multi company Access Denied Document type: Partner, Operation: read

Bug #1073087 reported by Давид on 2012-10-30
472
This bug affects 86 people
Affects Status Importance Assigned to Milestone
Odoo Server (MOVED TO GITHUB)
Fix Released
High
OpenERP Publisher's Warranty Team
OpenERP Community Backports (Server)
Status tracked in 7.0
7.0
High
arthru

Bug Description

Multi company, Access Denied Document type: Partner, Operation: read

Steps to produce.
------------------------

login with admin

install account, sales, hr expense.

create two company [companyA] and [companyB].

create [usera for comapanya] with all managerial rights and [userb for companyb] hr officer right.
Here both users's Allowed Companies = companyA, companyB.

login via userb and create new employee empb.

login via usera and try to create new [customer invoice]/SO for employee empb. Getting access error, even usera is manager?

Access Denied
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: Partner, Operation: read)

It should not happen here, "OpenERP have somethings wrong configuration with access rights."

Thanks.
Kettor

Related branches

Hello Kettor ,

I checked your issue in latest trunk.And I have faced same problem as you define in bug. So, I am confirming this issue.

Thanks for reporting.

Changed in openobject-addons:
status: New → Confirmed
Amit Parik (amit-parik) on 2012-10-30
Changed in openobject-addons:
assignee: nobody → OpenERP R&D Addons Team 3 (openerp-dev-addons3)
importance: Undecided → Medium
Changed in openobject-addons:
status: Confirmed → In Progress
Changed in openobject-addons:
status: In Progress → Confirmed
Changed in openobject-addons:
status: Confirmed → In Progress
Changed in openobject-addons:
status: In Progress → Confirmed

I see the error also occurs in 7.0 without all these modules installed and with only 1 user with access to 1 company. Clearing the domain filter in the res.partner company rule will make this error go away, but then you will have read access to all the partners. When I try to debug the create method, it can not access the logged in user. (self.pool.get('res.users').browse(cr, uid, uid).name gives the same error)

After a quick look in the code of the server, I think I found what can causes this bug.

In the V7.0 because of the changes in res.partner and res.partner.address, the method name_search() has changed.

In the method in the V7.0, to get the ids to read, there is a sql request, so the request doesn't consider the companies and access rights.
If one of the ids is from the other company, then "Access Denied" is raised.

I'm maybe wrong but you can have a look in the file server/openerp/addons/base/res/res_partner.py

jclopezar (juancristobal) wrote :

We have observed that that error message can be avoided if:
Start the search with a number
then type de characters
then erase de numbers
then the search is performed properly and the error message is not shown.

Leo Tran (tung-tran) on 2013-01-16
description: updated
Asigot Tech (asigottech) wrote :

This bug also effect user rights on other areas, example: user with full rights can not create customer.
User with full rights can not create private projects.

This bug pretty much makes the CRM feature unusable

Ron (boyron) wrote :

In my case, i cannot create a customer/supplier or customer/supplier invoice by user who is an accountant/financial manager.
Do you know when this bug will be fixed? Any help will be appreciated.

Landis (larnold) wrote :

Brand New Install. USER A (me) who has all rights that I cannot set cannot create customers and cannot see customers created by ADMIN. I found one rule, that If I "deactivated" it I could then see the customers. Still, when I go to edit, cannot save.

Get the error also:

Access Denied

The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Partner, Operation: create)

I will turn off all aspects of Multi Company next as a test. I only have one company installed anyway so far but need to have 2 or 3.

Landis (larnold) wrote :

Just did a quick Review of USER Rights.

Somehow USER A had been toggled to EMPLOYEE in HRO. Set to Manager was able to see contacts of admin and Save a New Contact.

This is after 2 Hours of Looking for problems in rules.

I do see that I am still a member of HR Employees Group, but also HR Officer and HR Manager

I am suprised that a Employee cannot edit a Customer contact or Create a new one even though those rights are called out.

SEPARATELY, I found that the "Sharing" right needs to be BLANK so that other users can be simply assigned as managers or followers of projects, and to see Projects created by others. This seems wrong logic.

Landis (larnold) wrote :

Still Though (follow up to #9) User A cannot change anything in "Settings/Config/General Settings)

Access Denied

Sorry, you are not allowed to modify this document. Please contact your system administrator if you think this is an error.

(Document model: ir.config_parameter)

(Set up to control Administration Settings under USER PANEL. I assume that is higher level than "ACCESS CONTROL".

