Comment 7 for bug 969198

Olivier Dony (Odoo) (odo-openerp) wrote : Re: Can not set a access rights on particular records. Currently we can set access rights based on a object

I think this deserves a status update:

The default access control system for attachments mirrors exactly the access rights of the record on which they are attached. This means a user can view an attachment only if they can read the record, delete an attachment only if they have the right to delete the record, and add an attachment only if they have the right to create new records of the same kind. This is the behavior implemented in the framework itself, and has been like this since OpenERP 6.0.

This behavior changes when the `document` (DMS) module is installed, because it introduces a transversal view for attachments, based on a filesystem-like directory hierarchy. Attachments can then be filed into directories with their own access control, and the access control of the directories applies in addition to the default access control.

Based on the above and the default access control for Employee records, any employee should by default be able to view the attachments on any other employee record they can access, but they should not be able to add or delete attachments, only HR Officers/Managers would be able to do that.
There was previously a bug in the `document` module that broke this logic and allowed adding and deleting attachments as soon as you were able to read a record. This was fixed a while ago in OpenERP 7.0 [1], and I have just tested it on runbot - seems to work fine.

The missing part in this default behavior is that you would like to completely prevent normal employees from even viewing the attachments on other employee records. This is currently not built-in but can be done using an extra ir.rule filter, similarly to what I suggested in comment #1. In OpenERP 7.0 the HR module adds an "employee_ids" relationship on user records, so the rule could be as follows:
  ['|',('res_model','!=','hr.employee'),('res_id','in',[e.id for e in user.employee_ids])]
If you add this rule to the "Employee" group (everyone), you will presumably need to add a reciprocal rule on the "HR Officer" in order to re-authorize them to access all employee attachments, as follows:
  [('res_model','=','hr.employee')]

I have just tested the combination of these two ir.rules on 7.0 and it seems to work as intended.

The question remains: should this combination of 2 rules become a built-in option in the HR Settings, or should it remain an extra customization? If this is a frequent feature request we could consider adding it.
Meanwhile I think the above explanation will mitigate the original bug report.

Note: re-targeting the bug to `addons` as this is mainly a concern of the HR module (and was never really a server bug)

[1] revision 9306 revid:<email address hidden>
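The following is an added worked example, not part of this bug thread and not Odoo's own code: a small Python simulation of how the two ir.rule domains quoted above behave once combined. It assumes the group names "Employee" and "HR Officer" used in the comment, evaluates the domains with a minimal prefix-notation evaluator (the `'|'` operator applies to the two leaves that follow it), and combines the rules of a user's groups with OR, which is how Odoo combines group-specific record rules. The sample users and attachments are constructed; the base check that the user must also be able to read the attached record is not simulated.

```python
from dataclasses import dataclass


@dataclass
class Employee:
    id: int


@dataclass
class User:
    login: str
    groups: set            # group display names, as used in the comment
    employee_ids: list     # hr.employee records linked to this user


@dataclass
class Attachment:
    id: int
    res_model: str
    res_id: int


# Constructed sample data: three users, four attachments.
USERS = {
    'alice': User('alice', {'Employee'}, [Employee(1)]),
    'bob':   User('bob',   {'Employee'}, [Employee(2)]),
    'carol': User('carol', {'Employee', 'HR Officer'}, [Employee(3)]),
}
ATTACHMENTS = [
    Attachment(1, 'hr.employee', 1),   # on alice's employee record
    Attachment(2, 'hr.employee', 2),   # on bob's employee record
    Attachment(3, 'hr.employee', 3),   # on carol's employee record
    Attachment(4, 'sale.order', 10),   # attachment on an unrelated model
]

# The two rule domains from the comment. In Odoo the rule is evaluated with
# the current `user` in its context, so the domain is built per user here.
RULES_BY_GROUP = {
    'Employee':   lambda user: ['|', ('res_model', '!=', 'hr.employee'),
                                     ('res_id', 'in', [e.id for e in user.employee_ids])],
    'HR Officer': lambda user: [('res_model', '=', 'hr.employee')],
}


def _leaf(record, leaf):
    """Evaluate one (field, operator, value) triple against a record."""
    name, op, value = leaf
    actual = getattr(record, name)
    if op == '=':
        return actual == value
    if op == '!=':
        return actual != value
    if op == 'in':
        return actual in value
    if op == 'not in':
        return actual not in value
    raise ValueError('operator not supported in this simulation: %s' % op)


def eval_domain(record, domain):
    """Evaluate a prefix-notation domain ('|', '&', '!' precede their operands).
    Terms left on the stack are AND-ed, mirroring the implicit '&' between
    top-level leaves in Odoo domains."""
    stack = []
    for term in reversed(domain):
        if term == '|':
            a, b = stack.pop(), stack.pop()   # pop both; no short-circuit
            stack.append(a or b)
        elif term == '&':
            a, b = stack.pop(), stack.pop()
            stack.append(a and b)
        elif term == '!':
            stack.append(not stack.pop())
        else:
            stack.append(_leaf(record, term))
    return all(stack)


def visible_attachment_ids(user, attachments=ATTACHMENTS):
    """Ids of attachments the user may read under the two rules. Rules coming
    from the user's groups are combined with OR (a record passes if any
    applicable group rule accepts it). With no applicable rule, no
    restriction applies."""
    domains = [make(user) for grp, make in RULES_BY_GROUP.items()
               if grp in user.groups]
    if not domains:
        return sorted(a.id for a in attachments)
    return sorted(a.id for a in attachments
                  if any(eval_domain(a, d) for d in domains))


if __name__ == '__main__':
    for login, user in USERS.items():
        print(login, visible_attachment_ids(user))
```

Running it shows the intended split: a plain employee sees only the attachments on their own hr.employee record plus attachments on other models, while a user who is also an HR Officer sees every hr.employee attachment. Dropping the second rule would leave HR Officers restricted to their own record as well, which is why the comment calls it a reciprocal rule.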