can't access some user object once user has changed company
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Odoo Server (MOVED TO GITHUB) |
Fix Released
|
Low
|
OpenERP's Framework R&D |
Bug Description
ISSUE:
We are using ``project`` module, and have 2 company's registered in OpenERP (6.1 final).
When a user creates a task in a company, then changes their default company in their profile settings, other users registered only in the first company are unable to access the form view of the task. They receive a:
"Access Error" on operation "read" on document type "Users"
Although we can check that the task is correctly registered to be in the first company.
Notice that also, it's on "Users" that the AccessError is triggered and not Tasks...
MORE INFORMATION:
After looking deeper, it seems that "ir_rules" are involved in checking that current user is authorized to view the "res.users" record that describes the creator of the task. Information on the project.task creator is needed probably to display it's name.
The rule (in "ir_rules") concerning "res.users" object is set by default to this value (as of lp:openobject-server rev 4072):
in base/res/
['|',
Which will use "company_id" of the target user to check if we can access his "res.user" record.
If using "company_id" attribute makes sense in other objects as "project.tasks" to decide if a user can see it, it seems to me that it has a different meaning in "res.users" objects: it's the last context value of this user. It's some sort of a personnal configuration that shouldn't be used to check for granting permissions to other users to get access to my res.users record.
Instead, what seems important is to check "company_ids" (with a final 's') which list all companies in which this user is registered as a member.
My proposition would be to put something like this:
[('company_ids', 'child_of', user.company_
Any comments ?
there's the patch mentionned in the description changing 'force_domain' value to proposed value in base/res/ ir_security. xml