If you associate 2 or more groups to an ir.rule, rules are not correctly applied
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Odoo Server (MOVED TO GITHUB) |
Fix Released
|
Low
|
OpenERP Publisher's Warranty Team |
Bug Description
Steps:
1- create new db with only 'base' module
2- create 2 groups: 'group1' and 'group2'
3- create 2 rules on res.partner:
- 'rule1' with domain: [('name'
- 'rule2' with domain: [('ref'
4- create user 'test' and associate to 'group1'
5- create 2 partners:
- with name: 'rule1' and ref: 'rule2'
- with name: 'test' and ref: 'rule2'
6- login with user 'test'
7- you'll see both of partners
This is wrong because since the user 'test' belongs to 'group1' and this group contains 2 rules, these rules must be combined with AND operator. So, user 'test' should see first partner only.
This happens because second rule and both 2 rules are combined with OR:
((rule1 AND rule2) OR rule2)
I suppose the problem to be connected with line 117 of ir_rule.py: http://
Instead of adding every group of the rule, you should check whether the user belongs to the group that will be added
Related branches
- Lorenzo Battistini (community): Approve
- Olivier Dony (Odoo): Approve
- Stephane Wirtel (OpenERP): Pending requested
- Jay Vora (Serpent Consulting Services): Pending requested
-
Diff: 13 lines (+2/-1)1 file modifiedbin/addons/base/ir/ir_rule.py (+2/-1)
Changed in openobject-server: | |
assignee: | OpenERP's Framework R&D (openerp-dev-framework) → OpenERP Publisher's Warranty Team (openerp-opw) |
tags: | added: maintenance |
Hi Lorenzo,
The documentation explicitely states "If there are multiple rules on same object, then all of them are joined using OR operator". If I understand correctly, that is precisely what is happening in your case.
See http:// doc.openerp. com/v6. 0/book/ 8/8_20_ Config/ 8_20_Config_ accessRights. html
If I understand correctly, you can add the restriction of rule2 to rule1 and remove group1 from rule2 to get the desired results.
Cheers,
Stefan.