Landis (larnold) wrote :

Looking at the "Multiple Companies" subject. I was not able to edit General Settings, as mentioned, from USER 1. However, I went in via ADMIN and again clicked on "Manage Multiple Companies" in General Settings. Then I applied.

At that point, though we only have installed one Company in the Database I found that USER 1 could modify the General Settings Penel. ( Clicked on "Activate the Customer Portal).

(Note: we do have a parallel Sample Data Database on the server).

For now I get to focus on how to "import csv" in a consistent manner. Last night it took about 10 tries and I have done plenty of Data Merges over the years. Documentation would help, but at least there is a FAQ there (not so helpful. but that is the only guidance I have seen in the whole system).

Landis (larnold) wrote :

Evidently a LAG. Now USER 1 (me) Cannot see other USERS in Projects or Save in General settings. SO BACK TO WHERE I STARTED. Cannot See other USERS in Settings either.

Very difficult NEXUS on this.

Multi-Company
Sharing
Portal

Then all turned off, generally normal behavior returns. I can see other users. I can see other Contacts and Customers.

I cannot however, Save in General Settings agiain (this started in "Question/Answer" but the two problems are Merged in terms of coincidence).

Landis (larnold) wrote :

The video above in comments illustrates how to allow access to a user to 2 Companies.

I am not seeing how to do this in Full install this weekend (Windows Client). Admin is enabled for "multi company" but it seems only one of the two companies (1 just basic) can be choosen for any user.

Probably more of a "How To" is needed but not sure.

Oba (oba-p) wrote :

Landis in your tests can you be specific about which error you get when you say you can not Save in General Settings.
I got two variants.
                                    Document model: ir.config_parameter
                                    Document type: Partner, Operation: create

After removing
                                       Multi-Company
                                       Sharing
                                       Portal
                                            &
                                      Import Export
I could save

I then added a group that I belonged to to ir_config_parameter and checked everything under the rule

in General settings
checked import Export

and could save with no errors.

As a test I select all the rules with partners and users and a blank group and added my group.
checked Multi-company
                     Sharing
                     Portal

got an error when applying "constraint error" applied again

could save from then on and could see other users in settings->users.

Hope this helps I will restart the test from scratch i.e new db.

Is there any documentation on the rules and do we know which ones should be blank etc...

Oba (oba-p) wrote :

I have to point out I am only testing new admin users accessing general settings and seeing other users.
From a new DB after installing CRM and Multiple Company Module which has dependencies the only error I run into is

Document model: ir.config_parameter

If I add the admin group to the rule it goes away.

Landis (larnold) wrote :

I will learn how to add the "admin group" to the rule.... not sure if that is my issue or not.

I have found 2 things:

Multi-Companies can be enabled but I cannot get any user to be assigned to two companies (likely a trick).

Customers of the Company Dissappear for USER 1 if "Portal" is selected for USER 1 in Settings.

I will be Testing Portal on the outside (if I can) next.

Landis (larnold) wrote :

Ok,
Modules Multi-Companies Installed from Modules

ADMIN User Assigned to have Multi-Company rights under "users"

ADMIN opens USER 1 and gets "Allowed Companies" ... ..

Then additional companies can be given to USER 1, or others.

However, USER 1 still gets the error in General Settings upon Save: Access Denied

         Sorry, you are not allowed to modify this document. Please contact your system administrator if you think this is an error.

         (Document model: ir.config_parameter)

As OBA recomends, I looked at ir.config_parameter in ACL. It is set to READ (being checked) all else is unchecked, No Group is defined. When I searched for "Admin Group" I do not find one. Ther is "Administration / Settings" and "Administration / Access Rights". Should it be set to the Settings Group? (I would expect so, but why is that not pre-defined?"

It is a bug that has been reported an verified, waiting for a fix.

A workaoround is disable de multicompany acess rules, you will see
something like
bpartner_multicompany and so one ....

