[7.0] Access control: allow create, disable write

Asked by Li Wee, Ong on 2012-11-21

In 6.1, I am able to restrict the user's access privileges, i.e. allow product creation, disallow product modification

Implementation steps in 6.1
1. Install CRM, Sales module
2. Add test user
3. Settings->user->edit test user->Access Rights tab->Under sales, set "User - own leads only"
4. Settings->group->edit "User - own leads only"->Access Rights tab
5. Check "create permission" for product.product sale use
6. Check "create permission" for product.template sale use
7. Add new access rights based on model "stock.warehouse.orderpoint / Minimum Inventory Rule"
8. Check "read permission" for Minimum Inventory Rule
9. Save

With these steps, the test user is able to create products but unable to edit existing products.

However, when I try to follow these steps in 7.0, I am unable to find module "stock.warehouse.orderpoint / Minimum Inventory Rule". Furthermore, the error message also seems to indicate that there is now no distinction between create and write access? Please see the error below:

2012-11-21 00:38:45,785 2234 WARNING None openerp.addons.base.ir.ir_model: Access Denied by ACLs for operation: write, uid: 321, model: product.product
2012-11-21 00:38:45,786 2234 ERROR None openerp.netsvc: Access Denied
Sorry, you are not allowed to modify this document. Only users with the following access level are currently allowed to do that:
- Sales/Manager

(Document model: product.product)
Traceback (most recent call last):
  File "/opt/openerp/server/openerp/netsvc.py", line 361, in dispatch_rpc
    result = ExportService.getService(service_name).dispatch(method, params)
  File "/opt/openerp/server/openerp/service/web_services.py", line 596, in dispatch
    res = fn(db, uid, *params)
  File "/opt/openerp/server/openerp/osv/osv.py", line 167, in execute_kw
    return self.execute(db, uid, obj, method, *args, **kw or {})
  File "/opt/openerp/server/openerp/osv/osv.py", line 123, in wrapper
    raise except_osv(inst.name, inst.value)
except_osv: ('Access Denied', u'Sorry, you are not allowed to modify this document. Only users with the following access level are currently allowed to do that:\n- Sales/Manager\n\n(Document model: product.product)')
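
The `ir_model` warning in the log above names the denied operation, the uid and the model, which is what an administrator needs before deciding whether to grant a group another permission. The following is an added example, not part of the original question or of OpenERP: a small parser that groups such denials per user and model. Only the first sample line comes from the question; the other lines are constructed.

```python
import re
from collections import defaultdict

# Matches the ir_model warning format shown in the question's log.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \d+ WARNING \S+ "
    r"openerp\.addons\.base\.ir\.ir_model: Access Denied by ACLs for "
    r"operation: (?P<op>\w+), uid: (?P<uid>\d+), model: (?P<model>[\w.]+)"
)

# Sample log: the first line is from the question, the rest are constructed.
SAMPLE_LOG = """\
2012-11-21 00:38:45,785 2234 WARNING None openerp.addons.base.ir.ir_model: Access Denied by ACLs for operation: write, uid: 321, model: product.product
2012-11-21 00:38:45,786 2234 ERROR None openerp.netsvc: Access Denied
2012-11-21 00:41:02,101 2234 WARNING None openerp.addons.base.ir.ir_model: Access Denied by ACLs for operation: write, uid: 321, model: product.product
2012-11-21 00:42:10,552 2234 WARNING None openerp.addons.base.ir.ir_model: Access Denied by ACLs for operation: unlink, uid: 322, model: res.partner
"""


def summarize_denials(log_text):
    """Return {(uid, model): {operation: count}} for every ACL denial."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:  # ERROR lines and tracebacks do not match and are skipped
            summary[(int(m["uid"]), m["model"])][m["op"]] += 1
    return {key: dict(ops) for key, ops in summary.items()}


def report(summary):
    """Render one line per (uid, model) listing the denied operations."""
    lines = []
    for (uid, model), ops in sorted(summary.items()):
        detail = ", ".join(f"{op} x{n}" for op, n in sorted(ops.items()))
        lines.append(f"uid {uid} denied on {model}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_denials(SAMPLE_LOG))))
```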

Question information

English
Odoo Addons (MOVED TO GITHUB)
No assignee
Solved by: Li Wee, Ong
Li Wee, Ong (liwee-ong) said : #1

Hello Li Wee,

As I said on the bug report, you have to assign write rights on the product.product object; then you can create the product.

First of all, we don't allow the Sale/Own Lead User to create products; that's why we have given only read rights to that user. After that, if you want this user to create the product, you have to assign both create and write rights on the object to the groups. This affects not only the product.product object but all ORM objects as well, because this is our framework architecture.

As per our framework architecture, whenever you press the "Create" button, the ORM's create method is called. In the same way, when you press the "Save" button, the ORM object's write method is called.

So finally, if you want to create any object, you should also assign that object's write rights.

Hope this will help.

Thank you!

Li Wee, Ong (liwee-ong) said : #3

Hi Twinkle Christian,

Thanks for taking the time to answer my question and I apologize for submitting this wrongly as a bug.
It seems that I managed to separate "create" & "write" access in 6.1 by accident.
Nevertheless, is there a way within the Access Control Framework to separate create / write access?

Not sure if our scenario is unique but the core data (e.g. products / customers) is maintained by the administrator.
But daily opportunities / quotation entries may involve new customers / products which will initially be entered by the sales team and subsequently assigned a unique internal id by the administrator.
To prevent accidental writes to this unique internal id and key fields, we would like to restrict write access if possible.

If there is no easy way to do this, we will try to think of another solution on our end.
Thank you for your time.

Li Wee

Li Wee, Ong (liwee-ong) said : #4

The separation of write / create seems to work again in the latest version of openerp 7.0
Thank you

Landis (larnold) said : #5

Is there a Pointer to the fundamental way to Control ACL in OpenERP 7.0?

I have enabled "technical access" for the two users in the system.

However, there is no further guidance other than a daunting set of unexplained ACL rules.

Specifically I need that User1 can assign tasks to User2 (and indeed invite User2 as a follower) the way Admin can to both Users -- right now in Project Mode.

This, though, is the tip of the iceberg I know, so I want to have a better understanding of ACLs. Is there a Module I can install for controlling ACLs? Important to any implementation.

Thank you.