
openerp-india team mailing list archive

[Bug 969198] Re: Can not set a access rights on particular records. Currently we can set access rights based on a object

 

Hi,

I suspect that the suggestion mentioned in #4 would be one way to do it
but I am not totally sure I understand the proposal.

I have spent some more time looking at this today and still can't see an
easy workaround to stop employees having full CRUD on every employee's
attachments.

There are required fields missing from ir.attachment...

Odony's suggestion in #1 of
['|',('res_model','!=','hr.employee'),('user_id','=',user.id)]  doesn't
work because there is no "user_id" value in ir.attachment. The only
similar field is the "create_uid" but this is the user id of the person
who *added* the attachment in the first place (i.e. not necessarily the
employee to which the attachment belongs).

I still feel that this is a bug.

As it stands right now, *any* employee can read, create and delete
attachments from *any* other employee. Surely that is a bug?

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/969198

Title:
  Can not set a access rights on particular records. Currently we can
  set access rights based on a object

Status in OpenERP Server:
  Confirmed

Bug description:
  We are migrating a customer from 6.0 to 6.1. I raised this issue under
  their OpenERP Enterprise contract [573293] but the support team have
  asked me to report the bug here.

  In the hr.employee module *any* other employee on the system can
  create, read or DELETE attachments on any other employee's main page.
  This occurs in both Web and GTK Clients.

  In my opinion an Employee should be able to read *any* attachment on
  their own employee record only. They should be able to remove (delete)
  only those attachments which they themselves added.

  The HR Manager (& possibly HR User) should be able to add, read and
  remove attachments from any employees.

  Unfortunately, I do not believe this configuration is possible
  currently as the domain rules do not appear to have scope beyond a
  single object and the employee_id doesn't match their user_id. I think
  to achieve this you need to be able to read the res_id of the
  ir.attachment object then, if the res_model is hr.employee, get the
  user_id of the appropriate hr.employee record to match against.

  I was trying to create an Access Rule like this:

  [('user_id','=',user.id),('res_model','=','hr.employee'),('hr.employee[res_id].user_id','=',user.id)]

  But of course it doesn't work.

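
The check described in the bug report (follow res_id to the hr.employee record and compare its user_id), modelled in plain Python as an added example; it is not OpenERP code and not part of the original message. The sample records and the function names are constructed for illustration, and the last helper shows what substituting create_uid for the missing user_id would match instead.

```python
# Plain-Python model of the policy in the bug description; not OpenERP code.
# Constructed sample data: hr.employee id -> linked user (hr.employee.user_id).
EMPLOYEES = {10: {"user_id": 1}, 11: {"user_id": 2}}

# Constructed ir.attachment rows, with only the fields named in the thread.
# There is no "user_id" column, which is why the domain from #1 cannot match.
ATTACHMENTS = [
    {"id": 100, "res_model": "hr.employee", "res_id": 10, "create_uid": 1},
    {"id": 101, "res_model": "hr.employee", "res_id": 10, "create_uid": 3},
    {"id": 102, "res_model": "hr.employee", "res_id": 11, "create_uid": 2},
    {"id": 103, "res_model": "res.partner", "res_id": 7, "create_uid": 2},
]


def owner_uid(att, employees=EMPLOYEES):
    """Follow res_id to the hr.employee record and return its user_id."""
    emp = employees.get(att["res_id"])
    return emp["user_id"] if emp else None


def allowed(uid, op, att, is_hr_manager=False):
    """True if user `uid` may perform `op` ('read' or 'unlink') on `att`."""
    if att["res_model"] != "hr.employee":
        return True   # attachments on other models are outside this rule
    if is_hr_manager:
        return True   # HR Manager may read and remove any employee's files
    if owner_uid(att) != uid:
        return False  # another employee's record, or a dangling res_id
    if op == "read":
        return True   # any attachment on the user's own employee record
    if op == "unlink":
        return att["create_uid"] == uid  # only files the user added
    return False      # assumption: anything else is denied


def ids_allowed(uid, op, is_hr_manager=False):
    return [a["id"] for a in ATTACHMENTS if allowed(uid, op, a, is_hr_manager)]


def ids_by_create_uid(uid):
    """What substituting create_uid for the missing user_id would match."""
    return [a["id"] for a in ATTACHMENTS
            if a["res_model"] != "hr.employee" or a["create_uid"] == uid]


if __name__ == "__main__":
    print(ids_allowed(1, "read"), ids_by_create_uid(1), ids_by_create_uid(3))
```

Attachment 101 is the case that separates the two: user 1 owns the employee record but did not upload the file, so a create_uid match hides it from its owner and exposes it to uploader 3.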