everyone details.

I receive the following error, with the full stack trace below, even if I delete my rule (c) above (as HR Manager/HR User already have full access to hr.employee).

except_orm: (u'AccessError', u'Operation prohibited by access rules, or performed on an already deleted document (Operation: write, Document type: Employee).')

I guess my rules are ANDed, not ORed, together when the user (hrm) is in the groups HR Manager, HR User and Employee. If I remove hrm from the group Employee, then he cannot see any menu any more.

Any help is greatly appreciated.

Thanks.

Environment Information :
System : Linux-2.6.32-24-generic-x86_64-with-Ubuntu-10.04-lucid
OS Name : posix
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid
Operating System Release : 2.6.32-24-generic
Operating System Version : #38-Ubuntu SMP Mon Jul 5 09:20:59 UTC 2010
Operating System Architecture : 64bit
Operating System Locale : en_US.UTF8
Python Version : 2.6.5
OpenERP-Client Version : 6.0.2
Last revision No. & ID :Bazaar Package not Found !
Traceback (most recent call last):
  File "/media/data/Projects/openerp-6.0/server/bin/netsvc.py", line 489, in dispatch
    result = ExportService.getService(service_name).dispatch(method, auth, params)
  File "/media/data/Projects/openerp-6.0/server/bin/service/web_services.py", line 599, in dispatch
    res = fn(db, uid, *params)
  File "/media/data/Projects/openerp-6.0/server/bin/osv/osv.py", line 126, in wrapper
    self.abortResponse(1, inst.name, 'warning', inst.value)
  File "/media/data/Projects/openerp-6.0/server/bin/osv/osv.py", line 122, in wrapper
    return f(self, dbname, *args, **kwargs)
  File "/media/data/Projects/openerp-6.0/server/bin/osv/osv.py", line 176, in execute
    res = self.execute_cr(cr, uid, obj, method, *args, **kw)
  File "/media/data/Projects/openerp-6.0/server/bin/osv/osv.py", line 167, in execute_cr
    return getattr(object, method)(cr, uid, *args, **kw)
  File "/var/local/software/6.0-trunk/server/bin/addons/oss_hr_employee/oss_hr_employee.py", line 299, in write
    return super(oss_hr_employee, self).write(cr, user, ids, vals, context)
  File "/media/data/Projects/openerp-6.0/server/bin/osv/orm.py", line 3405, in write
    self.check_access_rule(cr, user, ids, 'write', context=context)
  File "/media/data/Projects/openerp-6.0/server/bin/osv/orm.py", line 3194, in check_access_rule
    % (operation, self._description))
except_orm: (u'AccessError', u'Operation prohibited by access rules, or performed on an already deleted document (Operation: write, Document type: Employee).')

Stefan Rijnhart (Opener) (stefan-opener) said:
#3

Hi Phong,

Please note that record rules only restrict existing ACLs. Therefore, I think you should configure the permissions of the HR manager under Administration -> Security -> Access Control Lists. If there is no additional restriction, you do not need a record rule on top of that.

Cheers,
Stefan.

OpenBMS JSC (openbmsjsc) said:
#4

Thanks Stefan,

I ended up having the domain [(1,'=',1)] on my last rule and it works, but I still don't know why it doesn't work without that domain clause. Anyway, thanks for all of your suggestions.
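The three observations in this thread (post #1: rules for the same group and mode are ANDed; post #3: record rules only narrow what the ACL already grants; post #4: a match-all [(1,'=',1)] rule on the HR Manager group makes the write succeed) can be reproduced with a small model. The following is an added illustration written for this page; it is not OpenERP/Odoo code and was not posted by anyone in the thread. The per-group AND follows Stefan's explanation; the OR across groups is my assumption, chosen because it is the combination that also explains why the [(1,'=',1)] rule worked (later Odoo versions document exactly that combination: group rules are united, global rules intersected). The user ids, employee records and helper names are constructed.

```python
"""Toy model of OpenERP 6.0 ACL + record-rule checks as reported in this thread.

Constructed illustration, not OpenERP/Odoo code. Assumptions are marked below.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

EMPLOYEE = "Employee"
HR_MANAGER = "Human Resources / Manager"

# Constructed sample data (not from the page): each employee is linked to a res.users id.
EMPLOYEES = [
    {"id": 1, "name": "Alice", "user_id": 101},
    {"id": 2, "name": "Bob", "user_id": 102},
    {"id": 3, "name": "Carol", "user_id": 103},
]

Domain = List[Tuple]  # e.g. [('user_id', '=', 101)] or [(1, '=', 1)]; [] means no restriction


@dataclass(frozen=True)
class User:
    id: int
    groups: frozenset


@dataclass(frozen=True)
class Acl:
    """ir.model.access: the modes one group is granted on the model."""
    group: str
    modes: frozenset


@dataclass(frozen=True)
class Rule:
    """ir.rule: owning group, modes it covers, and a domain built per user (user.id is resolved at check time)."""
    group: str
    modes: frozenset
    domain: Callable[[User], Domain]


class AccessError(Exception):
    pass


def matches(domain: Domain, record: dict) -> bool:
    """Evaluate only the domain shapes used in the thread: ('field', '=', value) and (1, '=', 1)."""
    for left, op, right in domain:
        if op != "=":
            raise ValueError("toy evaluator only supports '='")
        actual = 1 if left == 1 else record[left]
        if actual != right:
            return False
    return True


def allowed_ids(user: User, mode: str, acls: List[Acl], rules: List[Rule],
                records: List[dict] = EMPLOYEES) -> List[int]:
    """Ids of `records` that `user` may access in `mode`.

    1. ACL gate: some group of the user must grant `mode`, else AccessError (post #3).
    2. Rules of one group for `mode` are ANDed (post #1).
    3. Assumption: per-group results are ORed; a group with no rule for `mode` adds nothing.
       This reproduces post #2 (manager also in Employee, limited to himself) and post #4.
    4. No applicable rule at all: the ACL alone decides, every record is accessible.
    """
    if not any(a.group in user.groups and mode in a.modes for a in acls):
        raise AccessError(f"ACL: '{mode}' not granted to any of {sorted(user.groups)}")
    per_group: Dict[str, List[Domain]] = {}
    for rule in rules:
        if rule.group in user.groups and mode in rule.modes:
            per_group.setdefault(rule.group, []).append(rule.domain(user))
    if not per_group:
        return [rec["id"] for rec in records]
    result = set()
    for domains in per_group.values():  # OR across groups ...
        result |= {rec["id"] for rec in records
                   if all(matches(d, rec) for d in domains)}  # ... AND within one group
    return sorted(result)


def check_access_rule(user, ids, mode, acls, rules) -> None:
    """Mirror of the check in the traceback: raise if any requested id falls outside the allowed set."""
    denied = set(ids) - set(allowed_ids(user, mode, acls, rules))
    if denied:
        raise AccessError(f"Operation prohibited by access rules (Operation: {mode}, ids: {sorted(denied)})")


def is_denied(user, ids, mode, acls, rules) -> bool:
    try:
        check_access_rule(user, ids, mode, acls, rules)
    except AccessError:
        return True
    return False


# The domains as written in the thread.
def own_record(user: User) -> Domain:
    return [("user_id", "=", user.id)]


def no_restriction(user: User) -> Domain:
    return []


def match_all(user: User) -> Domain:
    return [(1, "=", 1)]


RW = frozenset({"read", "write"})
RWCU = frozenset({"read", "write", "create", "unlink"})
ACLS_EMPLOYEE_ONLY = [Acl(EMPLOYEE, RW)]
ACLS_WITH_MANAGER = ACLS_EMPLOYEE_ONLY + [Acl(HR_MANAGER, RWCU)]

# Post #1: rule a read+write own record, rule b read everyone -> read is ANDed down to "self".
RULES_QUESTION = [Rule(EMPLOYEE, RW, own_record), Rule(EMPLOYEE, frozenset({"read"}), no_restriction)]
# Post #2: rule a read everyone, rule b write own record only.
RULES_FIXED = [Rule(EMPLOYEE, frozenset({"read"}), no_restriction), Rule(EMPLOYEE, frozenset({"write"}), own_record)]
# Post #4: plus a match-all rule for the HR Manager group.
RULES_FINAL = RULES_FIXED + [Rule(HR_MANAGER, RWCU, match_all)]

alice = User(101, frozenset({EMPLOYEE}))            # plain employee
hrm = User(102, frozenset({EMPLOYEE, HR_MANAGER}))  # Bob, who is also an HR manager


def scenarios() -> Dict[str, List[int]]:
    return {
        "question_read": allowed_ids(alice, "read", ACLS_EMPLOYEE_ONLY, RULES_QUESTION),
        "fixed_read": allowed_ids(alice, "read", ACLS_EMPLOYEE_ONLY, RULES_FIXED),
        "fixed_write": allowed_ids(alice, "write", ACLS_EMPLOYEE_ONLY, RULES_FIXED),
        "manager_write_no_rule": allowed_ids(hrm, "write", ACLS_WITH_MANAGER, RULES_FIXED),
        "manager_write_final": allowed_ids(hrm, "write", ACLS_WITH_MANAGER, RULES_FINAL),
    }


if __name__ == "__main__":
    for name, ids in scenarios().items():
        print(f"{name}: {ids}")
    print("hrm writing Alice under post #2 rules:",
          "denied" if is_denied(hrm, [1], "write", ACLS_WITH_MANAGER, RULES_FIXED) else "allowed")
```

Running it gives the thread's progression: with the post #1 rules the employee reads only herself, with the post #2 rules she reads everyone and writes only herself, the manager who is also in Employee can still write only his own record, and the match-all rule on his HR Manager group widens the write set to everyone. The check is whether adding a rule can ever grant access the ACL does not: it cannot, because the ACL gate runs first, which is Stefan's point in post #3.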

OpenBMS JSC (openbmsjsc) said:
#5

Thanks Stefan Rijnhart (Therp), that solved my question.