HR Feature: built-in option to restrict visibility of employee attachments?
|OpenERP R&D Addons Team 1|
We are migrating a customer from 6.0 to 6.1. I raised this issue under their OpenERP Enterprise contract  but the support team have asked me to report the bug here.
In the hr.employee module *any* other employee on the system can create, read or DELETE attachments on any other employee's main page. This occurs in both Web and GTK Clients.
In my opinion an Employee should be able to read *any* attachment on their own employee record only. They should be able to remove (delete) only those attachments which they themselves added.
The HR Manager (& possibly HR User) should be able to add, read and remove attachments from any employees.
Unfortunately, I do not believe this configuration is possible currently as the domain rules do not appear to have scope beyond a single object and the employee_id doesn't match their user_id. I think to achieve this you need to be able to read the res_id of the ir.attachment object then, if the res_model is hr.employee, get the user_id of the appropriate hr.employee record to match against.
I was trying to create an Access Rule like this:
But of course it doesn't work.
|security vulnerability:||yes → no|
|visibility:||private → public|
|Amit Parik (amit-parik) wrote : Re: Can not set a access rights on particular records. Currently we can set access rights based on a object||#3|
- Any Employee has full CRUD of every other Employee's Attachments
+ Can not set a access rights on particular records. Currently we can set
+ access rights based on a object
|affects:||openobject-addons → openobject-server|
|Changed in openobject-server:|
|assignee:||nobody → OpenERP's Framework R&D (openerp-dev-framework)|
|importance:||Undecided → Wishlist|
|status:||New → Confirmed|
|affects:||openobject-server → openobject-addons|
|Changed in openobject-addons:|
|assignee:||OpenERP's Framework R&D (openerp-dev-framework) → OpenERP R&D Addons Team 1 (openerp-dev-addons1)|
- Can not set a access rights on particular records. Currently we can set
- access rights based on a object
+ HR Feature: built-in option to restrict visibility of employee