openerp-expert-framework team mailing list archive

Thread
Date

Re: RFC: behaviour of ir.rule

To: openerp-expert-framework@xxxxxxxxxxxxxxxxxxx
From: Olivier Dony <odo@xxxxxxxxxxx>
Date: Thu, 08 Apr 2010 12:36:54 +0200
Cc: Fabien Pinckaers <fp@xxxxxxxxxxx>
In-reply-to: <201004071954.00833.xrg@hellug.gr>
Organization: OpenERP/Tiny
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9pre) Gecko/20100217 Shredder/3.0.3pre

On 07/04/10 18:53, P. Christeas wrote:
> If you notice at the Rules form, it says "Rules are OR-ed together, lines are 
> AND-ed". This is not true, since the trunk implementation ANDs all lines, 
> accross all Rules. 

In fact I just checked and to me the text seems to match the
implementation, even if badly worded. The ir.rule.group edition screen says:

 "The rule is satisfied if all tests are True (AND)"
 "Multiple rules on the same objects are joined using operator OR"

The first line talks about rule lines (tests), which are indeed ANDed
within their own group.
The second line talks about rule groups (rules), which are indeed ORed
when defined on the same object.

A quick scan of domain_get() reveals the same behavior (see around lines
155 and 181 in server/addons/base/ir/ir_rule.py)

> My question is: how do you use those Rules? Do you ever write multiple 
> rules/lines per orm object?

It could happen, but indeed the need to write multiple rule lines/tests
on the same object has been greatly reduced since the introduction of
the new syntax for complex domains using !, & and |.
Previously it was the only way of doing complex domain combinations.

As for the idea of simplifying things and keeping only the concept of
rules (lines) as suggested, I'm not sure I see a valid reason to do so.
Even if the new domain syntax allows one-line complex rules, it may be
useful for less experienced admins to be able to combine them explicitly.
And having rules groups also allows to create per-group (*user* group)
rules, by unchecking the "global" flag and adding them in the user group
form. (global rules are ORed with per-group rules at the moment)

> IMHO, the right thing to do would be to AND ir.rule.groups together, while OR-
> ing the ir.rules (=lines) inside each Rule. The OR operator would allow us to 
> write simple expressions in each Rule (now, we do have many "['|',
> (child_id,'=', 1),(child_id,'=',None)] " ). The idea is that Rules are 
> "restrictive" as in /all restrictions must apply/, 
> not 'permissive' as in /any rule can grant permission/.

What operator you choose to combine the rule lines/tests inside a rule
group is a matter of taste and convention I guess. It's true that for
multicompany rules we use a lot of ORs, but we use complex domains so it
doesn't matter.

Now the operator for combining groups is a more important decision, as
e.g. we wouldn't want admins to remove multicompany restrictions
inadvertently when trying to restrict things for a specific user group.

So perhaps we need to change the default to AND between groups in v6 for
this reason, but perhaps the rest is fine for now, isn't it? (still,
this would require appropriate migration - perhaps even manual)

> As a side-effect, the wording of the r/w/c/d boolean fields should change into 
> something like "apply in r/w/c/d" rather than "Read permission".. It will help 
> the users more.

Indeed.

-- 
Olivier Dony

begin:vcard
fn:Olivier Dony
n:Dony;Olivier
org:OpenERP Belgium
adr;quoted-printable:;;Chauss=C3=A9e de Namur, 40;Grand-Rosiere;;1367;Belgium
email;internet:odo@xxxxxxxxxxx
x-mozilla-html:FALSE
url:www.openerp.com
version:2.1
end:vcard

References

RFC: behaviour of ir.rule
From: P. Christeas, 2010-04-07