On Thu, Jan 31, 2013 at 2:28 PM, Landis <email address hidden> wrote:

> Ok,
> Modules Multi-Companies Installed from Modules
>
> ADMIN User Assigned to have Multi-Company rights under "users"
>
> ADMIN opens USER 1 and gets "Allowed Companies" ... ..
>
> Then additional companies can be given to USER 1, or others.
>
> However, USER 1 still gets the error in General Settings upon Save:
> Access Denied
>
> Sorry, you are not allowed to modify this document. Please
> contact your system administrator if you think this is an error.
>
> (Document model: ir.config_parameter)
>
> As OBA recomends, I looked at ir.config_parameter in ACL. It is set to
> READ (being checked) all else is unchecked, No Group is defined. When
> I searched for "Admin Group" I do not find one. Ther is "Administration
> / Settings" and "Administration / Access Rights". Should it be set to
> the Settings Group? (I would expect so, but why is that not pre-
> defined?"
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1073087
>
> Title:
> multi company Access Denied Document type: Partner, Operation: read
>
> Status in OpenERP Addons (modules):
> Confirmed
>
> Bug description:
> Multi company, Access Denied Document type: Partner, Operation: read
>
> Steps to produce.
> ------------------------
>
> login with admin
>
> install account, sales, hr expense.
>
> create two company [companyA] and [companyB].
>
> create [usera for comapanya] with all managerial rights and [userb for
> companyb] hr officer right.
> Here both users's Allowed Companies = companyA, companyB.
>
> login via userb and create new employee empb.
>
> login via usera and try to create new [customer invoice]/SO for
> employee empb. Getting access error, even usera is manager?
>
> Access Denied
> The requested operation cannot be completed due to security
> restrictions. Please contact your system administrator.
> (Document type: Partner, Operation: read)
>
> It should not happen here, "OpenERP have somethings wrong
> configuration with access rights."
>
> Thanks.
> Kettor
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/openobject-addons/+bug/1073087/+subscriptions
>

--
Juan Cristobal Lopez Arrieta
http://www.openerp.com/node/560 +54376 4437686
Celular: +549376 4376481
skype : jclopezar

Ian Beardslee (ibeardslee) wrote :

Would be good if this bug report https://bugs.launchpad.net/openobject-server/+bug/1025534 (Allow for different user role/group per Company.) was built into the fix for this.

Landis (larnold) wrote :

Today, the work around was to actually give ADMIN a Check Mark on Multi Companies in USER Settings.

It also works to take that off of USER 1 but if USER 1 is set to CHECK, and ADMIN not, then USER 1 Cannot Create a New Project.

(Fix of just now anyway).
All the comments because I am working to set up a new system and I keep getting knocked by a few issues.

tags: added: maintenance
Denis Karataev (dskarataev) wrote :

Guys, fix it please! The bug affects us too. Very big problem to deploy the database with multi company!

Hope it will be fixed soon!

kothu devil (ko90thu) wrote :

Hi Everybody,

I have an error "Document Type: payslip, Operation: create" when i was click any button in pay slip form.
Please help me.
I try for that many times but i can't still get it.

Hello,

Could you please test this patch and provide your feedback?

Thanks.

Erwin van der Linde (erwin-7) wrote :

Hi Rifakat,

I removed the two lines and added the new one. After a restart service the same issues seem to occur. I still cannot create any customers for example with any user other than admin.

Sorry

Jānis (janisjanis) wrote :

I tested this on http://7-0-3380.runbot.openerp.com/
and i still got warning:

Access Denied

The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Partner, Operation: read)

Steps to reproduce:
1. Make new root company (Your Company 2).
2. Make chart of accounts for new company.
3. Make new user user2 (with password user2) with access rights only to Your Company 2 and Purchase - Manager | Contact Creation - True.
4. Log in with new user and try to make new supplier - warning.

Dawn Richardson (r-dawn) wrote :

Rifakat, I tested your patch on our version 7.0 (7.0-20130122-001415) and it fixes the issues I had with Access Denied when using the search bar. Can also just remove "if args:" two lines before your addition which will do the same thing and ensures 'ids' only contains partners the company can access.

The patch doesn't address the original issue with multi-companies and creating partners, but definitely fixed my searching problem. Thanks :)

Yaroslav Alpizar (yazalpizar) wrote :

Hi, I want to test the patch created by Rifakat. But I'm newbie using Ubuntu+bazaar. Running "bzr update /addons/" didn't work. Can anyone point out on the right direction? I even asked on the newly created Q/A site created for OpenERP

http://help.openerp.com/question/1010/ubuntubazaar-update-openerp-through-command-line/

Yaroslav Alpizar (yazalpizar) wrote :

Ok, the $ bzr patch will take care of it. But I do not see any /openerp/addons/base/res/res_partner.py file to apply the patch on. Then maybe just this patch does not applies to my current situation where I'm having same multi-companies bug.

