Odoo Server (MOVED TO GITHUB)

partner search & record rules & muliticompanies

Bug #1094212 reported by Joannes Landy on 2012-12-28

This bug affects 18 people

Affects		Status	Importance	Assigned to	Milestone
	Odoo Server (MOVED TO GITHUB)	Fix Released	Medium	OpenERP's Framework R&D	Odoo Server (MOVED TO GITHUB) 7.0
	7.0	Fix Released	Undecided	Unassigned

Bug Description

The search function of the partner view don't work when there is a acces rules change.

For example, in a multi compagnies context: if there is a access rules change on "res.partner company" like:
only see the partner of your company and his childs: ['|',('company_id','child_of',[user.company_id.id]),('company_id','=',False)]

Before the access rules was : "res.partner company" ['|','|',('company_id.child_ids','child_of',[user.company_id.id]),('company_id','child_of',[user.company_id.id]),('company_id','=',False)]

the access rules work fine, a user in a new company can see only the partner of his company, BUT

the search function of the tree form always return an "access denied", so it's not possible to filter the partner list.
The message is:

Access Denied
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: Partner, Operation: read)

It's problably the "name_search" function in partner class who don't take care of access rule.

See original description

Related branches

lp://qastaging/~openerp-community/openobject-server/fix-1094212-multicompany-res_partner

Merged into lp://qastaging/openobject-server/7.0 at revision 4858

Fabien (Open ERP): Needs Fixing on 2013-01-04

Revision history for this message

Amit Parik (amit-parik) wrote on 2013-01-01:

Hello,

See the lp:1085981 (producible steps).

Thank you!

Amit Bhavsar (Open ERP) (amb-openerp) on 2013-01-01

Changed in openobject-server:
status:	New → Confirmed
importance:	Undecided → Medium
assignee:	nobody → OpenERP's Framework R&D (openerp-dev-framework)

Revision history for this message

Niels Huylebroeck (red15) wrote on 2013-01-03:

I found this to be a very simple fix and have also reported this on maintenance contract (but did not receive response - not even case number - yet)

See attached branch now.

Revision history for this message

Niels Huylebroeck (red15) wrote on 2013-01-03:

The problem:

The result of cr.execute is bad (why hasn't everyone at openerp been brainwashed yet?) because it will contain results not appropriate for the current user (because of un-applied record rules)

The solution:

After we fetched the result cr.execute I now force the search to be executed (unconditionally) which is no problem even if "args" was not passed (see beginning of function where it is set to [] if it was None). Doing this search it will pass all the ids we have found so far but will also apply or record rules, thus filtering out the unreadable partner ids in the process.

Revision history for this message

Joannes Landy (j-landy) wrote on 2013-01-03:

Hi Niels,

i have tested your solution, that is working fine for me.

I waiting the merge by OpenERP.

Thank's

Revision history for this message

Joannes Landy (j-landy) wrote on 2013-02-07:

patch_module Edit (2.6 KiB, application/zip)

Hi,

The previous solution don't work everytime.

Finaly, i resolve the problem by rewritting the search_name function of partner (the file is attached).
I bypass the search name function of the orm. (it's not compatible with the record rule for the partner)

For the Record Rules, i authorised the patner linking to the users and the companies. Because, it's used for the internal message.

This solution is ok for me now.

regard

Revision history for this message

Xavier ALT (dex-phx) wrote on 2013-02-25:

Hi,

Fix landed on stable server v7.0 branch with revision-id:

Regards,
Xavier