fix: Apply sudo() to user field access and enhance warehouse and location domain conditions across various access rules.

2026-02-16 11:36:57 +07:00 · 2026-02-16 11:36:57 +07:00 · 381bf9b354
commit 381bf9b354
parent f914c64c5f
2 changed files with 141 additions and 11 deletions
--- a/security/ir_rule.xml
+++ b/security/ir_rule.xml
@ -15,7 +15,7 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('id', 'in', user.allowed_warehouse_ids.ids)] if user.allowed_warehouse_ids else [(1, '=', 1)]
+                [('id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_warehouse_ids or user.sudo().allowed_location_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
@ -28,7 +28,7 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', ('id', 'in', user.allowed_picking_type_ids.ids), ('warehouse_id', 'in', (user.allowed_warehouse_ids + user.allowed_location_ids.warehouse_id).ids)] if (user.allowed_picking_type_ids or user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
+                ['|', ('id', 'in', user.sudo().allowed_picking_type_ids.ids), ('warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_picking_type_ids or user.sudo().allowed_warehouse_ids or user.sudo().allowed_location_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
@ -41,7 +41,7 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', '|', '|', ('id', 'in', user.allowed_location_ids.ids), ('id', 'child_of', user.allowed_location_ids.ids), ('id', 'parent_of', user.allowed_location_ids.ids), ('warehouse_id', 'in', (user.allowed_warehouse_ids + user.allowed_location_ids.warehouse_id).ids)] if (user.allowed_location_ids or user.allowed_warehouse_ids) else [(1, '=', 1)]
+                ['|', '|', '|', ('id', 'in', user.sudo().allowed_location_ids.ids), ('id', 'child_of', user.sudo().allowed_location_ids.ids), ('id', 'parent_of', user.sudo().allowed_location_ids.ids), ('warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
@ -54,7 +54,7 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                ['|', '|', ('location_id', 'in', user.sudo().allowed_location_ids.ids), ('location_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
@ -67,8 +67,8 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
+                ['|', '|', '|', '|', ('location_id', 'in', user.sudo().allowed_location_ids.ids), ('location_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids),
-                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                 '|', '|', ('location_dest_id', 'in', user.sudo().allowed_location_ids.ids), ('location_dest_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_dest_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
@ -81,8 +81,8 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
+                ['|', '|', '|', '|', ('location_id', 'in', user.sudo().allowed_location_ids.ids), ('location_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids),
-                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
+                 '|', '|', ('location_dest_id', 'in', user.sudo().allowed_location_ids.ids), ('location_dest_id', 'child_of', user.sudo().allowed_location_ids.ids), ('location_dest_id.warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_location_ids or user.sudo().allowed_warehouse_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
@ -95,7 +95,7 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('id', 'in', user.allowed_workcenter_ids.ids)] if user.allowed_workcenter_ids else [(1, '=', 1)]
+                [('id', 'in', user.sudo().allowed_workcenter_ids.ids)] if user.sudo().allowed_workcenter_ids else [(1, '=', 1)]
                )
            </field>
        </record>
@ -108,7 +108,7 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('id', 'in', user.allowed_approval_category_ids.ids)] if user.allowed_approval_category_ids else [(1, '=', 1)]
+                [('id', 'in', user.sudo().allowed_approval_category_ids.ids)] if user.sudo().allowed_approval_category_ids else [(1, '=', 1)]
                )
            </field>
        </record>
@ -121,7 +121,7 @@
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
-                [('warehouse_id', 'in', (user.allowed_warehouse_ids + user.allowed_location_ids.warehouse_id).ids)] if (user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
+                [('warehouse_id', 'in', user.sudo().allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.sudo().allowed_warehouse_ids or user.sudo().allowed_location_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
--- a/security/ir_rule.xml.bak
+++ b/security/ir_rule.xml.bak
@ -0,0 +1,130 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
    <data>
        <!-- 
            RESTRICTIVE RULES 
            These rules restrict access based on User's allowed fields.
