Record Rules For Objects in Odoo
Record Rules For Objects
Record rules determine who can access the objects, depending on the rules set for the particular object. A record rule has some tests to be performed on objects.
You can manage four access modes on objects independently, depending on the test:
Read access : can read the data in the object,
Create access : can create a new record in the object,
Write access : can modify the contents of records in the object,
Delete access : can delete records from the object.
To configure a rule on an object, use the menu Administration ‣ Security ‣ Record Rules. The fields in the ir.rule object describe:
Object : Object on which to have the rule
Name : Name of the rule
Global : If global is checked, then that rule would be applied for all the groups; and if it is unchecked, then that rule would be applied only for the groups selected for it
Domain : A list of all the tests for the object. It is specified through a Python expression as a list of tuples.
If there are multiple tests on same object, then all of them are joined using AND operator, and depending on the result the rule would be satisfied
Access Modes : Read, Write, Create, Delete as described earlier
If only one access mode is checked, then only that mode would be applied
If all of them are checked, then all the access modes would be applied
But at least one access mode has to be checked, all of them cannot be unchecked. If all of them are unchecked, it would raise an exception.
For example : We can have a rule defined on res.partner object, which tests if the user is the dedicated salesman of the partner [('user_id', '=', user.id)]. We check only the create and write access modes and keep other access modes unchecked.
This would mean that a user in the group for which the rule is applied can only create/write records where he himself serves as the dedicated salesman, and cannot create/write records where he is not the dedicated salesman. As other access modes are unchecked, the user cannot read/delete the records of partners where he is not the dedicated salesman .
Each tuple in the search domain needs to have 3 elements, in the form:
('field_name', 'operator', value),
field_name must be a valid name of field of the object model, possibly following many-to-one relationships using dot-notation, e.g 'street' or 'partner_id.country' are valid values.
operator must be a string with a valid comparison operator from this list: =, !=, >, >=, <, <=, like, ilike, in, not in, child_of, parent_left, parent_right The semantics of most of these operators are obvious. The child_of operator will look for records who are children or grand-children of a given record, according to the semantics of this model (i.e following the relationship field named by self._parent_name, by default parent_id.
Value must be a valid value to compare with the values of field_name, depending on its type .
Note: uid = the id of the curent user
Domain criteria can be combined using 3 logical operators than can be added between tuples: '&' (logical AND, default), '|' (logical OR), '!' (logical NOT). These are prefix operators and the arity of the '&' and '|' operator is 2, while the arity of the '!' is just 1. Be very careful about this when you combine them the first time.
Priority Rule for Logical Operators :
NAO (NOT AND OR)
Here is an example of searching for Partners named ABC from Belgium and Germany whose language is not english ::
[('name','=','ABC'),'!',('language.code','=','en_US'),'|',('country_id.code','=','be'),('country_id.code','=','de')]
The '&' is omitted as it is the default, and of course we could have used '!=' for the language, but what this domain really represents is::
(name is 'ABC' AND (language is NOT english) AND (country is Belgium OR Germany))
Record rules determine who can access the objects, depending on the rules set for the particular object. A record rule has some tests to be performed on objects.
You can manage four access modes on objects independently, depending on the test:
Read access : can read the data in the object,
Create access : can create a new record in the object,
Write access : can modify the contents of records in the object,
Delete access : can delete records from the object.
To configure a rule on an object, use the menu Administration ‣ Security ‣ Record Rules. The fields in the ir.rule object describe:
Object : Object on which to have the rule
Name : Name of the rule
Global : If global is checked, then that rule would be applied for all the groups; and if it is unchecked, then that rule would be applied only for the groups selected for it
Domain : A list of all the tests for the object. It is specified through a Python expression as a list of tuples.
If there are multiple tests on same object, then all of them are joined using AND operator, and depending on the result the rule would be satisfied
Access Modes : Read, Write, Create, Delete as described earlier
If only one access mode is checked, then only that mode would be applied
If all of them are checked, then all the access modes would be applied
But at least one access mode has to be checked, all of them cannot be unchecked. If all of them are unchecked, it would raise an exception.
For example : We can have a rule defined on res.partner object, which tests if the user is the dedicated salesman of the partner [('user_id', '=', user.id)]. We check only the create and write access modes and keep other access modes unchecked.
This would mean that a user in the group for which the rule is applied can only create/write records where he himself serves as the dedicated salesman, and cannot create/write records where he is not the dedicated salesman. As other access modes are unchecked, the user cannot read/delete the records of partners where he is not the dedicated salesman .
Each tuple in the search domain needs to have 3 elements, in the form:
('field_name', 'operator', value),
field_name must be a valid name of field of the object model, possibly following many-to-one relationships using dot-notation, e.g 'street' or 'partner_id.country' are valid values.
operator must be a string with a valid comparison operator from this list: =, !=, >, >=, <, <=, like, ilike, in, not in, child_of, parent_left, parent_right The semantics of most of these operators are obvious. The child_of operator will look for records who are children or grand-children of a given record, according to the semantics of this model (i.e following the relationship field named by self._parent_name, by default parent_id.
Value must be a valid value to compare with the values of field_name, depending on its type .
Note: uid = the id of the curent user
Domain criteria can be combined using 3 logical operators than can be added between tuples: '&' (logical AND, default), '|' (logical OR), '!' (logical NOT). These are prefix operators and the arity of the '&' and '|' operator is 2, while the arity of the '!' is just 1. Be very careful about this when you combine them the first time.
Priority Rule for Logical Operators :
NAO (NOT AND OR)
Here is an example of searching for Partners named ABC from Belgium and Germany whose language is not english ::
[('name','=','ABC'),'!',('language.code','=','en_US'),'|',('country_id.code','=','be'),('country_id.code','=','de')]
The '&' is omitted as it is the default, and of course we could have used '!=' for the language, but what this domain really represents is::
(name is 'ABC' AND (language is NOT english) AND (country is Belgium OR Germany))
0 comments:
Post a Comment