Record Rule to allow a User to update their own Employee record without belonging to Officer group

0
votes

I am trying to define a Record Rule within OpenERP 7.0 that allows a User who is not in the Officer group to change their own Employee record only, while still keeping the existing global rule allowing users in the Officer group full rights. I've gotten as far as setting up a custom rule with the following details:

  • Name: User_edit_own_employee_rule
  • Object: Employee
  • Apply for Read: checked
  • Apply for Write: checked
  • Rule Definition: [('user_id', '=', user.id)]

However, all this seems to do is remove the ability of the User to read any Employee record except for their own. As far as I can tell, I need to combine this rule with a logical OR operator with Group rule applying to users in the Officer group. Can anyone give me any pointers for how to accomplish this?

Edit: My desired behaviour is thus:

  • All users (Employee group) can search and read all Employee records.
  • Users in the Employee group can edit their own Employee record, but not others.
  • Users in the Officer group can edit all Employee records (this is default behaviour for the HR module).

Tried thus far:

  • Modify the Record Rule described above (User_edit_own_employee_rule) to apply only for Write operations, not Read operations (users can see all Employee records, but not edit any records including their own).
  • Modify the hr.employee system user Access Control rule to allow Write operations (users can now edit all Employee records).

One clue I have is that, using the API to return an employee's user_id in the shell, OpenERP returns [5, 'Joe Bloggs']. I wonder whether my Record Rule is querying the foreign key relationship properly?

1
openerp

1 Answers

3
votes

Providing access rule is one part of the solution. If you look at "Access Control List" in "Settings > Technical > Security > Access Controls Lists", you can see that the group Hr Employee has only read access to the model hr.employee. So first you have to provide write access also to model hr.employee for group Employee. After you have allowed write access to the group Employee for model hr.employee,

  • Create a new record rule from Settings > Technical > Security > Record Rules named User_edit_own_employee_rule (As you wish).
  • Provide domain for this group User_edit_own_employee_rule as [('user_id', '=', user.id)]. And this domain should apply for Read and Write. ie; by check "Apply for Read" and "Apply for Write" Boolean field.
  • Create another record rule named User_edit_own_employee_rule_1
  • Provide domain for this group User_edit_own_employee_rule as [('user_id', '!=', user.id)]. And this domain should apply for Read only. ie; check "Apply for Read".

Now by creating two record rule for the group Employee, we can provide access to read and write his/her own record but only to read other employee records.

Let me summarize:

Provide write access in access control list to model hr.employee for group Employee. Create two record rule:

User_edit_own_employee_rule :

  • Name : User_edit_own_employee_rule
  • Object : Employee
  • Apply for Read : Checked
  • Apply for Write : Checked
  • Rule Definition : [('user_id', '=', user.id)]
  • Groups : Human Resources / Employee

User_edit_own_employee_rule_1 :

  • Name : User_edit_own_employee_rule_1
  • Object : Employee
  • Apply for Read : Checked
  • Apply for Write : Un Checked
  • Rule Definition : [('user_id', '!=', user.id)]
  • Groups : Human Resources / Employee

Hope This Helps....