I've installed a very basic custom module (contains one tiny model) and when I try to use it in a form I get the following error:
Sorry, you are not allowed to access this document. Please contact
your system administrator if you think this is an error.
(Document model: {model name here}) - (Operation: read, User: 2)
While I'm logged in as admin and have developer mode on (should be irrelevant). I haven't altered anything in the security directory that was generated by odoo-bin scaffold ...
Since Odoo 12 the OdooBot user (ID 1) is now the superuser and doesn't need rights explicitly. But the user Admin (ID 2) needs them now. I bet your tiny module does not have any rights definition (ir.model.access.csv) in it.
So either implement rights or for testing purposes switch to OdooBot (developer mode context menu).
In case anyone is having a similar problem and has properly configured the security definition, then check if you spelled your reference model right. In my case I was referencing res.user (which does not exist) instead of res.users and got that error.
When POS tries to push order data to the server, an error like this always appears (in the picture). I've already added the ir.filters access right to the user group, but it does not help anything. Only the Administrator can do this without the error appearing.
[EDIT]
Here is the setting :
Please check the "ir.filters" model; there are no access rights on the given model for the particular user.
As admin, he has full access rights on the same model.
So now please just go to Settings → Users → Groups and check your user group that cannot access the records.
Just go to the form view of the group and, on the Access Rights tab, check the access rights given on the "ir.filters" model. Maybe only read rights are given to that particular group of users; just add a few more there and then you can create records.
You also need to go to the menu Technical → Security → Record Rules, then search for all record rules related to the ir.filters model. Make sure that the user is not restricted by any of them.
Let us know if it will work for you.
I installed Odoo 12 and created a custom module.
I got this message while creating a record as a normal user:
Sorry, you are not allowed to access this document. Only users with the following access level are currently allowed to do that:
- Administration/Access Rights
(Document model: ir.rule) - (Operation: read, User: 6)
Please help me to fix this.
Please go through the below link.
https://medium.com/#reedrehg/becoming-a-superuser-in-odoo-12-0-f6fc2de3a62e
If you are aware of the Odoo 10 and below versions, you will understand this.
Apart from all of this, add access rights for newly created classes in Odoo in the file ir.model.access.csv.
For example:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_industry_section,access_industry_section,model_industry_section,base.group_user,1,1,1,1
I'm trying to make the "Edit" button on the Project form to only be visible if the user logged into the system is the Project Manager of that project. I've been reading various answers online regarding this, gathering some understanding of Access Rights vs. Record Rules but I haven't been able to get this working. To my understanding, Access Rights over-ride Record Rules. So, if I create a record rule under the group "Project/User" that has read and write access with the domain as the following:
[('user_id','=',user.id)]
This will be over-ridden by the Access Rights for Project/User anyway? So how would I get this to work?
Thanks to anyone who can help.
As far as I know, Record Rules can override Access Rights.
Here is an example where record rules are used to change the base_user edit capabilities depending on the Task state: https://github.com/OCA/project-service/tree/8.0/project_baseuser/security
However, the "edit" button is not dynamically visible depending on the Task Status: it's always visible but the rules may or may not allow to write upon "Save".
Access Control List is checked before Record Rules.
Because Access Control List is a CRUD security on models (create/read/update/delete).
Only if ACL is passed next record level security comes in.
As far as I understood you want to give Project User permission to edit his own projects (he is in group Project User not Project Manager but set as Project Manager for exact Project by Project Manager group user LOL).
I did this by doing the following:
1) Give project users Project Manager role.
2) Restrict them to only modify own projects by creating a Global rule (no group is set) with the following domain on update / delete operations:
['|', ('user_id','=',user.id),('create_uid','=',user.id)]
P.S. Here is a screenshot - http://awesomescreenshot.com/0083nqyf76
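The ordering described in this answer (ACL first, record rules only afterwards), as an added example that is not part of the original answer and not Odoo's own code. `check_write`, the user and record dicts and the ACL table are constructed for illustration, and only the `=` operator of domains is evaluated.

```python
# Added illustration of the two-stage check; names and data are constructed.
def eval_domain(domain, record):
    """Evaluate an Odoo-style prefix-notation domain against one record (dict)."""
    def parse(pos):
        tok = domain[pos]
        if tok == '!':
            val, pos = parse(pos + 1)
            return (not val), pos
        if tok in ('|', '&'):
            left, pos = parse(pos + 1)
            right, pos = parse(pos)
            combined = (left or right) if tok == '|' else (left and right)
            return combined, pos
        field, op, value = tok            # a leaf such as ('user_id', '=', 7)
        if op != '=':
            raise ValueError("only '=' is modelled here")
        return record.get(field) == value, pos + 1

    pos, result = 0, True
    while pos < len(domain):              # top-level terms are implicitly ANDed
        val, pos = parse(pos)
        result = result and val
    return result

def check_write(user, record, acl, global_rules):
    """Return (allowed, stage) for a write on `record` by `user`."""
    # Stage 1: model-level ACL. One group with perm_write is enough.
    if not any(acl.get(g, {}).get('perm_write') for g in user['groups']):
        return False, 'acl'
    # Stage 2: record rules. Global rules (no group set) must all match.
    for make_domain in global_rules:
        if not eval_domain(make_domain(user['id']), record):
            return False, 'record_rule'
    return True, 'ok'

# Constructed ACL rows; the rows in a real database may differ.
ACL = {'project.group_project_manager': {'perm_write': True},
       'project.group_project_user': {'perm_write': False}}
# The global rule from the answer above, with user.id filled in per user.
OWN_PROJECTS = lambda uid: ['|', ('user_id', '=', uid), ('create_uid', '=', uid)]

alice = {'id': 7, 'groups': ['project.group_project_manager']}
bob = {'id': 8, 'groups': ['project.group_project_user']}
own, other = {'user_id': 7, 'create_uid': 2}, {'user_id': 9, 'create_uid': 2}
bobs = {'user_id': 8, 'create_uid': 2}

if __name__ == '__main__':
    for who, rec in ((alice, own), (alice, other), (bob, bobs)):
        print(who['id'], rec, check_write(who, rec, ACL, [OWN_PROJECTS]))
```

The third case shows why a record rule alone cannot grant write: the record matches the rule for that user, but the request is already refused at the ACL stage.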
For the model project.project, provide the write permission only to the group project manager. Go to Settings/Technical/Security. There you can see the access control list. Check which groups are provided to the project.project model. For every group other than project manager, remove the write permission.
I have a script that is using manage_setLocalRoles to assign a specific role to certain users specified. See below for snippet
context.manage_setLocalRoles(username, ('Editor', 'Reviewer'))
context.reindexObjectSecurity()
After that script runs, you can go to the Sharing tab of the page and see the user specified with Reviewer and Editor checked. However, that user does not have any of the rights that go with those roles.
For testing, I have performed the following checks
context.getMyRolesInContext() does not return any of the roles set above.
context.get_local_roles_for_userid(username) only displays the roles set above, and not any global roles set (when testing as site manager and the like).
context.portal_membership.checkPermission("Modify portal content") returns a False.
With Editor role I should have Modify portal content permission. I did verify in the workflow of the content type to make sure the roles are set correctly for the permissions in each state. And as a double check, I ran this script on the content.
username = context.getCurrentUserName()
roles = context.rolesOfPermission('Modify portal content')
member = context.portal_membership.getMemberById(username)
for role in roles:
    if role['selected']!='':
        print role['name']
        print member.has_role(role['name'], context)
return printed
This was my result:
Editor
0
Manager
1
Reviewer
0
Site Administrator
0
Those results are from my site manager role, but after I ran the manage_setLocalRoles on my user to add Editor and Reviewer.
Any thoughts as to why the roles aren’t recognized everywhere? Or am I using the wrong process for what I am trying to accomplish?
NOTE - I have already looked at this answer, and as my code reflects I am already doing what it suggests.
EDIT
Adding versions per comment. We have quite a few add-ons, but none of them seem like they would be related. Mostly jQuery integrations, and types like PFG, True Gallery, FullCalendar. We are using a custom theme and all custom content types and workflows. Excluding the content type I am currently creating for this project both the theme and all other content types were created before I got here. The types are Archetypes extensions.
OS - Red Hat Enterprise Linux Server release 5.11 (Tikanga)
Plone - 4.3.2
Products.ATContentTypes - 2.1.13
AccessControl - 3.0.8
The problem boiled down to case sensitivity. Our users are fed from an Active Directory plugin. Some of the usernames are all caps, and others are all lower. Somehow the username being used in my set roles command was always lowercase. As a result, user was getting the roles, when it should have been USER.
My solution was to first get the actual member from portal_membership, then grab the username from the member.
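from Products.CMFCore.utils import getToolByName

pm = getToolByName(self, 'portal_membership')
# Look up the member first, then use the username exactly as the member reports it
member = pm.getMemberById(username)
self.manage_setLocalRoles(member.getUserName(), ('Reviewer', 'Editor'))
self.reindexObjectSecurity()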
Apparently getMemberById() is not case sensitive, and it returns the correct username in the correct case. So I was just missing that extra check/filter.
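An audit for the failure mode described in this answer, added here and not part of the original post: it compares the exact-case keys of an object's local-roles mapping with the user ids reported by the user source and flags grants that match only case-insensitively. The function names and the sample ids are constructed.

```python
from collections import defaultdict

def audit_local_roles(local_roles, canonical_ids):
    """Classify each stored local-role key against the canonical user ids.

    local_roles:   {userid: [roles]} exactly as stored on the object
    canonical_ids: user ids as the user source (e.g. the AD plugin) reports them
    """
    by_folded = defaultdict(set)
    for cid in canonical_ids:
        by_folded[cid.lower()].add(cid)
    canonical = set(canonical_ids)
    report = {'ok': [], 'case_mismatch': [], 'ambiguous': [], 'unknown': []}
    for stored, roles in sorted(local_roles.items()):
        if stored in canonical:
            report['ok'].append(stored)
            continue
        candidates = sorted(by_folded.get(stored.lower(), ()))
        if len(candidates) == 1:
            # Grant exists but is keyed to a spelling no real user has.
            report['case_mismatch'].append((stored, candidates[0], tuple(roles)))
        elif candidates:
            # Two real users differ only by case: never re-key automatically.
            report['ambiguous'].append((stored, tuple(candidates)))
        else:
            report['unknown'].append(stored)
    return report

def remap(local_roles, report):
    """Return a corrected copy: mismatched grants re-keyed, roles merged."""
    fixed = {k: set(v) for k, v in local_roles.items()}
    for stored, canon, _roles in report['case_mismatch']:
        fixed.setdefault(canon, set()).update(fixed.pop(stored))
    return {k: sorted(v) for k, v in fixed.items()}

# Constructed sample: 'jsmith' was granted roles, the real account is 'JSMITH'.
LOCAL_ROLES = {'jsmith': ['Editor', 'Reviewer'], 'ADOE': ['Owner'], 'ghost': ['Reader']}
CANONICAL = ['JSMITH', 'ADOE', 'mlee']

if __name__ == '__main__':
    rep = audit_local_roles(LOCAL_ROLES, CANONICAL)
    print(rep)
    print(remap(LOCAL_ROLES, rep))
```

On a Plone object the first argument can be built from `dict(context.get_local_roles())`.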
By following the instructions given in http://quickblox.com/developers/Custom_Objects#Permissions
every new record created (using REST interface) seems to get the ORIGINAL Class permission values instead of the edited ones.
In addition to this, the "use class permission" check box makes no difference on those problematic records. If a single record is created or edited using the web admin panel, then the permissions are working on the client app also.
Thanks
Janne
I see some misunderstanding in your explanation.
Class Permissions and Records permissions - they aren't related to each other.
If you edit Class Permissions, then Records permissions won't be touched.
And vice versa.
If you don't check the "use class permission" check box, then Records permissions will be used to determine the access level of the record.
If you check the "use class permission" check box, then Class Permissions (that you set in Admin panel) will be used to determine the access level of the record and Records permissions will be ignored.
Default Record permissions are:
Read: Open
Update: Owner
Delete: Owner
Got it?