
openerp-community team mailing list archive

Per-field permissions

 

*Note: I've already posted this message to the @mail.odoo.com mailing list.
It was suggested to me that I should also post it here.*

Hi,

I learned about Odoo just four months ago. Since then I've done quite a lot
of work with the Odoo programming framework - I created almost 20 Odoo
modules for two clients, started a blog about Odoo development and posted
answers to a dozen Odoo-related questions on Stack Overflow.

The more I develop with Odoo, the more I feel there is one area that is
really lacking - per-field permissions.

Yes, I know about the "groups" attribute - one can specify it on a model
field to make it available to selected groups only. That's certainly a
start. But this is not enough for more advanced uses.

A couple of examples of things that would be very useful (or in my case -
necessary) in that area:

1. Something similar to the "groups" attribute, but limited to the "write"
permissions. It would make other groups able to read the field, but only
chosen groups would be able to modify it.
This should both make the field appear readonly in forms (for users without
modify privileges for that field) and validate the privileges when saving
the model.

2. Rule-based per-field permissions. Something similar to ir.rule, but
checked per individual field. This could look like this:

    members = fields.many2many(
        'res.users',
        read_rule="[('members', '=', user.id)]",
        write_rule="[('manager', '=', user.id)]",
    )

Let's say this is a field on a Project model. This would mean that only
the manager of this project is able to add/remove its members and only members
of this project are able to see other members (readonly).

You are not able to achieve anything even remotely similar using only group
permissions.

For consistency, the way group-based per-field permissions ("groups" and
"groups_modify") would interact with rule-based per-field permissions would
mirror the way ir.model.access and ir.rule interact.

3. Record rules should be reflected in the way views are presented to the
user. If a user doesn't have "write" access to the given object she should
not be presented with an "edit" button. Similarly, lack of "unlink"
permissions should hide the "remove" option. Currently this works with
access rules (ir.model.access), but not with record rules (ir.rule).
This issue confuses the heck out of my users (understandably). This means
I'll be forced to roll my own solution for the issue, but this seems like
something that should be dealt with on the framework layer.

Are those issues something that the Odoo Team is currently looking into? Are
there any plans for improvements in Odoo 9?

Ludwik Trammer
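
Added example, not part of the original message and not Odoo code: a framework-free Python sketch of requests 1 and 2 above, in which `FieldSpec`, `write_groups`, `write_rule`, `FIELDS` and the group names are all hypothetical. One check drives both the read-only hint for the form and the validation on save, and rules are evaluated against the stored record so a single write cannot grant itself access.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


class AccessError(Exception):
    """Raised when a write touches a field the user may not modify."""


@dataclass(frozen=True)
class User:
    id: int
    groups: FrozenSet[str]


@dataclass(frozen=True)
class FieldSpec:
    write_groups: Optional[FrozenSet[str]] = None   # None: no group gate
    write_rule: Optional[Callable] = None            # (record, user) -> bool


# Constructed sample model; group names are made up for this example.
FIELDS = {
    "name": FieldSpec(write_groups=frozenset({"demo.group_manager"})),
    "manager": FieldSpec(write_groups=frozenset({"demo.group_admin"})),
    "members": FieldSpec(write_rule=lambda rec, user: rec["manager"] == user.id),
    "description": FieldSpec(),
}


def can_write(spec, record, user):
    """Both the group gate and the rule gate must pass."""
    if spec.write_groups is not None and not spec.write_groups & user.groups:
        return False
    return spec.write_rule is None or bool(spec.write_rule(record, user))


def readonly_fields(record, user):
    """Fields a form should render read-only for this user (UI hint only)."""
    return {name for name, spec in FIELDS.items() if not can_write(spec, record, user)}


def write(record, user, vals):
    """Server-side check on save; rules see the stored record, not the new values."""
    denied = sorted(n for n in vals if n not in FIELDS or not can_write(FIELDS[n], record, user))
    if denied:
        raise AccessError("no write access to: " + ", ".join(denied))
    record.update(vals)  # all-or-nothing: reached only when every field passed
    return record
```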
