Comment 13 for bug 766982

Stefan Rijnhart (Opener) (stefan-opener) wrote :

Danger Anup!

Even though user1 now does see the first partner only, your solution is not correct. With the operator change, you have now completely turned the semantics of the rules upside down when multiple rules apply to different groups of the same user.

Ask yourself, do you use groups in OpenERP to grant permissions or to take them away? Before your changes, a user with more group memberships would have broader permissions. In your version, adding the user to more groups would further limit the user's permissions.

An example to illustrate the problem would be:

2- create 2 groups: 'group1' and 'group2'
3- create 2 rules on res.partner:
    - 'rule1' with domain: [('name','=','rule1')] and groups: 'group1'
    - 'rule2' with domain: [('ref','=','rule2')] and groups: 'group2'
4- create user 'test' and associate to 'group1' and 'group2'
5- create 2 partners:
    - with name: 'rule1' and ref: 'rule2'
    - with name: 'test' and ref: 'rule2'
6- login with user 'test'
7- you'll only see partner 'rule1'

You'll want to see both partners instead.

The combined group rule in this example comes out as

    ['&', ('name', '=', 'rule1'), ('ref', '=', 'rule2')]

It needs to be

    ['|', ('name', '=', 'rule1'), ('ref', '=', 'rule2')]

Please undo, and start checking in line 118 whether the user is actually in that group before adding the group rule.

Cheers,
Stefan.
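
The reproduction steps in the comment above, as an added Python example (not OpenERP's own ir.rule code and not part of the original comment): it combines the two group rules with '&' and with '|', keeping only rules for groups the user belongs to, and evaluates each result against the two partners. The function names and the small domain evaluator are assumptions made for the illustration.

```python
# Added illustration, not OpenERP's ir.rule code; all names are hypothetical.
# Rules and partners are constructed from the steps in the comment above.
RULES = [
    {'domain': [('name', '=', 'rule1')], 'groups': {'group1'}},
    {'domain': [('ref', '=', 'rule2')], 'groups': {'group2'}},
]
PARTNERS = [{'name': 'rule1', 'ref': 'rule2'}, {'name': 'test', 'ref': 'rule2'}]

def normalize(domain):
    """Make the implicit AND between top-level terms explicit ('&'/'|' only)."""
    result, expected = [], 1
    for token in domain:
        if expected == 0:  # previous expression is complete: implicit AND
            result.insert(0, '&')
            expected = 1
        result.append(token)
        expected += 1 if token in ('&', '|') else -1
    return result

def combine(domains, operator):
    """Join whole (non-empty) domains with one prefix operator."""
    domains = [normalize(d) for d in domains]
    joined = [operator] * (len(domains) - 1)
    for d in domains:
        joined.extend(d)
    return joined

def matches(domain, record):
    """Evaluate a prefix-notation domain with '=' leaves against one record."""
    def parse(pos):
        token = domain[pos]
        if token in ('&', '|'):
            left, pos = parse(pos + 1)
            right, pos = parse(pos)
            return ((left and right) if token == '&' else (left or right)), pos
        field, op, value = token
        if op != '=':
            raise ValueError('only "=" leaves are supported here')
        return record.get(field) == value, pos + 1
    return parse(0)[0] if domain else True

def user_domain(rules, user_groups, operator):
    """Combine only the rules whose groups the user actually belongs to."""
    return combine([r['domain'] for r in rules if r['groups'] & user_groups], operator)

def visible(rules, user_groups, operator, records):
    domain = user_domain(rules, user_groups, operator)
    return [r['name'] for r in records if matches(domain, r)]
```
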