            They include a context check 'bypass_user_restriction' to allow system/sudo operations to pass if needed.
        -->
        <!-- Stock Warehouse -->
        <record id="stock_warehouse_allowed_rule" model="ir.rule">
            <field name="name">Stock Warehouse Allowed Access</field>
            <field name="model_id" ref="stock.model_stock_warehouse"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                [('id', 'in', user.allowed_warehouse_ids.ids)] if user.allowed_warehouse_ids else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- Stock Picking Type -->
        <record id="stock_picking_type_allowed_rule" model="ir.rule">
            <field name="name">Stock Picking Type Allowed Access</field>
            <field name="model_id" ref="stock.model_stock_picking_type"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                ['|', ('id', 'in', user.allowed_picking_type_ids.ids), ('warehouse_id', 'in', user.allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.allowed_picking_type_ids or user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- Stock Location -->
        <record id="stock_location_allowed_rule" model="ir.rule">
            <field name="name">Stock Location Allowed Access</field>
            <field name="model_id" ref="stock.model_stock_location"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                ['|', '|', '|', ('id', 'in', user.allowed_location_ids.ids), ('id', 'child_of', user.allowed_location_ids.ids), ('id', 'parent_of', user.allowed_location_ids.ids), ('warehouse_id', 'in', user.allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.allowed_location_ids or user.allowed_warehouse_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- Stock Quant (The critical one for Reports) -->
        <record id="stock_quant_allowed_rule" model="ir.rule">
            <field name="name">Stock Quant Allowed Access</field>
            <field name="model_id" ref="stock.model_stock_quant"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                ['|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- Stock Move -->
        <record id="stock_move_allowed_rule" model="ir.rule">
            <field name="name">Stock Move Allowed Access</field>
            <field name="model_id" ref="stock.model_stock_move"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- Stock Move Line -->
        <record id="stock_move_line_allowed_rule" model="ir.rule">
            <field name="name">Stock Move Line Allowed Access</field>
            <field name="model_id" ref="stock.model_stock_move_line"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                ['|', '|', ('location_id', 'in', user.allowed_location_ids.ids), ('location_id', 'child_of', user.allowed_location_ids.ids),
                 '|', ('location_dest_id', 'in', user.allowed_location_ids.ids), ('location_dest_id', 'child_of', user.allowed_location_ids.ids)] if user.allowed_location_ids else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- MRP Workcenter -->
        <record id="mrp_workcenter_allowed_rule" model="ir.rule">
            <field name="name">MRP Workcenter Allowed Access</field>
            <field name="model_id" ref="mrp.model_mrp_workcenter"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                [('id', 'in', user.allowed_workcenter_ids.ids)] if user.allowed_workcenter_ids else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- Approval Category -->
        <record id="approval_category_allowed_rule" model="ir.rule">
            <field name="name">Approval Category Allowed Access</field>
            <field name="model_id" ref="approvals.model_approval_category"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                [('id', 'in', user.allowed_approval_category_ids.ids)] if user.allowed_approval_category_ids else [(1, '=', 1)]
                )
            </field>
        </record>
        <!-- Report Stock Quantity -->
        <record id="report_stock_quantity_allowed_rule" model="ir.rule">
            <field name="name">Report Stock Quantity Allowed Access</field>
            <field name="model_id" ref="stock.model_report_stock_quantity"/>
            <field name="global" eval="True"/>
            <field name="domain_force">
                (
                [(1, '=', 1)] if user.env.context.get('bypass_user_restriction') or user.has_group('base.group_system') else
                [('warehouse_id', 'in', user.allowed_warehouse_ids.ids + user.sudo().allowed_location_ids.warehouse_id.ids)] if (user.allowed_warehouse_ids or user.allowed_location_ids) else [(1, '=', 1)]
                )
            </field>
        </record>
    </data>
 </odoo>