
I'd really like to understand Odoo access rights and rules, everything seems beautiful and perfect but the actual fact is that it's almost impossible to make them work OK.

An example of what I'm referring to is this kind of situation (I had this one some time ago and I had to avoid using rules to solve it): Are Odoo rules working OK actually?

Now I'm facing another problem: I'm using multicompany, and there are some users whose behaviour affects the rest. For example, I have this company tree:

```
Main Company
|_ Company A
|_ Company B
```

The user Administrator belongs to Main Company. Then I have a user named Forvas who belongs to Company B and can only work with customers/suppliers of that company. Now, I'm moving the Administrator from Main Company, to work with Company A. From that moment on, the user Forvas can't see customers or suppliers of Company B (something that he was able to do earlier), and he just gets the `Access Rights error: res.users - Operation: read` each time he tries to open any customer or supplier he's expected to see. You can just tell me that the user Administrator must always be in the Main Company and never move himself to work with another one, so I'll respect that, but the problem is that other users who can work with Main Company also spark the same error when they start working with another company (like Company A). For example, a user named The Chief can work with all companies, but he decides to work with Company A. Well, user Forvas stops seeing customers/suppliers of Company B, he gets the Access Rights error when he tries to open any of them...

Then I added some log lines to the fields.py file, to try to find the problem. Then I realized that there's a field made by myself which is giving the problem, but the field isn't such an uncommon one. It's a Float which is computed, declared in the res.partner model. I've modified the field to simplify it (although the code is now nonsense since the field always has the value 0.0).

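```python
# Declared on the res.partner model.
@api.multi
@api.depends('whatever')  # placeholder name, not a real field
def _compute_available_credit(self):
    # Simplified on purpose: every partner gets 0.0, no searches or reads.
    for partner in self:
        partner.available_credit = 0.0

available_credit = fields.Float(
    compute='_compute_available_credit',
    string='Available credit',
)
```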

I wrote `whatever` inside the `@api.depends`, it's not a field, but it doesn't matter which field I write there, the compute method always sparks the error.

However, if I comment out the `compute` parameter in the field declaration, the problem disappears...

So, can anyone explain to me why? I'm fed up with dealing with Odoo security problems, I'm pretty sure that everyone must have these unexpected behaviours too because they happen to me every now and again.

forvas
  • Have you tried computing the field values as admin by setting the [`compute_sudo`](https://www.odoo.com/documentation/8.0/reference/orm.html#field-computed) field attribute to `True`? – Naglis Feb 20 '18 at 20:19
  • Are you executing a search query that returns records that the user is not allowed to see, so that when you loop through them the error is raised? – Charif DZ Feb 20 '18 at 20:40
  • This must be a Record Rule issue – sfx Feb 21 '18 at 03:56
  • Thank you for your answers. @Naglis, good idea, I added `compute_sudo=True` to the parameters of the `available_credit` field, unfortunately, after updating, the error persists. @Charif at the beginning the compute method depended on the `credit` field (an accounting field which must have a lot of operations behind it), but I made the compute method depend on simpler fields (like `name`, for example) and I avoided complex operations to perform the compute (now, I only set `available_credit = 0.0`). So what can be happening? – forvas Feb 21 '18 at 10:35

1 Answer


I tried to reproduce the error you mentioned and failed.

The error you got (`Access Rights error: res.users - Operation:`) shows that your user is not allowed to see the model `res.users`. There is a many2one relation in customers (`res.partner`) to `res.users` (salesperson). Does your custom field depend on this field?

So my best guess is that there is some rule preventing your user (Forvas) from viewing users of another company and your customer records map to a user from another company (Admin).

Check your user's access rules from Settings / Technical / Security / Record Rules and Settings / Technical / Security / Access Control List.

Amal
  • Due to the error message, that's what I thought too, but, if I comment out the `compute` parameter in the `available_credit` field, I don't get the error and I can see the whole partner data (including the `salesperson` field). My custom field doesn't depend on any `res.users` field, in fact I was modifying the compute method to make it as simple as possible, making it depend on the partner `name`, for example, and always taking the 0.0 value, doing no operations or searches. – forvas Feb 21 '18 at 10:23
  • Have you tried giving the user read access to all res.users rules? – Amal Feb 21 '18 at 16:34