Odoo Server (MOVED TO GITHUB)

Bug #1021378
Comment #14

Comment 14 for bug 1021378

Revision history for this message

Med Said BARA (diassynthesis) wrote on 2013-02-21:

#14

Hi Everybody;

Further Investigations

You can verify by yourself that this issue exist on the latest runbot releases for 7.0 and trunk but not for 6.0 and 6.1
http://trunk-4253.runbot.openerp.com
http://7-0-4260.runbot.openerp.com
.
.
.
http://6-1-4257.runbot.openerp.com

Also according to the content of openerp.log file :
<< 2013-02-20 18:36:39,023 8916 INFO gsctest werkzeug: 41.107.104.239 - - [20/Feb/2013 18:36:39] "POST /web/dataset/call_kw HTTP/1.1" 200 -
2013-02-20 18:36:49,286 8916 WARNING gsctest openerp.osv.orm: Access Denied by record rules for operation: create, uid: 12, model: res.partner
2013-02-20 18:36:49,286 8916 ERROR gsctest openerp.netsvc: Access Denied
The requested operation cannot be completed due to security restrictions. Please contact your system administrator.

(Document type: Partner, Operation: create)
Traceback (most recent call last):
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\netsvc.py", line 289, in dispatch_rpc
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\service\web_services.py", line 614, in dispatch
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\osv\osv.py", line 169, in execute_kw
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\osv\osv.py", line 125, in wrapper
except_osv: (u'Access Denied', u'The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: Partner, Operation: create)')
2013-02-20 18:36:49,349 8916 INFO gsctest werkzeug: 41.107.104.239 - - [20/Feb/2013 18:36:49] "POST /web/dataset/call_kw HTTP/1.1" 200 - >>
We can see that this issue is related to access rights on the Model "res.partner" (also called Object in v6.0).
So what have changed since in Record Rules since v7.0 on res.partner ?

Searching in Record Rules for v6.0, v6.1, v7.0 and trunk, and comparing between the rules found,we will see:
1- there is one common rule: "res.partner company" on Partner Model with exactly the same rightsCRUD and Global
and exactly the same definition - ['|','|',('company_id.child_ids','child_of',[user.company_id.id]),('company_id','child_of',[user.company_id.id]),('company_id','=',False)]

2- There is a second rule for v7.0 and trunk: "res_partner: read access on my partner" on the same Model (res.partner)
with just "READ" Access right and defined for "Portal" and Anonymous" groups.

3- There is also another rule for v6.0 and 6.1: " Account Followup Statistics by Partner Rule" , but this is not important, cause it is on the object " Followup Statistics by Partner " and not the object "res.partner"

4- and the last rule: "Partner Bank company rule" whish also seems to be not important in our case cause it's related to res.partner.bank and not directly to res.partner

Conclusion:

The second rule (above) seems to be the cause of this issue.

Solution:
1- Put CRUD and Global rughts on this rule
2- Removing the access rights of users on "Portal" and "Anonymous" (Unchecking both)

Tested on runbot: the two solutions are not working

Tested on my development platform: the second solution is working fine

please, could someone test and confirm

best regards.

Hi Everybody;

Further Investigations

(Document type: Partner, Operation: create)
Traceback (most recent call last):
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\netsvc.py", line 289, in dispatch_rpc
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\service\web_services.py", line 614, in dispatch
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\osv\osv.py", line 169, in execute_kw
  File "F:\Program Files (x86)\OpenERP 7.0alpha-20130107-000101\Server\server\.\openerp\osv\osv.py", line 125, in wrapper
except_osv: (u'Access Denied', u'The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: Partner, Operation: create)')
2013-02-20 18:36:49,349 8916 INFO gsctest werkzeug: 41.107.104.239 - - [20/Feb/2013 18:36:49] "POST /web/dataset/call_kw HTTP/1.1" 200 - >>
We can see that this issue is related to access rights on the Model "res.partner"  (also called Object in v6.0).
So what have changed since in Record Rules since v7.0 on res.partner ?

Searching in Record Rules for v6.0, v6.1, v7.0 and trunk, and comparing between the rules found,we will see:
1- there is one common rule: "res.partner company" on Partner Model with exactly the same rightsCRUD  and Global
     and exactly the same definition  - ['|','|',('company_id.child_ids','child_of',[user.company_id.id]),('company_id','child_of',[user.company_id.id]),('company_id','=',False)]

2- There is a second rule for v7.0 and trunk: "res_partner: read access on my partner" on the same Model (res.partner)
     with just "READ" Access right and defined for "Portal" and Anonymous" groups.

3- There is also another rule for v6.0 and 6.1: " 	Account Followup Statistics by Partner Rule" , but this is not important, cause it is on the object " 	Followup Statistics by Partner " and not the object "res.partner"

4- and the last rule: "Partner Bank company rule" whish also seems to be not important in our case cause it's related to res.partner.bank and not directly  to res.partner