
I want to create a rule for projects:

Users must only see the projects whose responsibles are themselves. This means that you must only see projects whose user_id field is equal to your current user.id.

I've done it (I know it is not a good idea to create global rules but I did it only for testing, to avoid disabling the existing rules and see what my rule does quickly):

```xml
<record model="ir.rule" id="project_project_all_rule">
    <field name="name">Project: global rule: see own projects and projects with own tasks</field>
    <field name="model_id" ref="project.model_project_project"/>
    <field name="domain_force">[
        ('user_id', '=', user.id),
    ]</field>
</record>
```

This works great. Now, the tricky part:

Users can also see the projects whose task assignees are themselves. This means that you can also see projects whose task_ids.user_ids field contains your current user.id. And this is what I am not able to do. This is my current attempt:

```xml
<record model="ir.rule" id="project_project_all_rule">
    <field name="name">Project: global rule: see own projects and projects with own tasks</field>
    <field name="model_id" ref="project.model_project_project"/>
    <field name="domain_force">[
        '|', ('user_id', '=', user.id),
        ('task_ids.user_ids', 'in', [user.id]),
    ]</field>
</record>
```

1st EDIT

And it seems to work OK for all users. But when I open the project menu, with a specific user, I get an access error.

Yesterday I was able to modify the project action in order to show a simple tree view, and then when I opened the project menu I did not get an access error and I got three projects. So I was able to check that the error is triggered by one project with another responsible, but with a task whose assignee is this user. So the domain works OK but I cannot get rid of this access error. Besides, the developer mode message, which supposedly gives you a hint, leaves the key empty:

This restriction is due to the following rules: ... [no info here]

Does anyone know what happens here?

2nd EDIT

You can replicate this problem on Odoo 15 if you create a new database loading demo data and then install project module. You will see that the responsible of the Renovations project is Mitchell Admin, but there is a task inside this project named Entry Hall whose assignee is Marc Demo (when you open that project, the task link button indicates 0 tasks, but it is not taking into account the tasks in Done stage).

With that situation, if you introduce my rule, Mitchell Admin will see the right projects (the rule works perfect), but Marc Demo will get the Access Error when clicking on Projects menu.

I was digging a lot and finally I ended up modifying the project action (project.open_view_project_all) to open a simple tree view with a few basic fields. After doing that, Marc Demo does not get the Access Error when clicking on Projects menu, and he can see the right projects as if the rule was working perfect. However, when he opens the form of the Renovations project, he gets the error again. So I started to modify the form view and make it easier in order to find out if there are any fields triggering the error. And I've found out that if I remove this code...

```xml
<field name="message_follower_ids" options="{'post_refresh':True}" help="Follow this project to automatically track the events associated to tasks and issues of this project." groups="base.group_user"/>
<field name="activity_ids"/>
```

... Marc Demo can open the form view with no Access Error.

I am getting closer, but is this logical for someone? Could you give me a hint on how to solve this without removing those fields? Because I do not see anything weird on the read accesses of those models (mail.follower, mail.activity) for Marc Demo security groups.

forvas
  • Can you check what happens when you create a task in the empty project, but not for the user you're testing? – CZoellner Feb 14 '23 at 17:23
  • @CZoellner same error. I log in with Marc Demo. When I open projects, I get an access error. If I change the action which opens the project views in order to show a simple tree view with the `name` of the project and the `user_id`, I do not get the error, so I can see that there are three projects. Two with Marc Demo as `user_id`, one named _Renovations_ (this is demo data) with Mitchell Admin as `user_id` and with one task now, whose assignee is also Mitchell Admin. If I try to open this project, I get the error. Why is this project included by that domain I wrote in the question? – forvas Feb 15 '23 at 08:59
  • @CZoellner I made a mistake. The "third" project in fact has a task with Marc Demo as assignee, but the Tasks link button of the project form did not count it because the task was done... So I've edited the question with the new situation. – forvas Feb 15 '23 at 10:52
  • That's difficult to solve. I would debug into that to find a clue :/ – CZoellner Feb 15 '23 at 12:11
  • @CZoellner I've made a second edit after doing a lot of tests. I don't know if now you have another idea to help me. Thank you anyway! – forvas Feb 15 '23 at 15:07
  • `message_follower_ids` could be a reason, because IIRC there are rules using them. Shouldn't mess up opening a view, but it's just a wild guess. – CZoellner Feb 16 '23 at 09:47
  • This ir.rule name: `This restriction is due to the following rules: ... [no info here]` would help to understand which model the user is unable to read. Anyway, Odoo 15 already has a project visibility feature, I would suggest not overriding those rules. You can set a project's privacy to private and add followers to it to grant visibility – icra Feb 16 '23 at 22:25
  • @icra yeah, that message should be filled in with the "guilty" rule (as usual), but it is empty, there are no rule names in the message, so that is a nonsense, Odoo is blaming a rule, but it can't find it. – forvas Feb 17 '23 at 10:29
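
How the second rule's domain selects records, as an added example that is not part of the original question or of Odoo's own code: a small evaluator for the prefix-notation subset the rule uses (`'|'`, `'&'`, `=`, `in`, dotted paths through x2many fields), run over constructed project records. The user ids, project dicts and function names are assumptions for illustration; it models record selection only, not the Access Error discussed above.

```python
# Added example: evaluates the rule's domain over plain dicts (no Odoo needed).
# All ids, names and records below are constructed sample data.

def _values(record, path):
    """Follow a dotted path; lists (x2many) fan out to every related record."""
    current = [record]
    for name in path.split('.'):
        nxt = []
        for rec in current:
            value = rec[name]
            nxt.extend(value if isinstance(value, list) else [value])
        current = nxt
    return current

def _leaf(record, leaf):
    """A leaf matches if ANY value reached through the path satisfies it."""
    path, op, operand = leaf
    values = _values(record, path)
    if op == '=':
        return any(v == operand for v in values)
    if op == 'in':
        return any(v in operand for v in values)
    raise ValueError('unsupported operator: %r' % op)

def matches(record, domain):
    """Evaluate a prefix-notation domain; top-level terms are AND-ed."""
    def parse(pos):
        token = domain[pos]
        if token in ('|', '&'):          # binary operators take two operands
            left, pos = parse(pos + 1)
            right, pos = parse(pos)
            return (left or right) if token == '|' else (left and right), pos
        return _leaf(record, token), pos + 1
    result, pos = True, 0
    while pos < len(domain):
        value, pos = parse(pos)
        result = result and value
    return result

def visible_projects(projects, uid):
    """Names of the projects the rule's domain selects for user `uid`."""
    domain = ['|', ('user_id', '=', uid), ('task_ids.user_ids', 'in', [uid])]
    return [p['name'] for p in projects if matches(p, domain)]

ADMIN, DEMO = 2, 6  # constructed user ids
PROJECTS = [        # constructed records mirroring the situation described
    {'name': 'Renovations', 'user_id': ADMIN, 'task_ids': [{'user_ids': [DEMO]}]},
    {'name': 'Demo project', 'user_id': DEMO, 'task_ids': []},
    {'name': 'Admin-only project', 'user_id': ADMIN, 'task_ids': [{'user_ids': [ADMIN]}]},
]
```
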

0 Answers