An automatic creation of the partner(User A) for the newly created user(say user A) is defaulted with Administrator's(who created User A) company which is Your Company. This leads to access rights problem.

Assign user's company to partner "User A" and problem should be solved now.
Could you please test this?

Thanks,
Rifakat Haradwala

Dawn Richardson (r-dawn) wrote :

Rifakat, I have tested and that does seem to the problem. Is this being/been fixed to be done automatically? If a user wants to change companies multiple times using 'Preferences', this won't update the associated partner's company and so each switch is causing access rights problems and will have to be painfully fixed by the adminstrator.

Felix Schubert (input-fescon) wrote :

Even without having multicompany enabled - my users are still not able to create a customer - using nightly build from last night and tried the patch

Felix Schubert (input-fescon) wrote :

Sorry - now it works

Felix Schubert (input-fescon) wrote :

Sorry second time still occurs used the admin - with regular user error still occurs

Landis (larnold) wrote :

Have updated to most recent Server/Addons/Webs

UserA has been given access rights to Company1 and Company2 by Admin

UserA however cannot see any thing regarding Company2. When "Typed" to add Company2 by User2 into User2's own rights, given "Create Company" Dialog.

UserA basically cannot get any functional access to Company2 even though Admin can see and get access to Company2 (Admin created Company2).

Not getting persistent "permission denied" errors as I had been getting before new Branch Insert today.

How to fix/ how to use Multi Companies.

Landis (larnold) wrote :

When User1 goes to create a Company, all appears normal until "Save" clicked.

Error:
OpenERP Warning

Access Denied

The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Companies, Operation: create)

USER1 has been granted all possible rights by Admin. Rights themselves can be saved by User1.

Felix Schubert (input-fescon) wrote :

In my installation the bug is definitely caused by the portal modules - removed portal, portal_sale and portal_crm and now everythings fine. Now I reinstalled portal, portal_sale and portal_crm but give the user NOT the right for portal - still fine.

Gave the user portal access in the users settings - after a reload of the UI:
AttributeError: 'str' object has no attribute 'getquoted'
Logged in an out:
Access Denied

The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Partner, Operation: create)

Removed the users setting for portal access - everythings fine

Scribder (scribder) wrote :

Hi Felix & others,

im also consirned by this issue, and steel searching to make this working perfectly, i have same remarques as you Felix about portal modules....and then i have now some emergencys about "res.Users", "res.partner" Objects, and i can't wait Untill Best fix of this issue, this is what i Did to let my situation go, its all about conditions in record rules:

- i Gone to the only record rule of res.users, change it from Global, by affecting all Groups ( I try to bypass the "AND" logic).
- Added a new record rule with Condition [(1,'=',1)]...and Affect there groups concerned...(project managers and admins in my case..).

- Same for Record rules for "Res.partner", change all Global rules , and affect to theme all groups,
- Add new True record rule, and affect to it all concerned Groups...

Hope we can make this fixed properly,

Regards,

Alvin Benavides (abenavides-6) wrote :

Hi. I'm new to OpenERP, I waited for v7 to be released in order to start using it, so I apologize if my contributions are not the bests.

I'm using my installation for more than one company, so multi-company is the only environment I've test and I had this error. Basically any other user but administrator get this error trying to create or even to see his own preferences

---------
Access Denied
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: Partner, Operation: read)
----------

I renamed the default company created with the installation (Your Company) with the name "All Companies" and made it the parent company for all the others and this fix the "Access Denied" error for all the user but then I saw another problem.

In projects, the users could see the tasks assigned to them but the company projects were not listed in their projects page (admin ok, only created users). I change the analytic account to be part of the company they were assigned and that fix the project list.

Hope this can help to find out how to solve this issue.

Regards

Scribder (scribder) wrote :

Hi Alvin,

And yes, i didn't test what you describde, but im sure now, that we need just to take a little bit more focussing Record Rules, i Think its all about that, and then maybe some good patchs, changing Security files, respecting Portal and Anonymous modules, should fix all that, ??

What do you think everybody, any idea ??

Regards,
--
Youness

affects: openobject-addons → openobject-server
Changed in openobject-server:
assignee: OpenERP R&D Addons Team 3 (openerp-dev-addons3) → OpenERP's Framework R&D (openerp-dev-framework)
Changed in openobject-server:
status: Confirmed → Fix Committed
status: Fix Committed → Confirmed
29 comments hidden view all 108 comments

Thanks a lot Paulius,

I tested your patch: "partner_access_rights_fix.patch" and the problem is fixed.
Your patch is working.

