diff --git a/__manifest__.py b/__manifest__.py
index 53f1499..34b8f00 100644
--- a/__manifest__.py
+++ b/__manifest__.py
@@ -20,6 +20,7 @@
     'data': [
         'security/ir.model.access.csv',
         'security/ir_rule.xml',
+        'security/ir_actions_act_window.xml',
         'views/res_users_views.xml',
     ],
     'installable': True,
diff --git a/models/__pycache__/restricted_models.cpython-312.pyc b/models/__pycache__/restricted_models.cpython-312.pyc
index 056312a..ffa2433 100644
Binary files a/models/__pycache__/restricted_models.cpython-312.pyc and b/models/__pycache__/restricted_models.cpython-312.pyc differ
diff --git a/models/restricted_models.py b/models/restricted_models.py
index 34904e3..c16d2db 100644
--- a/models/restricted_models.py
+++ b/models/restricted_models.py
@@ -4,9 +4,9 @@ from odoo.osv import expression
 
 _logger = logging.getLogger(__name__)
 
-def get_allowed_ids(env, field_name, table_name, user_id):
+def get_allowed_ids(env, table_name, col_name, user_id):
     # Use SQL to avoid ORM recursion or self-filtering issues
-    query = f"SELECT {field_name.replace('_ids', '')}_id FROM {table_name} WHERE user_id = %s"
+    query = f"SELECT {col_name} FROM {table_name} WHERE user_id = %s"
     env.cr.execute(query, (user_id,))
     return [r[0] for r in env.cr.fetchall()]
 
@@ -16,8 +16,9 @@ class StockWarehouse(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'warehouse_ids', 'res_users_stock_warehouse_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_warehouse_rel', 'warehouse_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class StockPickingType(models.Model):
@@ -26,8 +27,9 @@ class StockPickingType(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'picking_type_ids', 'res_users_stock_picking_type_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_picking_type_rel', 'picking_type_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class StockLocation(models.Model):
@@ -36,20 +38,15 @@ class StockLocation(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'location_ids', 'res_users_stock_location_rel', self.env.user.id)
-            
-            # Robust filtering for Locations
-            # We allow:
-            # 1. Any record that is a 'parent_of' an allowed ID (to compute path names like WH/Stock)
-            # 2. Any record that is a 'child_of' an allowed ID (to allow access to bins within allowed locations)
-            # 3. Non-internal locations (Virtual/Partner) for system movements and reporting
-            restrict_domain = [
-                '|', '|',
-                ('id', 'parent_of', allowed_ids),
-                ('id', 'child_of', allowed_ids),
-                ('usage', 'not in', ['internal', 'transit'])
-            ]
-            domain = expression.AND([domain or [], restrict_domain])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_location_rel', 'location_id', self.env.user.id)
+            if allowed_ids:
+                restrict_domain = [
+                    '|', '|',
+                    ('id', 'parent_of', allowed_ids),
+                    ('id', 'child_of', allowed_ids),
+                    ('usage', 'not in', ['internal', 'transit'])
+                ]
+                domain = expression.AND([domain or [], restrict_domain])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class MrpWorkcenter(models.Model):
@@ -58,8 +55,9 @@ class MrpWorkcenter(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'workcenter_ids', 'res_users_mrp_workcenter_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_mrp_workcenter_rel', 'workcenter_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class ApprovalCategory(models.Model):
@@ -68,6 +66,18 @@ class ApprovalCategory(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            allowed_ids = get_allowed_ids(self.env, 'approval_category_ids', 'res_users_approval_category_rel', self.env.user.id)
-            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_ids:
+                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
+        return super()._search(domain, offset=offset, limit=limit, order=order)
+
+class ApprovalRequest(models.Model):
+    _inherit = 'approval.request'
+
+    @api.model
+    def _search(self, domain, offset=0, limit=None, order=None):
+        if not self.env.su and not self.env.user.has_group('base.group_system'):
+            allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
+            if allowed_category_ids:
+                domain = expression.AND([domain or [], [('category_id', 'in', allowed_category_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
diff --git a/security/ir_actions_act_window.xml b/security/ir_actions_act_window.xml
new file mode 100644
index 0000000..2144ad8
--- /dev/null
+++ b/security/ir_actions_act_window.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data>
+        <!-- Fix hardcoded Action Domain on All Approvals -->
+        <record id="approvals.approval_request_action_all" model="ir.actions.act_window">
+            <field name="domain">[]</field>
+        </record>
+    </data>
+</odoo>