Checking access rule after modification


(Prakhar) #1

Hi there,

Scenario -
I have 2 user roles (res.groups) working on the same record, let us say group1 and group2. A user of group1 changes the state of the record through the workflow transition, and the record should become readonly for that user.

A record rule is written for the same, that when state is draft, the record should be writable and is assigned to group1 role.

Problem -
When pressing the button, the transition changes the state from draft to submit. On doing this, the system checks for record rules once again. This creates an error.

Traceback (most recent call last):
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/protocols/dispatcher.py", line 176, in _dispatch
    result = rpc.result(meth(*c_args, **c_kwargs))
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/model/modelview.py", line 665, in wrapper
    return func(cls, records, *args, **kwargs)
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond_apar-5.0.0-py3.6.egg/trytond/modules/apar/apar.py", line 74, in submit
    EmployeeForm.submit_to_hod(record.employee_forms)
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/model/modelview.py", line 665, in wrapper
    return func(cls, records, *args, **kwargs)
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond_apar-5.0.0-py3.6.egg/trytond/modules/apar/apar.py", line 315, in submit_to_hod
    cls.submit([record])
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/model/workflow.py", line 43, in wrapper
    cls._transition_state: state,
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/model/modelsql.py", line 147, in wrapper
    return func(cls, *args, **kwargs)
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/model/modelsql.py", line 998, in write
    cls.__check_domain_rule(all_ids, 'write')
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/model/modelsql.py", line 1160, in __check_domain_rule
    cls.raise_user_error('access_error', cls.__name__)
  File "/opt/tryton/tryton50/lib/python3.6/site-packages/trytond-5.0.3-py3.6.egg/trytond/error.py", line 74, in raise_user_error
    raise UserError(error)
trytond.exceptions.UserError: ('UserError', ('You try to bypass an access rule.\n(Document type: apar.employee.form)', ''))

There is a commit that corresponds to that change. I do not know the real reason behind this, but in my opinion, checking for record rule after writing the record raises another level of problems. (Ref - https://github.com/tryton/trytond/commit/6b06e3221d527210f9b8ab414b245bfe16926bb3)


(Sergi Almacellas Abellana) #2

Could you explain which rules are defined on the database for the model?


(Prakhar) #3

I defined a simple rule:

[["state", "in", ["draft"]]]

Initially, when the state is in draft, Tryton gets the record and changes the state from draft to submitted. Once it is submitted, then it checks for the rule again and fails.

On my system, if I comment out the line https://github.com/tryton/trytond/blob/5.0/trytond/model/modelsql.py#L998, then it works fine.


(Cédric Krier) #4

It is because we want changes made by a user to be revertible by that user.

Indeed, workflow transitions are done with buttons, so the access rights are not enforced when executing the code of the button. But the record rules are excluded from this pattern and are always enforced until "Issue 4080: Remove company record rules" (Tryton issue tracker) is solved.


(Prakhar) #5

So I guess, we will have to comment out the line that checks the rule again and go ahead with our installation.


(Cédric Krier) #6

The only way to skip record rules for now is to switch to user root (id=0).
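
A simplified, self-contained model of the behaviour discussed in this thread, added here as an example and not taken from trytond or from any poster's code. It shows why a rule of `state in draft` rejects the draft-to-submitted write when the rule is checked again on the written row, and how a write performed as root (id=0) passes. The user id 7, the sample record and all function names are constructed for illustration.

```python
# Simplified model of the write path discussed in this thread; not trytond code.
from contextlib import contextmanager

ROOT = 0                               # root user id, as stated in the thread
current_user = 7                       # constructed id for a group1 user
RULE = [["state", "in", ["draft"]]]    # the record rule from post #3
records = {1: {"state": "draft"}}      # constructed sample record


class AccessError(Exception):
    pass


def matches(record, domain):
    """Evaluate a flat list of (field, operator, value) clauses, ANDed."""
    ops = {"in": lambda a, b: a in b, "=": lambda a, b: a == b}
    return all(ops[op](record[field], value) for field, op, value in domain)


def check_rule(ids):
    """Root skips record rules; every other user must match the rule."""
    if current_user == ROOT:
        return
    for id_ in ids:
        if not matches(records[id_], RULE):
            raise AccessError("You try to bypass an access rule.")


def write(ids, values):
    """Check the rule before the update and again on the written rows."""
    check_rule(ids)
    previous = {id_: dict(records[id_]) for id_ in ids}
    for id_ in ids:
        records[id_].update(values)
    try:
        check_rule(ids)           # models the post-write check at modelsql.py#L998
    except AccessError:
        records.update(previous)  # stands in for the transaction rollback
        raise


@contextmanager
def set_user(user_id):
    """Temporarily switch user, restoring the caller's id afterwards."""
    global current_user
    saved, current_user = current_user, user_id
    try:
        yield
    finally:
        current_user = saved
```

In trytond itself the equivalent switch is `with Transaction().set_user(0):` around the write; keeping that block limited to the single state change avoids running unrelated code without record rules.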