2 Record Rules, same object, same group, different domain

0
votes

Human logic vs OpenERP logic, hard times.

Very simple idea: a project user should be able to see/read all the tasks, but only be able to edit/write his assigned tasks.

Easy, Record Rules on project.task:

  • 1st rule: [('user_id','!=',user.id)], grants Read
  • 2nd rule: [('user_id','=',user.id)], grants RW

Nope, 2nd rule overwrites the 1st one.

Is it me or it is really complicated to do real simple things? Have I missed something?

Thanks

Edit: To clarify my point here are my rules 1 & 2:

    <record model="ir.rule" id="project_task_user_rule">
        <field name="name">Project/task: user: read others tasks</field>
        <field name="model_id" ref="project.model_project_task"/>
        <field name="domain_force">[('user_id','not in',[user.id])]</field>
        <field name="groups" eval="[(4,ref('project.group_project_user'))]"/>
        <field eval="1" name="perm_read"/>
        <field eval="0" name="perm_write"/>
        <field eval="0" name="perm_create"/>
        <field eval="0" name="perm_unlink"/>
    </record>

    <record model="ir.rule" id="project_task_user_rule">
        <field name="name">Project/task: user: RW rights on his tasks</field>
        <field name="model_id" ref="project.model_project_task"/>
        <field name="domain_force">[('user_id','=',user.id)]</field>
        <field name="groups" eval="[(4,ref('project.group_project_user'))]"/>
        <field eval="1" name="perm_read"/>
        <field eval="1" name="perm_write"/>
        <field eval="0" name="perm_create"/>
        <field eval="0" name="perm_unlink"/>
    </record>

In this case, the user sees only his tasks and can modify them. If I put the second rule over the first one, user can see all the tasks, but is not able to edit any, neither his own.

2
openerpopenerp-7

2 Answers

0
votes

No they don't overwrite each other, they are cumulative: The access rule engine looks for a positive permission for the action to be done (read, create, write, unlink) in any of the available rules.

That same method is used in the OCA module project_baseuser to limit helpdesk end users to have write access only on draft/new Tasks. Once Tasks move to a started stage only Project Users can edit them. See: https://github.com/OCA/project/blob/29caef1cd8029e755c2c27d54541202d52b9c744/project_baseuser/security/project_security.xml#L79

0
votes

Alright while editing my post I figured out that I made a huge beginner mistake...

If you look at the id I gave to my records, they are the same, thus the second overwrites the first while being read. With two different ids, of course that now works!

Thanks @Daniel Reis, somehow made me aware of that.

Cheers!