Can't attach a file without create permission over the register


(J. A. Arias) #1

You cannot attach a file to a register although you have write permission over the register model, unless you also have create permission.


(Cédric Krier) #2

Yes, this is the design. The resource checks the access right of the linked model for the same operation.


(albert) #3

Yes, it’s the current design but as I see it we could think of attachments (and notes) as a one2many field that would be part of the current record. If that was the case, what we would expect is that the user would be able to add new records to that o2m if he has write permissions to the record.


(Cédric Krier) #4

Well, it would be a less powerful and flexible design, and anyway this can be customized.


(J. A. Arias) #5

I agree with Albert: I think that the user usually expects the same behaviour as for one2many fields so it had to be the standard implementation (not a customized one). Why would it be a less powerful and flexible design?


(Cédric Krier) #6

Because instead of 3 access rights, there will be only one.


(Cédric Krier) #7

On second thought, I think it is probably the least astonishing behavior to check for ‘write’ access of resource on create and delete. But also that we need an easy way to modify one type of check into another (see Permisos de usuario para archivos adjuntos (GNU Health)).
So I propose that in Resource.check_access we have a method to convert the mode per model_name. This method by default will convert create and delete into write.


(J. A. Arias) #8

So, the change in http://hg.tryton.org/trytond/file/32cea659fb4e/trytond/ir/resource.py#l74 could be something like this (see the line inserted after #)?

@classmethod
def check_access(cls, ids, mode='read'):
    pool = Pool()
    ModelAccess = pool.get('ir.model.access')
    if ((Transaction().user == 0)
            or not Transaction().context.get('_check_access')):
        return
    model_names = set()
    with Transaction().set_context(_check_access=False):
        for record in cls.browse(ids):
            if record.resource:
                model_names.add(str(record.resource).split(',')[0])

    # Check 'create' and 'delete' of an attachment as 'write' access on the linked model
    mode = 'write' if mode in ('delete', 'create') else mode

    for model_name in model_names:
        ModelAccess.check(model_name, mode=mode)

(Cédric Krier) #9

For me, it should be done via a method that takes also the model_name so it can be easy to extend it and add custom behavior per model.


(Cédric Krier) #10

I created Issue 7717: Use write mode to check create and delete of resources - Tryton issue tracker
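
The per-model conversion method proposed in posts #7 and #9, sketched as an added example that is not trytond code or anything posted in this thread. `get_access_mode`, `StrictResource`, `model_access_check`, `allowed` and the rights table are hypothetical names and constructed data; the sketch runs without Tryton installed.

```python
# Stand-alone model of the proposal; not trytond code. All names are hypothetical.
class AccessError(Exception):
    pass

# Constructed rights table: model name -> operations the current user may perform.
RIGHTS = {
    'party.party': {'read', 'write'},        # may edit, may not create or delete
    'gnuhealth.patient': {'read', 'write'},  # same rights, stricter policy below
    'product.product': {'read'},
}

def model_access_check(model_name, mode):
    """Stand-in for ModelAccess.check: raise unless the user has `mode`."""
    if mode not in RIGHTS.get(model_name, set()):
        raise AccessError(f"{mode} denied on {model_name}")

class Resource:
    @classmethod
    def get_access_mode(cls, model_name, mode):
        # Default from post #7: create/delete of a resource counts as write.
        return 'write' if mode in ('create', 'delete') else mode

    @classmethod
    def check_access(cls, resources, mode='read'):
        # Each resource is a 'model,id' reference, as in the snippet in post #8.
        model_names = {r.split(',')[0] for r in resources if r}
        for model_name in sorted(model_names):
            model_access_check(model_name, cls.get_access_mode(model_name, mode))

class StrictResource(Resource):
    """Customisation per post #9: keep the same-operation check for some models."""
    STRICT_MODELS = {'gnuhealth.patient'}

    @classmethod
    def get_access_mode(cls, model_name, mode):
        if model_name in cls.STRICT_MODELS:
            return mode
        return super().get_access_mode(model_name, mode)

def allowed(resource_cls, resources, mode):
    try:
        resource_cls.check_access(resources, mode)
        return True
    except AccessError:
        return False
```

With the default mapping, write access on a record is enough to delete its attachments as well as add them, so the per-model override is where a stricter rule for specific models would go.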