Record Rule help


(Jonathan Levy) #1

I am struggling to get record rules to work. I have a ModelSQL called timeclock_event, which has an “employee” attribute. The goal is to generally allow employees access to timeclock_events only where they are the employee, but to have a “Timeclock Admin” group with access to all records. I have the first part working (restricting users to their own records), but can’t get the admin group to work.

Here is the relevant code:

    <record model="res.group" id="timeclock_admin">
        <field name="name">Timeclock Admin</field>
    </record>

    <!-- The general rule, which is working -->
    <record model="ir.rule.group" id="rule_your_timeclock_events">
        <field name="model" search="[('model', '=', 'timeclock_event')]"/>
        <field name="global_p" eval="False"/>
        <field name="default_p" eval="True"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_delete" eval="True"/>
        <field name="perm_create" eval="True"/>
    </record>
    <record model="ir.rule" id="rule_your_timeclock_line1">
        <field name="domain">[('employee', '=', user.employee and user.employee.id or None)]</field>
        <field name="rule_group" ref="rule_your_timeclock_events"/>
    </record>

    <!-- Not working: Granting broader access to timeclock admin group member -->
    <record model="ir.model.access" id="access_admin_all_timeclock_events">
        <field name="model" search="[('model', '=', 'timeclock_event')]"/>
        <field name="group" ref="timeclock_admin"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_delete" eval="True"/>
    </record>
    <record model="ir.rule.group" id="rule_all_timeclock_events">
        <field name="model" search="[('model', '=', 'timeclock_event')]"/>
        <field name="global_p" eval="False"/>
        <field name="default_p" eval="False"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_delete" eval="True"/>
        <field name="perm_create" eval="True"/>
    </record>
    <!-- I've also tried including this, but it doesn't help
    <record model="ir.rule" id="rule_all_timeclock_line1">
        <field name="domain">[]</field>
        <field name="rule_group" ref="rule_all_timeclock_events"/>
    </record>
    -->
    <record model="ir.rule.group-res.group"
        id="rule_all_timeclock_events_timeclock_admin">
        <field name="rule_group" ref="rule_all_timeclock_events"/>
        <field name="group" ref="timeclock_admin"/>
    </record>

(Cédric Krier) #2

I think access_admin_all_timeclock_events should be explicitly put as non-global.


(Jonathan Levy) #3

Thank you for the advice, but I don’t understand it. access_admin_timeclock_events is an instance of ir.model.access, and I don’t see how to mark it as non-global. It doesn’t have a global attribute.

    Pool().get('ir.model.access')._fields.keys()
    > ['rec_name', 'create_uid', 'create_date', 'description', 'write_date',
       'write_uid', 'perm_read', 'perm_create', 'perm_write', 'group',
       'model', 'perm_delete', 'id']

The analogous ir.rule.group (i.e., rule_all_timeclock_events) already has global_p set to False.


(Cédric Krier) #4

My bad, I meant this but I read it wrongly.

But is the admin user in the group “Timeclock Admin”?
And are you sure that the global_p is correctly set to False for rule_all_timeclock_events in the database? Sometimes during development, the update does not work because of incompatible changes made in the XML.


(Jonathan Levy) #5

Right now, when any user accesses the timeclock events menu, they will see the timeclock events of that user’s employee. The goal is that, in addition to that behavior, members of the timeclock_admin group should be able to see all timeclock events (but this aspect is not working).

I confirmed in the gtk that rule_all_timeclock_events has both “global” and “default” unchecked.

Thanks, again, for your help and attention.


(Cédric Krier) #6

And rule_your_timeclock_events also?


(Jonathan Levy) #7

The rule_your_timeclock_events was marked as non-global, but default. I experimented with changing it to non-default and, to my surprise, this did not affect the behavior. I was expecting that, without default checked, it would not apply unless the user was designated for it to apply in some way, but that is not the case. (?)


(Cédric Krier) #8

This made me think that your domain should probably be wrong.
And indeed they are. They must be PYSON statements and they should look like:

    <field name="domain" eval="[('employee', '=', Eval('user', {}).get('employee'))]" pyson="1"/>

(Jonathan Levy) #9

This gives me an error, NameError: name 'Eval' is not defined.

(I had tried this format previously, based on the examples at [1], but received this error. I then searched standard modules, which led me to the <field ...>domain</field> syntax.)

Btw, I am using 3.4. I did a search of standard 3.4 modules and did not locate pyson=, so I am thinking this may have changed since my version?

[1] https://groups.google.com/forum/#!topic/tryton/JeXK9tJ5ctE


(Sergi Almacellas Abellana) #10

The pyson="1" syntax was introduced in version 3.6.

You can have a look at the timesheet module for a similar rule in version 3.4.


(Jonathan Levy) #11

Thanks very much for the suggestion. I was using that syntax originally (see the above code), and it halfway worked: I was able to add a rule to restrict users to records where the record’s employee field matched their user’s employee. However, I also wanted to create a timeclock_admin group that was able to see all the records, but I was unable to make this more permissive rule work to override the default rule.

Thanks, again, though for the suggestion.


(Cédric Krier) #12

I think the only solution left is to look at the SQL query generated to understand what WHERE clause is used.