From 381bf9b354e4c26ab8a2e2d221f442090895ed10 Mon Sep 17 00:00:00 2001
From: Suherdy Yacob <suherdy.yacob@mapan.co.id>
Date: Mon, 16 Feb 2026 11:36:57 +0700
Subject: [PATCH] fix: Apply `sudo()` to user field access and enhance
 warehouse and location domain conditions across various access rules.

---
 security/ir_rule.xml     |  22 +++----
 security/ir_rule.xml.bak | 130 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+), 11 deletions(-)
 create mode 100644 security/ir_rule.xml.bak

diff --git a/security/ir_rule.xml b/security/ir_rule.xml
index 44a08d9..347a32a 100644
--- a/security/ir_rule.xml
+++ b/security/ir_rule.xml
@@ -15,7 +15,7 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('id', 'in', user.allowed_warehouse_ids.ids)] if user.allowed_warehouse_ids else [(1, '=', 1)]
+                [('id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_warehouse_ids or user.sudo().allowed_location_ids) else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -28,7 +28,7 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', ('id', 'in', user.allowed_picking_type_ids.ids), ('warehouse_id', 'in', (user.allowed_warehouse_ids + user.allowed_location_ids.warehouse_id).ids)] if (user.allowed_picking_type_ids or user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
+                ['|', ('id', 'in', user.sudo().allowed_picking_type_ids.ids), ('warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_picking_type_ids or user.sudo().allowed_warehouse_ids or user.sudo().allowed_location_ids) else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -41,7 +41,7 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', '|', '|', ('id', 'in', user.allowed_location_ids.ids), ('id', 'child_of', user.allowed_location_ids.ids), ('id', 'parent_of', user.allowed_location_ids.ids), ('warehouse_id', 'in', (user.allowed_warehouse_ids + user.allowed_location_ids.warehouse_id).ids)] if (user.allowed_location_ids or user.allowed_warehouse_ids) else [(1, '=', 1)]
+                ['|', '|', '|', ('id', 'in', user.sudo().allowed_location_ids.ids), ('id', 'child_of', user.sudo().allowed_location_ids.ids), ('id', 'parent_of', user.sudo().allowed_location_ids.ids), ('warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -54,7 +54,7 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                ['|', '|', ('location_id', 'in', user.sudo().allowed_location_ids.ids), ('location_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -67,8 +67,8 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
-                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                ['|', '|', '|', '|', ('location_id', 'in', user.sudo().allowed_location_ids.ids), ('location_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids),
+                 '|', '|', ('location_dest_id', 'in', user.sudo().allowed_location_ids.ids), ('location_dest_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_dest_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -81,8 +81,8 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
-                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                ['|', '|', '|', '|', ('location_id', 'in', user.sudo().allowed_location_ids.ids), ('location_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids),
+                 '|', '|', ('location_dest_id', 'in', user.sudo().allowed_location_ids.ids), ('location_dest_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_dest_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -95,7 +95,7 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('id', 'in', user.allowed_workcenter_ids.ids)] if user.allowed_workcenter_ids else [(1, '=', 1)]
+                [('id', 'in', user.sudo().allowed_workcenter_ids.ids)] if user.sudo().allowed_workcenter_ids else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -108,7 +108,7 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('id', 'in', user.allowed_approval_category_ids.ids)] if user.allowed_approval_category_ids else [(1, '=', 1)]
+                [('id', 'in', user.sudo().allowed_approval_category_ids.ids)] if user.sudo().allowed_approval_category_ids else [(1, '=', 1)]
                 )
             </field>
         </record>
@@ -121,7 +121,7 @@
             <field name="domain_force">
                 (
                 [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('warehouse_id', 'in', (user.allowed_warehouse_ids + user.allowed_location_ids.warehouse_id).ids)] if (user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
+                [('warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_warehouse_ids or user.sudo().allowed_location_ids) else [(1, '=', 1)]
                 )
             </field>
         </record>
diff --git a/security/ir_rule.xml.bak b/security/ir_rule.xml.bak
new file mode 100644
index 0000000..c54478b
--- /dev/null
+++ b/security/ir_rule.xml.bak
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data>
+        <!-- 
+            RESTRICTIVE RULES 
+            These rules restrict access based on User's allowed fields.
+            They include a context check 'bypass_user_restriction' to allow system/sudo operations to pass if needed.
+        -->
+
+        <!-- Stock Warehouse -->
+        <record id="stock_warehouse_allowed_rule" model="ir.rule">
+            <field name="name">Stock Warehouse Allowed Access</field>
+            <field name="model_id" ref="stock.model_stock_warehouse"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                [('id', 'in', user.allowed_warehouse_ids.ids)] if user.allowed_warehouse_ids else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+        <!-- Stock Picking Type -->
+        <record id="stock_picking_type_allowed_rule" model="ir.rule">
+            <field name="name">Stock Picking Type Allowed Access</field>
+            <field name="model_id" ref="stock.model_stock_picking_type"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                ['|', ('id', 'in', user.allowed_picking_type_ids.ids), ('warehouse_id', 'in', user.allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.allowed_picking_type_ids or user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+        <!-- Stock Location -->
+        <record id="stock_location_allowed_rule" model="ir.rule">
+            <field name="name">Stock Location Allowed Access</field>
+            <field name="model_id" ref="stock.model_stock_location"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                ['|', '|', '|', ('id', 'in', user.allowed_location_ids.ids), ('id', 'child_of', user.allowed_location_ids.ids), ('id', 'parent_of', user.allowed_location_ids.ids), ('warehouse_id', 'in', user.allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.allowed_location_ids or user.allowed_warehouse_ids) else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+        <!-- Stock Quant (The critical one for Reports) -->
+        <record id="stock_quant_allowed_rule" model="ir.rule">
+            <field name="name">Stock Quant Allowed Access</field>
+            <field name="model_id" ref="stock.model_stock_quant"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                ['|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+        <!-- Stock Move -->
+        <record id="stock_move_allowed_rule" model="ir.rule">
+            <field name="name">Stock Move Allowed Access</field>
+            <field name="model_id" ref="stock.model_stock_move"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
+                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+        <!-- Stock Move Line -->
+        <record id="stock_move_line_allowed_rule" model="ir.rule">
+            <field name="name">Stock Move Line Allowed Access</field>
+            <field name="model_id" ref="stock.model_stock_move_line"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
+                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+        <!-- MRP Workcenter -->
+        <record id="mrp_workcenter_allowed_rule" model="ir.rule">
+            <field name="name">MRP Workcenter Allowed Access</field>
+            <field name="model_id" ref="mrp.model_mrp_workcenter"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                [('id', 'in', user.allowed_workcenter_ids.ids)] if user.allowed_workcenter_ids else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+        
+        <!-- Approval Category -->
+        <record id="approval_category_allowed_rule" model="ir.rule">
+            <field name="name">Approval Category Allowed Access</field>
+            <field name="model_id" ref="approvals.model_approval_category"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                [('id', 'in', user.allowed_approval_category_ids.ids)] if user.allowed_approval_category_ids else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+        <!-- Report Stock Quantity -->
+        <record id="report_stock_quantity_allowed_rule" model="ir.rule">
+            <field name="name">Report Stock Quantity Allowed Access</field>
+            <field name="model_id" ref="stock.model_report_stock_quantity"/>
+            <field name="global" eval="True"/>
+            <field name="domain_force">
+                (
+                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
+                [('warehouse_id', 'in', user.allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
+                )
+            </field>
+        </record>
+
+    </data>
+</odoo>