NOTE: The branch lp:openobject-server/7.0 in revno 4950 is an auto translate commit, and your patch is not merged on this revno.

Regards.

OpenERP Team,
Do you have a answer for this?

Dawn Richardson (r-dawn) wrote :

The patch in #68 has solved all of our multi-company access issues so far. Thank you Paulius!

Would like to see this fix merged as soon as possible.

Hi Guys,

I think the problem is related with the newly created user's partner's company. When an admin user
creates a new user in multi company environment, a partner is created for this new user and that
partner's company should be as per this new user's allowed company, and not admin's company itself.

I think patch on #68 does not fix the root, could you please check this fix and let me know,
https://code.launchpad.net/~openerp-dev/openobject-server/7.0-opw-591308-jam/+merge/158311

Thanks,
rifakatHusen

Changed in openobject-server:
assignee: OpenERP's Framework R&D (openerp-dev-framework) → OpenERP Publisher's Warranty Team (openerp-opw)
no longer affects: openobject-addons/7.0
Changed in openobject-server:
milestone: none → 7.0
importance: Medium → High

Hi,

There's a bit of confusion regarding this issue, so let's try to clear it up.
The problem arises in multi-company environments when the company of a user, say "UserA" is different from the company of the partner "UserA" that is linked to that user. In this situation it is normal to see access errors in many cases, and the error will always mention "Document type: Partner".

This is *not* a problem with the implementation of the record rule system in OpenERP, nor a problem a with the record rules themselves, it's a problem of *data*.

In OpenERP 7.0 a user is always linked to a partner record (visible in the Customers menu if you remove the default "Customers" filter). When the error occurs it will look like this in the database:

   Partner "UserB" - Company A
     |
   User "UserB" - Company B

Why does this happen? In most cases it is because the admin who creates UserB for CompanyB is currently set to work in CompanyA. So both the user "UserB" and the partner "UserB" are initially created in CompanyA. Then the admin will change the user "UserB" to be in CompanyB, but the *partner* "UserB" will still be in CompanyA.

As Rifakat tried to explain in comment #29, this is simple to fix manually for each user if you want to convince yourself: go to the partner "UserB" and change its company to "Company B" and the problem will go away.

Then you can fix all your users at once by executing the following SQL queries:

  -- To show the partners with this issue
  SELECT p.id AS partner_id, p.name, p.company_id AS partner_company,
         u.company_id AS user_company
  FROM res_partner p JOIN res_users u ON (u.partner_id = p.id)
  WHERE p.company_id IS NOT NULL AND p.company_id != u.company_id;

  -- To fix the partners
  UPDATE res_partner p SET company_id = u.company_id
  FROM res_users u
  WHERE u.partner_id = p.id AND p.company_id IS NOT NULL;

There's a merge proposal that fixes the problem by making sure to always synchronize the company of the user with the company of the related partner: https://code.launchpad.net/~openerp-dev/openobject-server/7.0-opw-591308-jam/+merge/158311 This merge proposal is being reviewed right now and will solve the problem in the future.

Thanks,

PS: the patch proposed by Paulius Sladkevičius in comment #68 is fine as a temporary workaround but it will not solve the problem in 100% of cases (sometimes the company of the partner will still be used and it will not be correct), so it is best to fix the database with the suggested SQL query *and* to apply the patch to prevent this situation from happening in the future.

Changed in openobject-server:
status: Confirmed → Fix Committed
Landis (larnold) wrote :

A very informative post. There should be more of this sort. I am not sure this covers all the "access denied" issues out there, for example all of our User assignments have been for the master company) but it is likely that some of those errors are related to different subjects anyway. (This bug is about "Read" Access, and many of the errors I have seen have been about "Write" access and in our small org I just fix by logging in as Admin.

In every event, full explanations as Oliver has done here are extremely helpful! Thank you.

Ian Beardslee (ibeardslee) wrote :

Ouch, if I understand Olivier in #73 correctly, that makes OpenERP well and truly broken for use in a Multi-company environment .. it actually just creates a database that can hold a number of companies.

Our example of how it needs to work ..

CompanyA (biggest company of a group, a lot of the additional support comes from here ..eg accounts payroll)
CompanyB (smaller company hat replies on CompanyA for some business support)

UserA (accounts person employed/paid by CompanyA, but also processes invoices for CompanyB)

Our take on this is that UserA is employed by CompanyA (and works FOR them, paid by them) but also does work ON CompanyB's invoices. They use the preferences to change what company they will be working on at the time (so they only see that companies clients, invoicing etc) .

