Add permission to group (or find where is the problem) - odoo

I have this message:
The requested operation can not be completed due to security
restrictions. Document type: Employee (hr.employee) Operation: read
User: 23 Fields: - contract_id (allowed for groups 'Employees /
Officer')
I would not like to add the user to the mentioned group because I want to restrict his actions, and this group has too many permissions. How can I know what permission is required for that specific field?
UPDATE
Create a module with just these lines. I am trying to overwrite the field by deleting the group but it doesn't work for me. What am I doing wrong?
# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.
from odoo import api, fields, models
from odoo.osv import expression
class Employee(models.Model):
    _inherit = "hr.employee"
    contract_id = fields.Many2one('hr.contract', string='Current Contract',
        domain="[('company_id', '=', company_id)]", help='Current contract of the employee')

Odoo is nice for once and is telling you which field on which model is restricted. So in this case you should look into the field definition and will find:
contract_id = fields.Many2one(
    'hr.contract', string='Current Contract',
    groups="hr.group_hr_user",
    domain="[('company_id', '=', company_id), ('employee_id', '=', id)]",
    help='Current contract of the employee')
You can see the groups parameter which will lead to a restriction of this field to the following groups. Here it is one: hr.group_hr_user which is created with the hr App and also mentioned in Odoo's Access Error: "Employees / Officer".
So you could change the field definition, but I don't advise doing that. I'm not sure why there is no possibility for an Employee to at least see some of the current contract information of his own contract.

Related

Restrict write permissions for a field - Odoo 15

How can I restrict the write permissions for a field to a specific group ?
I want to check if a user is in a specific group with id 46. If the user is in this group, he should be allowed to write in this field. If he is not in this group, he should not be allowed to write.
The field is a custom field, editing the domain with the studio app I think I should avoid.
My field:
<field name="customer_codename" placeholder="Codename" attrs="{'invisible':['|',('customer_rank','=', 0),('is_company','=', False)]}"/>
I tried the following, but it did not work:
I created a new field using the studio app. Field type is boolean.
In the advanced properties I wanted to define the compute for the field. In dependencies I gave "user_id" and in the compute field I gave
for record in self:
    user_id.has_group('__export__.res_groups_46_eff9dc52')
The boolean field should be set to true if the user is in a certain group.
Not sure if I can give you the best answer there is.
But for me, I'd personally create a Boolean field in the view's associated model, with its default field a lambda function checking if the user belongs to the groups you mentioned.
Assuming groups_id is the name of the user groups in model res.users, we have:
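from odoo import fields, models
class ResUsers(models.Model):
    _inherit = "res.users"
    # True when the current user belongs to the group ("model_name.group_name" is a placeholder XML ID)
    can_write_codename = fields.Boolean(default=lambda self: self.env.ref("model_name.group_name") in self.env.user.groups_id)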
Then in your xml file, you can include can_write_codename inside attrs, like this:
<field name="customer_codename" placeholder="Codename" attrs="{'invisible':['|',('customer_rank','=', 0),('is_company','=', False)], 'readonly': [('can_write_codename', '=', False)]}"/>

How to set record rule for account move to show user own records and their saleteams member records Odoo 15?

Is this possible to do this by record rule?
Example:
User A has a sale team with members B, C, D. A is the leader of this team.
So if we log in as A and go to account.move, we can see the records of A, B, C, D.
If we log in as B, we only see B's records.
Thank you.
Note: Other solutions are good too, no need to be a record rule.
Thanks to Jainesh Shah(Aktiv Software)
I've found the answer, which is to use the search_read() function:
# -*- coding: utf-8 -*-
from odoo import fields, models, api, _
class AccountMove(models.Model):
    _inherit = 'account.move'
    @api.model
    def search_read(self, domain=None, fields=None, offset=0, limit=None, order=None):
        # copy the domain: it may be None, and the caller's list must not be modified
        domain = list(domain or [])
        # find the members of the sale teams led by the current user (current user is the leader of these teams)
        sale_teams = self.env['crm.team'].search([('user_id', '=', self.env.user.id)]).mapped('member_ids')
        # if the current user is in group crm_account_move_restrict_records and also the leader of a team
        # then we will show all data of this user and of the members of the team that this user is leading
        if self.env.user.has_group('z_crm_contract_for_baan.crm_account_move_restrict_records'):
            if sale_teams:
                # add domain
                # get data by team members
                domain += ['|', ('user_id', 'in', sale_teams.ids)]
            # add domain
            # get data by current user
            domain += [('user_id', '=', self.env.user.id)]
        return super(AccountMove, self).search_read(domain=domain, fields=fields, offset=offset, limit=limit, order=order)
Thank you all for helping, especially Jainesh Shah(Aktiv Software).

Create an invoice from a sales order using XML-RPC (Python)

I'm following the external APIs documentation : https://www.odoo.com/documentation/13.0/webservices/odoo.html
to implement our company's requirements. I'm required to create a sales order and automatically create an invoice after that. The sales order part is done but I can't seem to be able to attach the invoice to the sales order.
I've tried linking it via the 'invoice_ids' field but the documentation does not mention how to provide a many2many field in it. Here is the code:
import xmlrpc.client
# url, db, username, password, invoice_id and sales_order_id are defined elsewhere
# (4, id) is the x2many command that links an existing record
many2manyInvoice = [(4, invoice_id)]
common = xmlrpc.client.ServerProxy('{}/xmlrpc/2/common'.format(url))
# Admin user id
uid = common.authenticate(db, username, password, {})
models = xmlrpc.client.ServerProxy('{}/xmlrpc/2/object'.format(url))
models.execute_kw(db, uid, password, 'sale.order', 'write', [[sales_order_id], {'invoice_ids': many2manyInvoice}])
The response returned is 200, but nothing is happening on the sales order level. I think it's the way that I defined the field that might be incorrect.
Can someone help with this issue ? Thanks in advance
Nothing is happening on the sales order level because you are not creating a sales record, writing to it without doing anything. Not sure if this would work in your specific case but here is what I would do.
Use the Pro-forma invoice https://www.odoo.com/documentation/user/13.0/sales/invoicing/proforma.html
Then when a sales record is created run the "Send pro-forma invoice" method using the web api. This takes care of the db linking, as it can get very complicated.

Can't confirm sale orders after applying record rule

In odoo 9, I have added a record rule on the model mrp.production as:
['|', ('user_id', '=', user.id), ('user_id', '=', False)]
This will show users only the MOs that belong to them. Now when I am trying to confirm the sale order, which will then create a MO for the lines in that sale order, I am getting an access error:
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: mrp.production, Operation: read)
Diagnosing more, I found that it is caused by the missing_ids. Take a look at this.
Before that I have used the same solution in openerp 7 and it is still working perfect without any access error while confirming SO.
From which user are you trying? I think you are trying with the admin login, and you wrote a security rule that only the user of that record can access it. I think that is the problem.
Finally I found the reason of this issue.
In opernep/addons/mrp/procurement.py there is the line
production_obj.create(cr, SUPERUSER_ID, vals, context=dict(context, force_company=procurement.company_id.id))
which is using SUPERUSER_ID to create the production order from the procurement.
I don't know why they changed it to use SUPERUSER_ID. Maybe to enable non-mrp users or external users to create mrp orders even if they have no rights. BTW I have no such requirement and I have solved my problem by replacing this SUPERUSER_ID with uid.

Access Error when Employee create leave request after create record rule on hr.employee

I have installed HR module and created following record rules on hr.employee model to make employee to access their own details.
Object: Employee
Apply for Read: checked
Apply for write: checked
Apply for create: checked
Apply for delete: checked
Rule Definition: [('user_id', '=', user.id)]
When an employee applies for leave from the leave management module, it displays the following error:
AccessError
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.
(Document type: hr.employee, Operation: read)
You have a rule on the Group hr.employee which states that [('user_id', '=', user.id)], i.e. Employees can not see other Employees. Due to this access rule, the Access Error warning is being raised.
Try to find the Send Email function in hr.holidays. This function extracts the Employee's Manager's Email ID to send the Leave approval Email. But due to this Access Rule, you are not allowed to access the Manager's Email ID, as the Manager is also an Employee.
So I made a little change in the Send Email function, and extracted the Manager's Email ID as a Super User. Super user bypasses Access Rights.
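Added example (not code from any of the posts, and not Odoo's implementation): a minimal stand-alone evaluator for the prefix-notation domains used in the record rules on mrp.production and hr.employee and in the search_read override above, run over constructed records to show which rows each user can see. The user ids, records and helper names are assumptions for illustration, and only the `=`, `!=`, `in` and `not in` operators are modelled.

```python
# Added illustration: evaluates Odoo-style prefix-notation domains on plain dicts.
# Not Odoo's implementation; all records and user ids below are constructed.
OPS = {
    '=': lambda a, b: a == b,
    '!=': lambda a, b: a != b,
    'in': lambda a, b: a in b,
    'not in': lambda a, b: a not in b,
}

def _eval(domain, pos, rec):
    """Evaluate one expression starting at pos; return (result, next position)."""
    tok = domain[pos]
    if tok == '!':
        val, pos = _eval(domain, pos + 1, rec)
        return (not val), pos
    if tok in ('&', '|'):
        left, pos = _eval(domain, pos + 1, rec)
        right, pos = _eval(domain, pos, rec)
        return ((left and right) if tok == '&' else (left or right)), pos
    field, op, value = tok
    return OPS[op](rec.get(field, False), value), pos + 1

def matches(domain, rec):
    """Top-level expressions without an explicit operator are AND-ed."""
    pos, ok = 0, True
    while pos < len(domain):
        val, pos = _eval(domain, pos, rec)
        ok = ok and val
    return ok

def visible_ids(records, domain):
    return [r['id'] for r in records if matches(domain, r)]

def team_domain(domain, uid, led_member_ids):
    """Same composition as the search_read override in the answer above."""
    domain = list(domain or [])  # copy: never mutate the caller's list
    if led_member_ids:
        domain += ['|', ('user_id', 'in', led_member_ids)]
    return domain + [('user_id', '=', uid)]

# Constructed account.move rows: user 1 leads a team with members 2, 3 and 4.
MOVES = [{'id': 101, 'user_id': 1}, {'id': 102, 'user_id': 2},
         {'id': 103, 'user_id': 3}, {'id': 104, 'user_id': 5}]
# Constructed hr.employee rows: employee 10 (user 2) reports to employee 11 (user 1).
EMPLOYEES = [{'id': 10, 'user_id': 2}, {'id': 11, 'user_id': 1}]

if __name__ == '__main__':
    print(visible_ids(MOVES, team_domain([], 1, [2, 3, 4])))  # team leader
    print(visible_ids(MOVES, team_domain([], 2, [])))         # team member
    print(visible_ids(EMPLOYEES, [('user_id', '=', 2)]))      # own-record rule
```

In Odoo, a record rule applies its domain to every ORM access by non-superusers, whereas a search_read override filters only calls to that one method. With the own-record rule, the manager's row (id 11) is not visible to user 2, which is the read that the leave request trips over.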