← Back to team overview

c2c-oerpscenario team mailing list archive

[Bug 766982] Re: If you associate 2 or more groups to an ir.rule, rules are not correctly applied

 

Danger Anup!

Even though user1 now does see the first partner only, your solution is
not correct. With the operator change, you have now completely turned
the semantics of the rules upside down when multiple rules apply to
different groups of the same user.

Ask yourself, do you use groups in OpenERP to grant permissions or to
take them away? Before your changes, a user with more group memberships
would have broader permissions. In your version, adding the user to more
groups would further limit the user's permissions.

An example to illustrate the problem would be:

2- create 2 groups: 'group1' and 'group2'
3- create 2 rules on res.partner:
    - 'rule1' with domain: [('name','=','rule1')] and groups: 'group1'
    - 'rule2' with domain: [('ref','=','rule2')] and groups: 'group2'
4- create user 'test' and associate to 'group1' and 'group2'
5- create 2 partners:
    - with name: 'rule1' and ref: 'rule2'
    - with name: 'test' and ref: 'rule2'
6- login with user 'test'
7- you'll only see partner 'rule1'

You'll want to see both of partners instead.

The combined group rule in this example comes out as

     ['&', ('name', '=', 'rule1'), ('ref', '=', 'rule2')]

It needs to be

    ['|', ('name', '=', 'rule1'), ('ref', '=', 'rule2')]

Please undo, and start checking in line 118 whether the user is actually
in that group before adding the group rule.

Cheers,
Stefan.

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/766982

Title:
  If you associate 2 or more groups to an ir.rule, rules are not
  correctly applied

Status in OpenERP Server:
  Fix Committed

Bug description:
  Steps:
  1- create new db with only 'base' module
  2- create 2 groups: 'group1' and 'group2'
  3- create 2 rules on res.partner:
      - 'rule1' with domain: [('name','=','rule1')] and groups: 'group1'
      - 'rule2' with domain: [('ref','=','rule2')] and groups: 'group1' and 'group2'
  4- create user 'test' and associate to 'group1'
  5- create 2 partners:
      - with name: 'rule1' and ref: 'rule2'
      - with name: 'test' and ref: 'rule2'
  6- login with user 'test'
  7- you'll see both of partners

  This is wrong because since the user 'test' belongs to 'group1' and this group contains 2 rules, these rules must be combined with AND operator. So, user 'test' should see first partner only.
  This happens because second rule and both 2 rules are combined with OR:
  ((rule1 AND rule2) OR rule2)
  I suppose the problem to be connected with line 117 of ir_rule.py: http://bazaar.launchpad.net/~openerp/openobject-server/6.0/view/3404/bin/addons/base/ir/ir_rule.py#L115
  Instead of adding every group of the rule, you should check whether the user belongs to the group that will be added


References