If I understand it correctly, what Olivier is suggesting is that when changing the preferences that UserA wouldnow essentially be seen that they are now working for CompanyB while the are processing their accounts.

That is going to cause a mess if while they are doing that someone needs to create a report about employees in CompanyA .. leave owed, across the board payrise. UserA will be excluded from all that. Or imagine if while UserA is 'working' for CompanyB, someone deducts the 3 days leave from everyone that CompanyB had closed during Xmas/NewYear.

Going through the list of people and manually is NOT a feature of an ERP system.

Unless there is some other way to differentiate how UserA is employed by CompanyA, but at that point in time is doing some process for CompanyB.

1 comments hidden view all 108 comments
Will Stokes (will-q) wrote :

Oops, I apologise for my previous post (now hidden), obviously it was
only for a colleague who is also struggling with this multi-company issue.

I'm sorry for using the words that I used, I did not meant them to be as
insulting as they would have come across.

What I was trying to get across was that it seems redundant to have two
fields if they are required to have the same value to avoid errors.
That if we keep them as meaning 'works for' and 'working on' then we can
have a more versatile solution. The last bugfix submitted here appears
to be working for us in that regard so far.

Apologies again,
Will.

On 11/05/13 10:08, Ian Beardslee wrote:
> Ouch, if I understand Olivier in #73 correctly, that makes OpenERP well
> and truly broken for use in a Multi-company environment .. it actually
> just creates a database that can hold a number of companies.
>
> Our example of how it needs to work ..
>
> CompanyA (biggest company of a group, a lot of the additional support comes from here ..eg accounts payroll)
> CompanyB (smaller company hat replies on CompanyA for some business support)
>
> UserA (accounts person employed/paid by CompanyA, but also processes
> invoices for CompanyB)
>
> Our take on this is that UserA is employed by CompanyA (and works FOR
> them, paid by them) but also does work ON CompanyB's invoices. They use
> the preferences to change what company they will be working on at the
> time (so they only see that companies clients, invoicing etc) .
>
> If I understand it correctly, what Olivier is suggesting is that when
> changing the preferences that UserA wouldnow essentially be seen that
> they are now working for CompanyB while the are processing their
> accounts.
>
> That is going to cause a mess if while they are doing that someone needs
> to create a report about employees in CompanyA .. leave owed, across the
> board payrise. UserA will be excluded from all that. Or imagine if
> while UserA is 'working' for CompanyB, someone deducts the 3 days leave
> from everyone that CompanyB had closed during Xmas/NewYear.
>
> Going through the list of people and manually is NOT a feature of an ERP
> system.
>
> Unless there is some other way to differentiate how UserA is employed by
> CompanyA, but at that point in time is doing some process for CompanyB.
>

Rogerfflores (rogerfflores) wrote :

We are having problems with the security in OpenERP.

I have a user "roger" that have configured the same rights as admin user.

The admin user can confirm sales order in the sales module.
The user "roger" can not confirm sales order. we got a message indicating the document location has no read access.

if i delete the access rule corresponding to the location object, then it works.

Here is the logged error

context
File "/usr/lib/pymodules/python2.7/openerp/addons/stock/stock.py", line 239, $
if location.chained_location_type == 'customer':
  File "/usr/lib/pymodules/python2.7/openerp/osv/orm.py", line 484, in __getatt$
    return self[name]
  File "/usr/lib/pymodules/python2.7/openerp/osv/orm.py", line 399, in __getite$
    field_values = self._table.read(self._cr, self._uid, ids, field_names, cont$
  File "/usr/lib/pymodules/python2.7/openerp/osv/orm.py", line 3604, in read
    result = self._read_flat(cr, user, select, fields, context, load)
  File "/usr/lib/pymodules/python2.7/openerp/osv/orm.py", line 3659, in _read_f$
self._check_record_rules_result_count(cr, user, sub_ids, result_ids, 'read'$
File "/usr/lib/pymodules/python2.7/openerp/osv/orm.py", line 3862, in _check_$
(self._description, operation))
except_orm: (u'Access Denied', u'The requested operation cannot be completed du$
2013-05-21 15:56:06,684 1149 ERROR doger openerp.netsvc: Access Denied
The requested
--

Jogle Klez (jogle05) on 2013-06-19
Changed in openobject-server:
status: Fix Committed → Fix Released

Resetting to Fix Committed, as per proposal status.

