openerp-india team mailing list archive

[Bug 969198] [NEW] Can not set a access rights on particular records. Currently we can set access rights based on a object

 

You have been subscribed to a public bug:

We are migrating a customer from 6.0 to 6.1. I raised this issue under
their OpenERP Enterprise contract [573293] but the support team have
asked me to report the bug here.

In the hr.employee module *any* other employee on the system can create,
read or DELETE attachments on any other employee's main page.  This
occurs in both Web and GTK Clients.

In my opinion an Employee should be able to read *any* attachment on
their own employee record only. They should be able to remove (delete)
only those attachments which they themselves added.

The HR Manager (& possibly HR User) should be able to add, read and
remove attachments from any employees.

Unfortunately, I do not believe this configuration is possible currently
as the domain rules do not appear to have scope beyond a single object
and the employee_id doesn't match their user_id. I think to achieve this
you need to be able to read the res_id of the ir.attachment object then,
if the res_model is hr.employee, get the user_id of the appropriate
hr.employee record to match against.

I was trying to create an Access Rule like this:

[('user_id','=',user.id),('res_model','=','hr.employee'),('hr.employee[res_id].user_id','=',user.id)]

But of course it doesn't work.

** Affects: openobject-addons
     Importance: Wishlist
     Assignee: OpenERP's Framework R&D (openerp-dev-framework)
         Status: Confirmed

-- 
Can not set a access rights on particular records. Currently we can set access rights based on a object
https://bugs.launchpad.net/bugs/969198
You received this bug notification because you are a member of OpenERP Indian Team, which is subscribed to OpenERP Addons.
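
The policy requested in the report above, written out as an added example that is not part of the original message and is not OpenERP code. It is plain Python over constructed in-memory records, showing the attachment -> hr.employee[res_id] -> user_id lookup that a single-object domain cannot express; the record layouts, the "hr_manager" group name and the function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    id: int
    user_id: int      # res.users id linked to this hr.employee record

@dataclass(frozen=True)
class Attachment:
    id: int
    res_model: str    # model the attachment hangs off
    res_id: int       # id of the record in res_model
    user_id: int      # user who added the attachment

HR_GROUPS = {"hr_manager"}  # hypothetical group name

def owner_user_id(att, employees):
    """The cross-object hop: attachment -> hr.employee[res_id] -> user_id."""
    emp = employees.get(att.res_id) if att.res_model == "hr.employee" else None
    return emp.user_id if emp else None

def allowed(op, uid, groups, att, employees):
    """Decide 'read' or 'unlink' on an hr.employee attachment for user uid."""
    if att.res_model != "hr.employee":
        return False  # other models are out of scope for this sketch
    if groups & HR_GROUPS:
        return True   # HR manager: any employee's attachments
    if owner_user_id(att, employees) != uid:
        return False  # not this user's employee record, or dangling res_id
    if op == "read":
        return True   # any attachment on the user's own record
    if op == "unlink":
        return att.user_id == uid  # only attachments the user added
    return False      # anything else is not specified in the report

# Constructed sample data
EMPLOYEES = {1: Employee(1, user_id=10), 2: Employee(2, user_id=20)}
OWN = Attachment(100, "hr.employee", 1, user_id=10)
BY_HR = Attachment(101, "hr.employee", 1, user_id=30)
OTHER = Attachment(102, "hr.employee", 2, user_id=20)

if __name__ == "__main__":
    for att in (OWN, BY_HR, OTHER):
        print(att.id, {op: allowed(op, 10, set(), att, EMPLOYEES) for op in ("read", "unlink")})
```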