openerp-india team mailing list archive

["Amit Parik \(OpenERP\)" <amp@xxxxxxxxxxx>]

Hello Alan,

As you replied and reported a bug you have stated like this.

1)Employee Group: -Can read all employee's attachment.
                                 :- Can edit and delete only those attachment which is created by him/her.

2)HR/User or Manager Group : Can able to add, read and remove
attachments from any employees.

Your 2nd point which is working fine with access rights of OpenERP and
currently we can stratified this kind of visibility/security in OpenERP
because in OpenERP we have provided a security in three different ways
as follow.

1) Groups : It gives us a object(menu) and action(button) based visibility (Either this group can seen or not).
2) Access rights : Create , read, write, delete (all access) access based on object, It means that either group can read all the record or can not read any of the record.

3) Record Rule : Which is most important, We can give visibility based
on record, means by using record rules we can set security like groups
can see only particular record. If you have created a record rule then
you can seen only those record which will satisfied this domain. So also
by using record rule we can not set a access right on particular record.

As per your requirement you need a particular rights on your particular
record. Above all three option will not solve your issue.

This issue doesn't affect only for attachment, It will apply as  a
generic way also we can not say this as a bug rather than it's good
improvement.

We have to consider this as a feature request and implement this type of
security in feature which will solve many this type of issues. That's
why I am considering this as a wishlist and as a generic way assign to
the sever side.

Thank you!


** Summary changed:

- Any Employee has full CRUD of every other Employee's Attachments
+ Can not set a access rights on particular records. Currently we can set access rights based on a object

** Project changed: openobject-addons => openobject-server

** Changed in: openobject-server
   Importance: Undecided => Wishlist

** Changed in: openobject-server
       Status: New => Confirmed

** Changed in: openobject-server
     Assignee: (unassigned) => OpenERP's Framework R&D (openerp-dev-framework)

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/969198

Title:
  Can not set a access rights on particular records. Currently we can
  set access rights based on a object

Status in OpenERP Server:
  Confirmed

Bug description:
  We are migrating a customer from 6.0 to 6.1. I raised this issue under
  their OpenERP Enterprise contract [573293] but the support team have
  asked me to report the bug here.

  In the hr.employee module *any* other employee on the system can
  create, read or DELETE attachments on any other employee's main page.
  This occurs in both Web and GTK Clients.

  In my opinion an Employee should be able to read *any* attachment on
  their own employee record only. They should be able to remove (delete)
  only those attachments which they themselves added.

  The HR Manager (& possibly HR User) should be able to add, read and
  remove attachments from any employees.

  Unfortunately, I do not believe this configuration is possible
  currently as the domain rules do not appear to have scope beyond a
  single object and the employee_id doesn't match their user_id. I think
  to achieve this you need to be able to read the res_id of the
  ir.attachment object then, if the res_model is hr.employee, get the
  user_id of the appropriate hr.employee record to match against.

  I was trying to create an Access Rule like this:

  [('user_id','=',user.id),('res_model','=','hr.employee'),('hr.employee[res_id].user_id','=',user.id)]

  But of course it doesn't work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/969198/+subscriptions