For some models, we allow “admin rights” to users. For instance, creating products for opportunities.
But, if we intend to sell those products, we need to validate some details (accounting, customs, measurements) and then prevent users from updating data once the product is validated. In this case, we use the nan-tic module https://github.com/NaN-tic/trytond-product_validate which adds a “validate” boolean field on the template form. This field is only writeable by a specific group “product_validation”.
Once a product is validated, users having “product admin” rights should not update this product. This could only be done by users in the “product_validation” group.
So I add this rule to prevent users in the “product_admin” group from writing to the product model if the field “validated” is true:
With this rule, I only see validated products and I can’t write them, which is correct.
But my products which are not validated are not displayed!
So I have 2 groups:
product_admin
product_validation
Product_admin has the default rights to create, update and delete products but can’t “validate” a product. Once a product is validated, product_admin can no longer update the product.
Product_validation group has all rights on product (validate, and also updating a validated product).
I need some help to set correct rules depending on this behaviour. Thanks!
Contrary to other access rights, the Rules remove access instead of giving it (it is a kind of filter).
So your rule limits the read access for the group to only validated products.
Instead you must reverse the rules to give write access to only non-validated products.
To ensure the value of a <field/> through update, you must always have it declared.
Removing a <field/> from the XML means that you no longer care about its value.
So I define a group product_management similar to product_admin.
Only group product_admin can write boolean field “validate” on product template.
The product_management group cannot update or delete a product template having field validate = ‘True’.
I define a rule to allow write/delete permission on group product_management when validated field is False.
Products with validated field = True are not visible… even for admin (but I need to see all products!).
As admin, I can’t save a template with validated=True (not allowed to write records… because of my rule).
There is no special rule for admin. So if you create a new group you should assign it to the admin user so he is able to perform this operation also. As the admin user is created with an xml record, you can assign the group on your xml group so this is automatically done when updating your module. You can have a look at the account module to see how it’s done.
I don’t want the admin user to be part of this new group ‘product_management’. Admin is part of group “product_admin” with all the rights on products. The product_management group will be similar to group “product_admin” except I don’t want people in this group to be able to update or delete products having “validated” field = True.
So I try to define a rule for this: everybody can see all products, product_admin can do anything, product_management can do anything except updating or deleting validated products.
Nice question. I’m always in for a challenge, so I fiddled around a bit.
I’ve tried your idea on the trunk version of Tryton, so no idea if it will work with your version of Tryton. Also I made a small change to your idea: I used the salable field and made the rules in the GUI rather than in XML. I will leave that to you.
I’ve created a record rule with an empty domain.
model: product.template
only ‘read’ access
both ‘global’ and ‘default’ unchecked
domain, leave it empty or add '[]'
Just create a special group for them and add the empty rule, but also add all the rights on the product.template model on the model access tab
Create a new record rule with [["salable", "=", True]] as domain
model: product.template
all access
both ‘global’ and ‘default’ unchecked
Create a new group, and add all access on the product.template model like the group above. Also add the two newly created record rules to the group.
It’s very rough but hopefully it will help you a bit.
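The filtering behaviour discussed in this thread, as an added example that is not part of any post and is not Tryton's own code: a simplified model of record rules attached to user groups, with global and default rules left out as in the setup above. `RuleGroup`, `allowed`, `visible` and the sample products are hypothetical names and constructed data.

```python
from dataclasses import dataclass

@dataclass
class RuleGroup:
    """Simplified stand-in for a record rule attached to user groups."""
    groups: set    # user groups the rule is attached to
    modes: set     # modes it filters: read / write / create / delete
    domains: list  # predicates; a record passes if any one matches

def allowed(user_groups, rule_groups, mode, record):
    # Rules only filter: with no applicable rule nothing is restricted,
    # otherwise the record must match at least one applicable domain.
    applicable = [rg for rg in rule_groups
                  if mode in rg.modes and rg.groups & user_groups]
    if not applicable:
        return True
    return any(dom(record) for rg in applicable for dom in rg.domains)

def visible(user_groups, rule_groups, mode, records):
    return [r["name"] for r in records
            if allowed(user_groups, rule_groups, mode, r)]

# Constructed sample records
PRODUCTS = [{"name": "draft", "validated": False},
            {"name": "approved", "validated": True}]
ALL_MODES = {"read", "write", "create", "delete"}

# As the reply describes the first rule (the rule itself is not on the page):
# it applies to read with a domain selecting validated products.
FIRST_ATTEMPT = [RuleGroup({"product_admin"}, {"read"},
                           [lambda r: r["validated"]])]

# Reversed rule: read is left alone, write/delete limited to non-validated.
REVERSED = [RuleGroup({"product_management"}, {"write", "delete"},
                      [lambda r: not r["validated"]])]

# Two-rule variant: an empty domain for read plus an all-access rule with a
# domain (validated = False here; the post used the salable field).
TWO_RULES = [RuleGroup({"product_management"}, {"read"}, [lambda r: True]),
             RuleGroup({"product_management"}, ALL_MODES,
                       [lambda r: not r["validated"]])]

if __name__ == "__main__":
    print(visible({"product_admin"}, FIRST_ATTEMPT, "read", PRODUCTS))
    for rules in (REVERSED, TWO_RULES):
        for mode in ("read", "write"):
            print(mode, visible({"product_management"}, rules, mode, PRODUCTS))
```

A user whose groups have no rule for a given mode is not filtered in this model, which is why the restriction has to be attached to the group that should be limited.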
Since my last post, I met some problems with field access rules when duplicating a record. (Setting perm_write=False on a field doesn’t allow duplicating a record.) So I updated my code to set the field ‘readonly’ depending on the field state attribute instead of on field access rules.
To summarize, I need to allow some users to have some rights to manage products but they are not product_admin.
So, I’ve defined a new group product_management similar to product_admin.
I’ve added a boolean field “Validated” on product template. Only group product_admin can write boolean field “validate” on product template.
The product_management group cannot update or delete a product template once field validate is ‘True’.
Here’s my code:
product.py
```python
from trytond.model import fields
from trytond.pool import PoolMeta
from trytond.pyson import Eval, Id


class Template(metaclass=PoolMeta):
    __name__ = 'product.template'

    # Shown read-only in the client unless the user is in the product admin group
    validated = fields.Boolean('Validated',
        states={
            'readonly': ~Id('product', 'group_product_admin').in_(
                Eval('context', {}).get('groups', [])),
            })

    @classmethod
    def default_validated(cls):
        return False

    @classmethod
    def copy(cls, templates, default=None):
        # A duplicated template always starts as not validated
        if default is None:
            default = {}
        else:
            default = default.copy()
        default.setdefault('validated', False)
        return super().copy(templates, default=default)
```
```xml
<?xml version="1.0"?>
<!-- The COPYRIGHT file at the top level of this repository contains the full
     copyright notices and license terms. -->
<data>
    <xpath expr="/form/notebook" position="before">
        <label name="validated"/>
        <field name="validated"/>
    </xpath>
</data>
```