First, I’m upgrading an installation from 5.4 to version 6.4. Everything went smooth until access rights (which was kind of expected).
In this case we have a form where timesheet lines are shown. This is a
Function field (
one2many) which gets the timesheet lines based on the timesheet added (
timesheet.work). This gives something like:
timesheet = fields.Many2One('timesheet.work', 'Timesheet') timesheet_lines = fields.Function( fields.One2Many('timesheet.line', None, 'Timesheet Lines', domain=[('work', '=', Eval('timesheet'))], depends=['timesheet']), '_get_timesheet_lines') def _get_timesheet_lines(self, name): if self.timesheet: return [t.id for t in self.timesheet.timesheet_lines] return 
The timesheet lines then are restricted to only show the timesheet lines of the user. For this a new group was created and a new
Record Rule added to the group which filters the timesheet lines based on the
employee. This is where things go wrong. We now get an
UserError which says that the user is not allowed to read records with
id ... ... etc. And the list of timesheet lines is empty.
We tracked the error back to version 6.0. From that version the error shows up. The strange thing is that when the user directly goes to
Timesheet -> Lines via the menu, it still works. The user only gets it’s own timesheet lines.
It seems we clearly missing something here. In the release notes of version 6.0 there is a sentence saying:
“The record rules are now only applied if
_check_access is set in the context. This improves the multi-company support.”
Adding a print statement to the
_get_timesheet_lines indeed the
False. Change the
True didn’t help either.
def _get_timesheet_lines(self, name): with Transaction().set_context(_check_access=True): if self.timesheet: return [t.id for t in self.timesheet.timesheet_lines] return 
What are we doing wrong here?
Adding an extra domain to the list is not an option because a group higher up is allowed to see all the timesheet lines from all the users on that timesheet.