HR > Leave Requests. User can write date fields of an already approved Leave Request

Bug #1082009 reported by Martin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Odoo Addons (MOVED TO GITHUB) | Invalid | Medium | OpenERP R&D Addons Team 1 |

Bug Description

Version: 6.2dev-20121122-0001
Related bug: 1005795

A user gets leaves approved (e.g. sick days). Everybody can see this in the calendar (good!). Everybody can move the event around (bad!). This makes the calendar much less usable as a credible tool and source of information.

(This can even happen accidentally, because the drag-and-drop interface allows moving dates just too easily. There is not even an "undo"...)

Tags: usability


Martin (debacle)
description: updated
Twinkle Christian(OpenERP) (tch-openerp) wrote : Re: Calendar view should not allow drag & drop facility for readonly views.
summary: - Anybody can change approved leaves in the calendar
+ Calendar view should not allow drag & drop facility for readonly views.
Changed in openerp-web:
assignee: nobody → OpenERP R&D Web Team (openerp-dev-web)
importance: Undecided → Medium
status: New → Confirmed
Changed in openerp-web:
status: Confirmed → In Progress
Bhumi Thakkar (Open ERP) (bth-openerp) wrote :

Hello,

    This issue has been fixed in https://code.launchpad.net/~openerp-dev/openerp-web/trunk-bug-1082009-bth.

Thanks.

Changed in openerp-web:
status: In Progress → Fix Committed
Fabien Meghazi (OpenERP) (fme) wrote :

See
https://code.launchpad.net/~openerp-dev/openerp-web/trunk-bug-1082009-bth/+merge/136596/comments/299342

affects: openerp-web → openobject-addons
Changed in openobject-addons:
assignee: OpenERP R&D Web Team (openerp-dev-web) → OpenERP R&D Addons Team 1 (openerp-dev-addons1)
status: Fix Committed → Confirmed
summary: - Calendar view should not allow drag & drop facility for readonly views.
+ HR > Leave Requests. User can write date fields of an already approved
+ Leave Request
Anto (abourguignon)
Changed in openobject-addons:
status: Confirmed → In Progress
tags: added: usability
Anto (abourguignon) wrote :

Hello Martin,

The permissions seem ok to me. Your video shows an expected behavior because you are using the Administrator account, which has all the rights. But if you proceed to the same test (change the start date of an approved leave request) with the demo user, you'll get an "Access Denied" error, as expected.

In the code of hr_holidays.py, this restriction is formulated as follows:
'date_from': fields.datetime('Start Date', readonly=True, states={'draft':[('readonly',False)], 'confirm':[('readonly',False)]}, select=True)

Hope that helps !

Regards,
Anto.

Changed in openobject-addons:
status: In Progress → Invalid
Amit Parik (amit-parik) wrote :

Hello Anto,

I think you did not understand the issue properly and marked this bug as invalid.

Give me a chance to elaborate more specifically here.

@Anto:
First of all, this is not an issue with the user. It is not affected by the fact that we are logged in as Administrator. Even if the user is Administrator, he should not be able to change the read-only field's value. Second, you got the error "Access Denied" with the demo user; this is not an issue, because you don't have enough rights. If you assign the "HR/Manager" group to the Demo user, then you'll see the problem clearly.

Also, you said that we have put the 'states', which is fine, but it doesn't affect the calendar view (this is the actual problem).

Let me give you clear steps to reproduce the bug.

1) Create a leave request. Validate it and approve it.
2) See that the start date and end date are read-only, which is fine as we put the 'states' on the datetime field. So we cannot change the value from the form view (even if the user is admin and has a super power ;-) ).
3) Now go to the calendar view. You can change that value via the drag and drop feature, which should not be possible because the field is in read-only mode.

*Solution as per fme*

He suggested that we have to override the write method and raise the error if it is in a readonly state.

@Fme
Do you think this is a feasible solution, that we have to fix this issue from the addons side? Let me show you a clear picture: if we are going to fix this issue from the addons side, then we have to fix it on the following views also.

* Holidays (Leave request)
* Meeting
* Event
* Sale Order
* Project task
* Project phases
* Project Issue
* Purchase Order
* Manufacturing Order etc. (All views have a calendar view and have a date field in read-only mode as per specific state)

So I think your suggested solution is correct. Also, the same thing is possible on the gantt view; see lp:1084591. It is strange to me that you have considered lp:1084591 on web (gantt view) and transferred this one to addons (really, I do not understand).

I am reopening this bug, and my strong opinion is that this should be fixed from the web side. Right now it is on addons. The addons and web teams can take the decision on where this issue should be fixed.

Thank you!

Changed in openobject-addons:
status: Invalid → Confirmed
Anto (abourguignon) wrote :

Hello,

Thanks for your intervention Amit ! After a review with al, fp and qdp, the behavior of the hr_holidays' calendar view seems ok to us:
- any administrator, hr officer or hr manager can move a confirmed leave request anywhere, which is normal.
- any other user (hr employee) won't be able to do so: drag'n'dropping the request somewhere else will result in an error. This behavior has been introduced by fp's merge, revno 7969, which overrides the write() method of hr_holidays.

That being said, as you said, read only values should prevent a leave request from being moved in such cases (gantt and calendar views). Moreover, it's not really efficient to override the write() method every time we need that kind of feature.
But this is a more important problem that will be handled later. Two tasks have just been created regarding this issue:
- Calendar's drag'n'drop usability
- Model state field inducing readonly mechanism

Hope that helped ;)

Regards,
Anto

Changed in openobject-addons:
status: Confirmed → Invalid
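
The thread contrasts per-model write() overrides with a generic "model state field inducing readonly mechanism". As an added example (not OpenERP code, and not the change merged in revno 7969), here is a self-contained sketch of that generic check: one write path that reads the same readonly/states declaration quoted from hr_holidays.py and rejects the change whichever view sent it. The date_to and notes entries, the 'validate' state name and all function names are assumptions made for illustration.

```python
# Added sketch, not OpenERP code: state-based read-only rules enforced where the
# write happens, so a form edit and a calendar drag and drop hit the same check.

class AccessError(Exception):
    """A write touched a field that is read-only in the record's current state."""

# Same shape as the declaration quoted from hr_holidays.py for 'date_from'.
# 'date_to' and 'notes' are assumed entries added for this example.
EDITABLE = {"draft": [("readonly", False)], "confirm": [("readonly", False)]}
FIELDS = {
    "date_from": {"readonly": True, "states": EDITABLE},
    "date_to": {"readonly": True, "states": EDITABLE},
    "notes": {"readonly": False, "states": {}},
}

def is_readonly(field, state, fields=FIELDS):
    """Effective readonly flag of `field` for a record in `state`."""
    spec = fields[field]
    overrides = dict(spec.get("states", {}).get(state, []))
    return overrides.get("readonly", spec.get("readonly", False))

def checked_write(record, values, fields=FIELDS):
    """Apply `values` to `record` unless a changed field is read-only in its state.

    Fields without a declaration pass through unchanged; this sketch only
    enforces what the field table declares.
    """
    blocked = sorted(
        name for name, value in values.items()
        if name in fields
        and record.get(name) != value
        and is_readonly(name, record["state"], fields)
    )
    if blocked:
        raise AccessError(
            "read-only in state %r: %s" % (record["state"], ", ".join(blocked)))
    record.update(values)
    return record

if __name__ == "__main__":
    # Constructed record: an approved leave ('validate' is an assumed state name).
    leave = {"state": "validate", "date_from": "2012-11-26 08:00:00",
             "date_to": "2012-11-27 17:00:00", "notes": ""}
    try:
        # The payload a calendar drag and drop would send: new dates only.
        checked_write(leave, {"date_from": "2012-12-03 08:00:00"})
    except AccessError as exc:
        print("rejected:", exc)
```

Because the rule is evaluated from the field declaration rather than from the view, the same function covers the gantt case and the other models listed above without a separate override for each.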