Access rules on fields.related in osv.TransientModel

Hi,

I guess not :(

Regards,

Maybe an OpenERP framework expert could take a look on this !

Hi Yann,

No, this is not a bug, its done intentionally to behave like this. we allow the user to read the value even if it comes from a model to which they have no access. the idea of related fields is to delegate the storage of the content to another object, so it seems logical to act exactly as if it was a field owned by the current model

Thanks,
Naresh Soni,
Team Lead,
OpenERP Enterprise Services

That's not what I reported, the behaviour is different between "osv.osv" and "osv.TransientModel".
Or maybe I miss something, fields.related bypass the user id by design for wizard (TransientModel) only ?

No, its not specific to TransientModel only. It's by design for all types of model in OpenERP(TransientModel and database-persisted models )

Can you elaborate a bit on this "the behaviour is different between "osv.osv" and "osv.TransientModel"." It will be good if you can have an example.

I just made a simple test and I can confirm the issue.

Following is a basic example that will display current user id in the related field display value.
To test it, you have to use admin and a another user (id=2 for example).

Create a MODEL_A (model.a) inherited from "osv.osv"
- Field A1 like fields.function(_get_field_a1, type="char", string='Field A1', readonly=True)

and define it like this:
    def _get_field_a1(self, cr, uid, ids, name, arg, context=None):
        return str(uid)

Create a MODEL_B (model.b) inherited from "osv.osv"
- Field MA like fields.many2one('model.a', "Model A"),
- Field B1 like fields.related('MA', 'A1', type='char', string='Related Field A1'),

Create a MODEL_C (model.c) inherited from "osv.TransientModel"
- Field MA like fields.many2one('model.a', "Model A"),
- Field C1 like fields.related('MA', 'A1', type='char', string='Related Field A1'),

You will see as output:

As admin
MODEL_B.MA == 1
MODEL_C.MA == 1

As user 2
MODEL_B.MA == 2
MODEL_C.MA == 1

Hello Yann,

Thanks for providing the test case . But I have a different result (As Expected) then yours.

I have :

*As admin(same results before and after save)*

MODEL_B.MA == 1
MODEL_C.MA == 1

(Related fied)MODEL_B.B1 == 1
(Related fied)MODEL_C.C1 ==1

*As user Demo(id 3)* :

While creating a new record and when the drop down menu is pressed. I have :

MODEL_B.MA == 3
MODEL_C.MA == 3
(Related fied) MODEL_B.B1 == False
(Related fied) MODEL_C.C1 == False

*As soon as I click save I have:*

MODEL_B.MA == 1
MODEL_C.MA == 1
(Related fied) MODEL_B.B1 == 1
(Related fied) MODEL_C.C1 == 1

 However I still don't think its a bug for the reason I already mentioned in my above comments, as when the
 related field is read it requires access to the third party models. Here in this case MODEL_A it may be possible that the MODEL_B, MODEL_C don't have rights on this MODEL_A. Here in the example above when you click save it will try to read the value of the related field with SUPERUSERID and as the related value is generated by a function field, it recalculates the value of the function field and hence you see the SUPER USER ID.

However, we can wait for some other experts inputs on this.

Thanks,
Naresh Soni
OpenERP Enterprise Services

Hello,

Before going to any decision meanwhile, Let put this as a Opinion for more conversation. and suggestion from the OpenERP framework experts.

Thanks and more suggestions are welcomed!

Hi everybody, we continue discussion on GitHub in related issue https://github.com/odoo/odoo/issues/6274