Changed in openobject-server:
status: Fix Released → Fix Committed
Lithin T (lithint-mail) on 2013-07-01
Changed in openobject-server:
status: Fix Committed → Fix Released

This merge isn't into 7.0

Please set the correct status 'Fix Committed' or merge it.

Hi,
I just reset status to Fix Committed. It will be merge very soon in 7.0.
@Lithin T (lithint-mail), do not change status please. We mark status as Fix Released as soon as we merge it.

Regards,
Rifakat

Changed in openobject-server:
status: Fix Released → Fix Committed
Shyam (shyam1joshi) on 2013-07-23
Changed in openobject-server:
status: Fix Committed → Fix Released

Resetting status to 'Fix Released' (sigh)

Changed in openobject-server:
status: Fix Released → Fix Committed

Oh wait, Fix Committed (which I actually did)

1 comments hidden view all 108 comments
geyunfei (geyf) wrote :

sorry ...

Changed in openobject-server:
status: Fix Committed → Fix Released
Changed in openobject-server:
status: Fix Released → Fix Committed

Based on my recent experience, I found out that you get errors on demo data for sure!

Normally, the company_id on partner and its contacts SHOULD be same...but if its not, you will get accesswarning.

Thanks.

Is this Fix committed to Stable 7.0? As of this morning 7-25-2013 with current revision 5034 still having this problems with multi company access rules

if logged in as Admin everything seems to work fine.

when logged in as user with multiple company access the following Errors occur.

****when loging in****

Access Denied

The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Users, Operation: read)

****when creating new customer****

Access Denied

The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Currency, Operation: read)

****when adding new sales order line****

Access Denied

The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Location, Operation: read)

***************************

Hi S Levenhagen,

let me clarify. When bug status is 'Fix committed', this means that a fix has been developed but not yet available in the main branch. Usually, you will find a 'related branch' that contains the proposed fix. The branch will be then marked as 'ready for review'. Everyone can review and test the suggested code changes and approve the branch or ask for improvements. The OpenERP core developers will at one point decide to merge this branch into the main branch. The branch status will then change to 'Merged', and the bug status can be set to 'Fix released'.

Thanks for the clarification.

Willem Hulshof (hulshofw) wrote :

Has anybody tried to create a new database with the fix applied? I did and it does not work. As soon as I had undone the res.partner patch code , it worked again.
I have seen remarks in the forum on this problem and the comment from the patch-code was literally in the log.
This seems to be a stubborn SOAB bug!

Willem,

you are right. The database creation breaks at assigning the main company to the main partner. Similarly, in an existing database you cannot create a new partner without a company, then edit the user and assign a company to it. It will lead to the same error, "You can not change the company as the partner/user has mutiple user linked with different companies.". Seems easy to fix by checking if the partner is associated with any users at all.

I did some testing merged lp:~openerp-dev/openobject-server/7.0-opw-591308-jam into openerp-server 7.0 at revision 5034

seems to have fixed Access denied errors in Sales Orders and when changing companies but still had similar error when attempting to create purchase orders

I did some testing merged lp:~openerp-dev/openobject-server/7.0-opw-591308-jam into openerp-server 7.0 at revision 5034

seems to have fixed Access denied errors in Sales Orders and when changing companies but still had similar error when attempting to create purchase orders

I did some testing merged lp:~openerp-dev/openobject-server/7.0-opw-591308-jam into openerp-server 7.0 at revision 5034

seems to have fixed Access denied errors in Sales Orders and when changing companies but still had similar error when attempting to create purchase orders

@slevenhagen, your error concers the currency table, and this could be related to lp:1111298. For the fix to take effect, you might need to remove the company manually from the currencies that you are using.

@Stefan yes this fixes it... many thanks!

I have opened a ticket with OpenERP support team regarding this bug and they are working on it.

If reate a company B in Multi-Company environment with an exisiting company A and user A and
Then switch to company B then go to Settings/configuration/Accounting/Company has check has own chart of accounts
Then install chart of accounts template.

Now set User A created in company A with multi company rights Add company B to its Allowed companies.

Log in as user A and change to company B in Preferences

IF you attempt to create a customer or sale order or purchase order and you will get "Access denied" errors.

Now open partner related to that user A in Sales/Customers. ( This partner A will only appear in company B if the company setting under the Sales & Purchasing table for this partner A is not set to any company).

