
openerp-community team mailing list archive

Re: Per-field permissions

 

Hi,
I think point 2 is actually solved in OpenERP 7 itself. Refer to
http://stackoverflow.com/questions/11580150/field-readonly-and-groups-attribute
and also refer to
https://answers.launchpad.net/openobject-server/+question/178779

On Fri, Jan 2, 2015 at 7:56 PM, Ludwik Trammer <ludwik@xxxxxxxxxx> wrote:

> *Note: I've already posted this message to the @mail.odoo.com mailing
> list. It was suggested to me that I should also post it here.*
>
> Hi,
>
> I learned about Odoo just four months ago. Since then I've done quite a
> lot of work with the Odoo programming framework - I created almost 20 Odoo
> modules for two clients, started a blog about Odoo development and posted
> answers to a dozen Odoo related questions on Stack Overflow.
>
> The more I develop with Odoo the more I feel there is one area that is
> really lacking - per field permissions.
>
> Yes, I know about the "groups" attribute - one can specify it on a model
> field to make it available to selected groups only. That's certainly a
> start. But this is not enough for more advanced uses.
>
> A couple of examples of things that would be very useful (or in my case -
> necessary) in that area:
>
> 1. Something similar to the "groups" attribute, but limited to the "write"
> permissions. It would make other groups able to read the field, but only
> chosen groups would be able to modify it.
> This should both make the field appear readonly in forms (for users
> without modify privileges for that field) and validate the privileges when
> saving the model.
>
> 2. Rule-based per-field permissions. Something similar to ir.rule, but
> checked per individual field. This could look like this:
>
> members = fields.many2many(
>     'res.users',
>     read_rule="[('members', '=', user.id)]",
>     write_rule="[('manager', '=', user.id)]",
> )
>
> Let's say this is a field on a Project model. This would mean that only
> the manager of this project is able to add/remove its members and only
> members of this project are able to see other members (readonly).
>
> You are not able to achieve anything even remotely similar using only
> group permissions.
>
> For consistency, the way group based per-field permissions ("groups" and
> "groups_modify") would interact with rule based per-field permissions would
> mirror the way ir.model.access and ir.rule interact.
>
> 3. Record rules should be reflected in the way views are presented to the
> user. If user doesn't have "write" access to the given object she should
> not be presented with an "edit" button. Similarly lack of "unlink"
> permissions should hide the "remove" option. Currently this works with
> access rules (ir.model.access), but not with record rules (ir.rule).
> This issue confuses the heck out of my users (understandably). This means
> I'll be forced to roll my own solution for the issue, but this seems like
> something that should be dealt with on the framework layer.
>
> Are those issues something that the Odoo Team is currently looking into?
> Are there any plans for improvements in Odoo 9?
>
> Ludwik Trammer
>


-- 
Omal Bastin
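
Added example, not part of either message and not Odoo code: a stand-alone Python model of points 1 and 2 from the quoted message, with the per-field check enforced when the record is written rather than only in the form. `groups_modify`, `read_rule` and `write_rule` are the names proposed in the message, not existing Odoo field attributes; the `FieldPolicy` class, the helper functions and the restricted rule evaluation (only `(field, '=', 'user.id')` leaves) are assumptions made for the illustration.

```python
# Stand-alone model of the per-field checks proposed in the quoted message (no Odoo
# import). groups_modify, read_rule and write_rule are the poster's proposed names.
from dataclasses import dataclass

class AccessError(Exception):
    pass

@dataclass(frozen=True)
class FieldPolicy:
    groups: frozenset = None         # may see the field at all (existing "groups")
    groups_modify: frozenset = None  # proposed: may modify the field
    read_rule: tuple = ()            # proposed: domain leaves, ANDed together
    write_rule: tuple = ()
_DEFAULT = FieldPolicy()             # assumption: fields without a policy are unrestricted

def _rule_ok(domain, record, user):
    # Only (field, '=', 'user.id') leaves are modelled; anything else fails closed.
    for fname, op, value in domain:
        if op != "=" or value != "user.id":
            raise AccessError("unsupported rule leaf: %r" % ((fname, op, value),))
        actual = record[fname]
        ids = actual if isinstance(actual, (set, frozenset, list, tuple)) else {actual}
        if user["id"] not in ids:
            return False
    return True

def _group_ok(allowed, user):
    return allowed is None or bool(allowed & user["groups"])

def can_read(policy, record, user):
    return _group_ok(policy.groups, user) and _rule_ok(policy.read_rule, record, user)

def can_write(policy, record, user):
    # Group check and record rule must both pass, mirroring ir.model.access + ir.rule.
    return (_group_ok(policy.groups, user) and _group_ok(policy.groups_modify, user)
            and _rule_ok(policy.write_rule, record, user))

def read(record, user, policies):
    return {f: v for f, v in record.items() if can_read(policies.get(f, _DEFAULT), record, user)}

def write(record, vals, user, policies):
    # Server-side validation: reject the whole write before changing anything.
    denied = sorted(f for f in vals if not can_write(policies.get(f, _DEFAULT), record, user))
    if denied:
        raise AccessError("no write access to: " + ", ".join(denied))
    record.update(vals)

# Constructed sample policy: the "members" field of the Project model in the message.
POLICIES = {"members": FieldPolicy(read_rule=(("members", "=", "user.id"),),
                                   write_rule=(("manager", "=", "user.id"),))}
```

In this model the two rules are evaluated independently, so a manager who is not also listed in `members` can modify the field without being able to read it.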
