openerp-india team mailing list archive

[Bug 969198] Re: Can not set a access rights on particular records. Currently we can set access rights based on a object


I think this deserves a status update:

The default access control system for attachments mirrors exactly the
access rights of the record on which they are attached. This means a
user can view an attachment only if they can read the record, delete an
attachment only if they have the right to delete the record, and add an
attachment only if they have the right to create new records of the same
kind. This is the behavior implemented in the framework itself, and has
been like this since OpenERP 6.0.

This behavior changes when the `document` (DMS) module is installed,
because it introduces a transversal view for attachments, based on a
filesystem-like directory hierarchy. Attachments can then be filed into
directories with their own access control, and the access control of the
directories applies in addition to the default access control.

Based on the above and the default access control for Employee records, any employee should by default be able to view the attachments on any other employee record they can access, but they should not be able to add or delete attachments, only HR Officers/Managers would be able to do that.
There was previously a bug in the `document` module that broke this logic and allowed adding and deleting attachments as soon as you were able to read a record. This was fixed a while ago in OpenERP 7.0 [1], and I have just tested it on runbot - seems to work fine.


The missing part in this default behavior is that you would like to completely prevent normal employees from even viewing the attachments on other employee records. This is currently not built-in but can be done using an extra ir.rule filter, similarly to what I suggested in comment #1. In OpenERP 7.0 the HR module adds an "employee_ids" relationship on user records, so the rule could be as follows:
  ['|',('res_model','!=','hr.employee'),('res_id','in',[e.id for e in user.employee_ids])]
If you add this rule to the "Employee" group (everyone), you will presumably need to add a reciprocal rule on the "HR Officer" in order to re-authorize them to access all employee attachments, as follows:
  [('res_model','=','hr.employee')]

I have just tested the combination of these two ir.rules on 7.0 and it
seems to work as intended.

The question remains: should this combination of 2 rules become a built-in option in the HR Settings, or should it remain an extra customization? If this is a frequent feature request we could consider adding it.
Meanwhile I think the above explanation will mitigate the original bug report.

Note: re-targeting the bug to `addons` as this is mainly a concern of
the HR module (and was never really a server bug)

[1] revision 9306 revid:mat@xxxxxxxxxxx-20130722133615-wniqec4k60ssw4ui

** Project changed: openobject-server => openobject-addons

** Changed in: openobject-addons
     Assignee: OpenERP's Framework R&D (openerp-dev-framework) => OpenERP R&D Addons Team 1 (openerp-dev-addons1)

** Summary changed:

- Can not set a access rights on particular records. Currently we can set access rights based on a object
+ HR Feature: built-in option to restrict visibility of employee attachments?

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/969198

Title:
  HR Feature: built-in option to restrict visibility of employee
  attachments?

Status in OpenERP Addons (modules):
  Confirmed

Bug description:
  We are migrating a customer from 6.0 to 6.1. I raised this issue under
  their OpenERP Enterprise contract [573293] but the support team have
  asked me to report the bug here.

  In the hr.employee module *any* other employee on the system can
  create, read or DELETE attachments on any other employee's main page.
  This occurs in both Web and GTK Clients.

  In my opinion an Employee should be able to read *any* attachment on
  their own employee record only. They should be able to remove (delete)
  only those attachments which they themselves added.

  The HR Manager (& possibly HR User) should be able to add, read and
  remove attachments from any employees.

  Unfortunately, I do not believe this configuration is possible
  currently as the domain rules do not appear to have scope beyond a
  single object and the employee_id doesn't match their user_id. I think
  to achieve this you need to be able to read the res_id of the
  ir.attachment object then, if the res_model is hr.employee, get the
  user_id of the appropriate hr.employee record to match against.

  I was trying to create an Access Rule like this:

  [('user_id','=',user.id),('res_model','=','hr.employee'),('hr.employee[res_id].user_id','=',user.id)]

  But of course it doesn't work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/969198/+subscriptions
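Added example, not part of the bug thread and not OpenERP's own code: a small simulation of how the two ir.rule domains proposed in the status update above (the "Employee" group rule and the reciprocal "HR Officer" rule) combine for ir.attachment records. The domain evaluator is a minimal stand-in for OpenERP's expression parser, the rule-combination logic follows the 7.0 record-rule semantics as I understand them (rules attached to groups are OR'ed for a user in any of those groups, global rules with no group are AND'ed with that result), and all users, groups, employees and attachments are constructed sample data. It also shows the caveat a practitioner runs into: if the restricting rule is made global instead of being attached to the Employee group, no group rule can lift it.

```python
# Added example (not code from OpenERP or from the bug report): simulate the
# combination of the two ir.rule domains from the status update.
#
# Assumptions, labelled because they are not stated on the page:
#  * eval_domain() is a minimal stand-in for OpenERP's domain parser
#    (implicit AND between terms, explicit prefix '|', '&', '!').
#  * combine_rules() follows the OpenERP 7.0 record-rule semantics as I
#    understand them: group rules are OR'ed for a user in any of those
#    groups, global rules (no group) are AND'ed with that result.
#  * USERS / ATTACHMENTS below are constructed sample data.

OPERATORS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "in": lambda a, b: a in b,
    "not in": lambda a, b: a not in b,
}


def eval_domain(domain, record):
    """Evaluate a prefix-notation domain against a dict-like record."""
    if not domain:
        return True
    terms = [t for t in domain if t not in ("|", "&", "!")]
    binary = [t for t in domain if t in ("|", "&")]
    # Like OpenERP's normalize_domain: prepend the implicit '&' operators.
    normalized = ["&"] * (len(terms) - 1 - len(binary)) + list(domain)
    stack = []
    for token in reversed(normalized):
        if token in ("|", "&"):
            a, b = stack.pop(), stack.pop()  # pop both; no short-circuit
            stack.append((a or b) if token == "|" else (a and b))
        elif token == "!":
            stack.append(not stack.pop())
        else:
            field, op, value = token
            stack.append(OPERATORS[op](record.get(field), value))
    return stack[0]


# Constructed sample data (group names as used in the thread).
GROUP_EMPLOYEE = "Employee"       # every internal user
GROUP_HR_OFFICER = "HR Officer"   # HR staff

USERS = {
    # alice is a plain employee linked to hr.employee id 1
    "alice": {"id": 10, "groups": {GROUP_EMPLOYEE}, "employee_ids": [1]},
    # carol is an HR Officer linked to hr.employee id 3
    "carol": {"id": 12, "groups": {GROUP_EMPLOYEE, GROUP_HR_OFFICER},
              "employee_ids": [3]},
}

ATTACHMENTS = [
    {"id": 101, "name": "alice-contract.pdf", "res_model": "hr.employee", "res_id": 1},
    {"id": 102, "name": "bob-contract.pdf", "res_model": "hr.employee", "res_id": 2},
    {"id": 103, "name": "carol-contract.pdf", "res_model": "hr.employee", "res_id": 3},
    {"id": 104, "name": "spec.odt", "res_model": "project.task", "res_id": 7},
]

# The two rules from the status update: (groups, domain builder taking the
# current user, as the `user` variable does in a real ir.rule domain).
RULE_EMPLOYEE = ({GROUP_EMPLOYEE}, lambda user: [
    "|", ("res_model", "!=", "hr.employee"),
    ("res_id", "in", list(user["employee_ids"]))])
RULE_HR_OFFICER = ({GROUP_HR_OFFICER}, lambda user: [
    ("res_model", "=", "hr.employee")])


def combine_rules(user, rules, record):
    """True if `user` may read `record` under the given (groups, builder) rules."""
    global_ok = True
    group_domains = []
    for groups, build in rules:
        domain = build(user)
        if not groups:                      # global rule: always AND'ed
            global_ok = global_ok and eval_domain(domain, record)
        elif groups & user["groups"]:       # group rule that applies to user
            group_domains.append(domain)
    group_ok = (not group_domains) or any(
        eval_domain(d, record) for d in group_domains)
    return global_ok and group_ok


def visible_attachments(user_name, rules, attachments=ATTACHMENTS):
    """Sorted ids of the attachments `user_name` may read."""
    user = USERS[user_name]
    return sorted(a["id"] for a in attachments if combine_rules(user, rules, a))


# The restricting rule made global (no group) instead of on Employee.
GLOBAL_RESTRICT = (set(), RULE_EMPLOYEE[1])

if __name__ == "__main__":
    both = [RULE_EMPLOYEE, RULE_HR_OFFICER]
    print("alice, both rules:", visible_attachments("alice", both))
    print("carol, both rules:", visible_attachments("carol", both))
    print("carol, Employee rule only:", visible_attachments("carol", [RULE_EMPLOYEE]))
    print("carol, global restriction + HR rule:",
          visible_attachments("carol", [GLOBAL_RESTRICT, RULE_HR_OFFICER]))
```

With both rules on their respective groups, alice sees only her own employee attachment and the non-HR one, while carol (HR Officer) sees everything, because her HR Officer rule is OR'ed with the Employee rule. Without the reciprocal HR Officer rule carol is restricted like any employee, and if the restriction is made global it is AND'ed in front of everything, so the HR Officer rule can no longer re-authorize her.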