Inventory & Stock access permissions

pokoli · January 18, 2023, 9:42am

Hi,

I’m customizing the Inventory & Stock menu permissions. Our need is to allow purchase users group to see the pending moves menú ( Inventrory & Stock → Moves menú)

In order to do so, I added the Purchase group to the Inventory & Stock menú

After that I get acess also to the Customer Shipments and Inventories menú but after entering to them I get an access error because the purchase user is not allowed to see such menus.

I will expect that an user is not allowed to see a menu option linked to an action that he is not allowed to see. I’m wondering if this is something that can be implemented in a generic way or we need to define access records for each menu item linked to the user that is not allowed to see. This will mean adding a group for shipments, inventories, lots and other menu options. Is this something that should be added as part of default accesses? Or we should do it as customization (as we are opening the parent menu).

albert · January 18, 2023, 9:55am

In one way or another I think that it makes most sense that users in purchase group can access incoming moves, specially to track planned_dates and replan accordingly.

pokoli · January 18, 2023, 9:58am

This is already possible but just from the relate of purchases to moves.

But what we want is to get the overview of all of the pending purchases, but my problem is also with other menu items that are not accessible.

I guess you will be also interested in Add supplier as optional on moves list

edbo · January 18, 2023, 10:03am

I had the same question for another part. See Related menu entries on party are not restricted by the different groups (#11589) · Issues · Tryton / Tryton · GitLab and Issue 419541003: trytond: Skip keyword action window for which user has not read access - Code Review. Maybe something similar can be implemented for this.

pokoli · January 18, 2023, 10:05am

I see your problem was related to relate actions and it has been fixed for 6.6 series.
It will be great to implement something generic to filter menus that the user is not allowed to access it’s action. But I’m not sure if this is easly doable.

maxx · January 18, 2023, 10:15am

In our case, we added a sub-menu “Incoming Moves” in the Purchase Menu.

        <record model="ir.action.act_window" id="act_move_form_incoming">
            <field name="name">Incoming Moves</field>
            <field name="res_model">stock.move</field>
            <field name="domain"
                eval="[['OR', ('from_location.type', '=', 'supplier'), ('shipment', 'like', 'stock.shipment.in,%')], ('state', '=', 'draft')]"
                pyson="1"/>
        </record>
        <record model="ir.action.act_window.view" id="act_move_form_incoming_view1">
            <field name="sequence" eval="10"/>
            <field name="view" ref="purchase_move_view_list"/>
            <field name="act_window" ref="act_move_form_incoming"/>
        </record>
        <record model="ir.action.act_window.view" id="act_move_form_incoming_view2">
            <field name="sequence" eval="20"/>
            <field name="view" ref="purchase_move_view_form_planning"/>
            <field name="act_window" ref="act_move_form_incoming"/>
        </record>
        <record model="ir.action.act_window.domain"
            id="act_move_form_incoming_domain_all">
            <field name="name">All</field>
            <field name="sequence" eval="10"/>
            <field name="domain"></field>
            <field name="act_window" ref="act_move_form_incoming"/>
        </record>
        <record model="ir.action.act_window.domain"
            id="act_move_form_incoming_domain_supplier">
            <field name="name">From Suppliers</field>
            <field name="sequence" eval="20"/>
            <field name="domain"
                eval="[('from_location.type', '=', 'supplier')]"
                pyson="1"/>
            <field name="act_window" ref="act_move_form_incoming"/>
        </record>
        <record model="ir.action.act_window.domain"
            id="act_move_form_incoming_domain_inventory">
            <field name="name">Inventory</field>
            <field name="sequence" eval="30"/>
            <field name="domain"
                eval="[('from_location.type', '!=', 'supplier')]"
                pyson="1"/>
            <field name="act_window" ref="act_move_form_incoming"/>
        </record>
        <record model="ir.action.act_window.domain"
            id="act_move_form_incoming_domain_mine">
            <field name="name">Mine</field>
            <field name="sequence" eval="40"/>
            <field name="domain"
                eval="[('origin.requests.origin.requisition.employee', '=', Eval('context', {}).get('employee', -1), 'purchase.line', 'purchase.requisition.line')]"
                pyson="1"/>
            <field name="act_window" ref="act_move_form_incoming"/>
        </record>
        <menuitem parent="purchase.menu_purchase" sequence="40"
            action="act_move_form_incoming"
            id="menu_move_form_incoming"/>
        <record model="ir.ui.menu-res.group"
            id="menu_move_incoming_group_purchase">
            <field name="menu" ref="menu_move_form_incoming"/>
            <field name="group"
                ref="purchase.group_purchase"/>
        </record>

ced · January 18, 2023, 11:01am

I do not think it is doable to write a record rule because it depends on all the actions linked to the menu entry and on the ModelAccess.check method.

But maybe a similar filter like before the access rule could be added back.

pokoli · June 14, 2023, 9:50am

I think we should go with a generic solution as the issue is not only present for Inventory & Stock menu, but also for Purchase amendments (and probably much more menu entries).

So I filled a new issue: Hide menus related to acctions the user is not allowed to access (#12322) · Issues · Tryton / Tryton · GitLab