Open the users partner to edit you will find the Accounts Payable and Accounts Receivable not filled in, Set these fields. Also under the Sales and Purchasing tab set the company field to company B and save. Once you have done this you should then be able to create sales orders purchase orders and partners with out access errors.

Now to again be able to switch companies with user A Again edit partner A related to the user A in the "Customer Form" setting Company back to blank in the Sales & Purchasing. If you don't do this Access Denied will occur.

Hi Serpent Consulting Services, Willem Hulshof and Stefan Rijnhart,

Yes, it crashes when we create a new database as from data file it tries to update company for a partner which does not have any user associated. This test was not covered in the earlier fix.

r5042, <email address hidden> - the actual fix and
r5043, <email address hidden> - little code improvement, in,
lp:~openerp-dev/openobject-server/7.0-opw-591308-jam

Thanks a lot for your notification.
Best regards,
Rifakat Haradwala

@rha-openerp

I tested the scenario provided in the bug description on a vanilla database and I did not face any error message.

The correction has landed in server 7.0 at revision 5070 rev-id: <email address hidden>.

Thanks for reporting and for your patience!

Changed in openobject-server:
status: Fix Committed → Fix Released
Nhomar - Vauxoo (nhomar) wrote :

Eureka!

A lot of time waiting for it.

IMHO the test yaml is necesary but great to hear it is merged long wait..

Regards.

2013/9/9 Olivier Dony (OpenERP) <email address hidden>

> The correction has landed in server 7.0 at revision 5070 rev-id:
> <email address hidden>.
>
> Thanks for reporting and for your patience!
>
> ** Changed in: openobject-server
> Status: Fix Committed => Fix Released
>
> --
> You received this bug notification because you are subscribed to OpenERP
> Project Group.
> https://bugs.launchpad.net/bugs/1073087
>
> Title:
> multi company Access Denied Document type: Partner, Operation: read
>
> Status in OpenERP Community Backports (Server):
> Fix Released
> Status in OpenERP Community Backports (Server) 7.0 series:
> Fix Released
> Status in OpenERP Server:
> Fix Released
>
> Bug description:
> Multi company, Access Denied Document type: Partner, Operation: read
>
> Steps to produce.
> ------------------------
>
> login with admin
>
> install account, sales, hr expense.
>
> create two company [companyA] and [companyB].
>
> create [usera for comapanya] with all managerial rights and [userb for
> companyb] hr officer right.
> Here both users's Allowed Companies = companyA, companyB.
>
> login via userb and create new employee empb.
>
> login via usera and try to create new [customer invoice]/SO for
> employee empb. Getting access error, even usera is manager?
>
> Access Denied
> The requested operation cannot be completed due to security
> restrictions. Please contact your system administrator.
> (Document type: Partner, Operation: read)
>
> It should not happen here, "OpenERP have somethings wrong
> configuration with access rights."
>
> Thanks.
> Kettor
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ocb-server/+bug/1073087/+subscriptions
>

--
--------------------
Saludos Cordiales

Nhomar G. Hernandez M.
+58-414-4110269
Skype: nhomar00
Web-Blog: http://geronimo.com.ve
Servicios IT: http://vauxoo.com
Linux-Counter: 467724
Correos:
<email address hidden>
<email address hidden>
twitter @nhomar

Telewelt GmbH (rs.telewelt) wrote :

Hi,

I've updated to latest nightly. But the bug isn't fixed for me.
The interesting thing is, that I've 3 companies and it works for 2 but not for the third.

If the user switches to the context of the third company and tries to set the customer on an invoice he gets the "Access Denied" error. The error comes up when the second char is entered. Entering only one char a list of customers is viewed.
Unfortunately the "Search more" function is also not accessible.

Regards.

The same problem for me - the user of company a can no longer add a company to the to a contact because if he types in even just one letter he will get an "access denied" message before he did even select anything - i think the onchange event messes things up here.

I am facing same problem I created a child company and create a user for this company when I logged on from this user and try to create invoace, purchase order etc I got error "Access Denied
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: Currency, Operation: read)"

Then I download latest source of openerp and replace with old one and create new database and execute same scenario that mention above then i did not get any error, after that I restored old database and follow the same steps but again i got same error. anyone can give me solution what should i do?

Was the patch applyed on trunk?, I'm testing openerp from trunk and I got this issue.

Displaying first 40 and last 40 comments. View all 108 comments or add a comment.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers