[Openerp-community] Per-field permissions


[Openerp-community] Per-field permissions

Ludwik Trammer
Note: I've already posted this message to the @mail.odoo.com mailing list. It was suggested to me that I should also post it here.

Hi,

I learned about Odoo just four months ago. Since then I've done quite a lot of work with the Odoo programming framework - I created almost 20 Odoo modules for two clients, started a blog about Odoo development and posted answers to a dozen Odoo related questions on Stack Overflow.

The more I develop with Odoo the more I feel there is one area that is really lacking - per field permissions.

Yes, I know about the "groups" attribute - one can specify it on a model field to make it available to selected groups only. That's certainly a start. But this is not enough for more advanced uses.

A couple of examples of things that would be very useful (or in my case - necessary) in that area:

1. Something similar to the "groups" attribute, but limited to the "write" permissions. It would make other groups able to read the field, but only chosen groups would be able to modify it.
This should both make the field appear readonly in forms (for users without modify privileges for that field) and validate the privileges when saving the model.

2. Rule-based per-field permissions. Something similar to ir.rule, but checked per individual field. This could look like this:

members = fields.many2many(
    'res.users',
    read_rule="[('members', '=', user.id)]",
    write_rule="[('manager', '=', user.id)]",
)

Let's say this is a field on a Project model. This would mean that only the manager of this project is able to add/remove its members and only members of this project are able to see other members (readonly).

You are not able to achieve anything even remotely similar using only group permissions.

For consistency, the way group based per-field permissions ("groups" and "groups_modify") would interact with rule based per-field permissions would mirror the way ir.model.access and ir.rule interact.

3. Record rules should be reflected in the way views are presented to the user. If a user doesn't have "write" access to the given object she should not be presented with an "edit" button. Similarly, lack of "unlink" permissions should hide the "remove" option. Currently this works with access rules (ir.model.access), but not with record rules (ir.rule).
This issue confuses the heck out of my users (understandably). This means I'll be forced to roll my own solution for the issue, but this seems like something that should be dealt with on the framework layer.

Are those issues something that the Odoo Team is currently looking into? Are there any plans for improvements in Odoo 9?

Ludwik Trammer

_______________________________________________
Mailing list: https://launchpad.net/~openerp-community
Post to     : [hidden email]
Unsubscribe : https://launchpad.net/~openerp-community
More help   : https://help.launchpad.net/ListHelp
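
An added illustration of the per-field rule semantics proposed in the message above (not part of the original post, and not Odoo code): a plain-Python model in which the same rule both drives the read-only rendering and is enforced again on the server when saving. The helper names, the simplified domain format and the 'user.id' placeholder string are assumptions; only read_rule and write_rule come from the post.

```python
class FieldAccessError(Exception):
    """Raised when a write touches a field the user may not modify."""

def matches(domain, record, user_id):
    """True when every (field, '=', 'user.id') leaf holds for this user."""
    for field, op, value in domain:
        if op != '=' or value != 'user.id':
            raise ValueError('unsupported leaf: %r' % ((field, op, value),))
        current = record[field]
        # An x2many field holds a collection of ids; '=' then means membership.
        if isinstance(current, (set, list, tuple)):
            ok = user_id in current
        else:
            ok = current == user_id
        if not ok:
            return False
    return True

# Constructed field spec mirroring the post's example on a Project model.
PROJECT_FIELDS = {
    'name': {},
    'manager': {},
    'members': {
        'read_rule': [('members', '=', 'user.id')],
        'write_rule': [('manager', '=', 'user.id')],
    },
}

def can(mode, field, record, user_id):
    """A field without a rule for this mode is unrestricted."""
    rule = PROJECT_FIELDS[field].get(mode + '_rule')
    return rule is None or matches(rule, record, user_id)

def read(record, user_id):
    """Return only the fields whose read_rule passes for this user."""
    return {f: v for f, v in record.items() if can('read', f, record, user_id)}

def readonly_fields(record, user_id):
    """Fields a form view would render read-only for this user."""
    return {f for f in record if not can('write', f, record, user_id)}

def write(record, user_id, values):
    """Server-side check against the stored record; deny the whole write."""
    denied = sorted(f for f in values if not can('write', f, record, user_id))
    if denied:
        raise FieldAccessError('no write access to: ' + ', '.join(denied))
    record.update(values)
    return record
```

The check in write() is the one that matters for security: readonly_fields() only decides presentation, and a client that ignores it is still refused when saving.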

Re: [Openerp-community] Per-field permissions

Aristóbulo Meneses
Hi Ludwik,

I reported something related to this, you can check the issue here:




2015-01-02 15:26 GMT+01:00 Ludwik Trammer <[hidden email]>:

--
Experience is the hardest teacher;
first it sets the test, then it gives the explanation...
-------------------------------------------------------------------------


Re: [Openerp-community] Per-field permissions

Omal Bastin
In reply to this post by Ludwik Trammer

On Fri, Jan 2, 2015 at 7:56 PM, Ludwik Trammer <[hidden email]> wrote:

--
Omal Bastin


Re: [Openerp-community] Per-field permissions

Ludwik Trammer

This would solve the first point from my letter, I believe. Unfortunately I don't think this works in Odoo 8 - I tried and it doesn't seem to have any effect. Additionally it doesn't appear anywhere in the documentation and is not used by any module from the official Odoo repository. This approach might have worked in the past, but I don't think it is still valid.

Ludwik


Re: [Openerp-community] Per-field permissions

Stephen Mack
At first I was excited but then I tested some of it on runbot.odoo.com.  It seems that this functionality was available in version 6.1 but is not in version 7.0 forward.  Maybe it caused a performance issue?

--Stephen

On Mon, Jan 5, 2015 at 7:07 AM, Ludwik Trammer <[hidden email]> wrote:
