c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 766982] Re: If you associate 2 or more groups to an ir.rule, rules are not correctly applied

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: "Stefan Rijnhart \(Therp\)" <766982@xxxxxxxxxxxxxxxxxx>
Date: Thu, 21 Apr 2011 20:59:11 -0000
Reply-to: Bug 766982 <766982@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The semantics are important when two rules interact. If a rule grants
access, then the two different rules grant the user access to the two
partners. If a rule restricts access, then the two restrictions joinly
grant the user access to the second partner only.

Based on your results I had guessed the former. Looking at the code
however makes it clear to me now that the record rules apply the latter
(as supported by remark 2 on the form) and I can only subscribe to your
analysis that the resulting domain contains a clause that should not be
there because the keys in 'group_rule' are not filtered against the
user's actual groups.

Thanks,
Stefan.

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/766982

Title:
  If you associate 2 or more groups to an ir.rule, rules are not
  correctly applied

Status in OpenERP Server:
  New

Bug description:
  Steps:
  1- create new db with only 'base' module
  2- create 2 groups: 'group1' and 'group2'
  3- create 2 rules on res.partner:
      - 'rule1' with domain: [('name','=','rule1')] and groups: 'group1'
      - 'rule2' with domain: [('ref','=','rule2')] and groups: 'group1' and 'group2'
  4- create user 'test' and associate to 'group1'
  5- create 2 partners:
      - with name: 'rule1' and ref: 'rule2'
      - with name: 'test' and ref: 'rule2'
  6- login with user 'test'
  7- you'll see both of partners

  This is wrong because since the user 'test' belongs to 'group1' and this group contains 2 rules, these rules must be combined with AND operator. So, user 'test' should see first partner only.
  This happens because second rule and both 2 rules are combined with OR:
  ((rule1 AND rule2) OR rule2)
  I suppose the problem to be connected with line 117 of ir_rule.py: http://bazaar.launchpad.net/~openerp/openobject-server/6.0/view/3404/bin/addons/base/ir/ir_rule.py#L115
  Instead of adding every group of the rule, you should check whether the user belongs to the group that will be added

References

[Bug 766982] [NEW] If you associate 2 or more groups to an ir.rule, rules are not correctly applied
From: Lorenzo Battistini - agilebg.com, 2011-04-20