feat: Introduce permissive ir.rules and SQL-based ID retrieval for access restrictions, improving stock location visibility and adding stock_account dependency.

__manifest__.py

@@ -16,8 +16,10 @@
     """,
     'category': 'Extra Tools',
     'author': 'Suherdy Yacob',
-    'depends': ['base', 'stock', 'mrp', 'approvals'],
+    'depends': ['base', 'stock', 'mrp', 'approvals', 'stock_account'],
     'data': [
+        'security/ir.model.access.csv',
+        'security/ir_rule.xml',
         'views/res_users_views.xml',
     ],
     'installable': True,

models/restricted_models.py

@@ -1,13 +1,23 @@
+import logging
 from odoo import models, api
 from odoo.osv import expression
 
+_logger = logging.getLogger(__name__)
+
+def get_allowed_ids(env, field_name, table_name, user_id):
+    # Use SQL to avoid ORM recursion or self-filtering issues
+    query = f"SELECT {field_name.replace('_ids', '')}_id FROM {table_name} WHERE user_id = %s"
+    env.cr.execute(query, (user_id,))
+    return [r[0] for r in env.cr.fetchall()]
+
 class StockWarehouse(models.Model):
     _inherit = 'stock.warehouse'
 
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_warehouse_ids.ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'warehouse_ids', 'res_users_stock_warehouse_rel', self.env.user.id)
+            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class StockPickingType(models.Model):
@@ -16,7 +26,8 @@ class StockPickingType(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_picking_type_ids.ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'picking_type_ids', 'res_users_stock_picking_type_rel', self.env.user.id)
+            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class StockLocation(models.Model):
@@ -25,7 +36,20 @@ class StockLocation(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_location_ids.ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'location_ids', 'res_users_stock_location_rel', self.env.user.id)
+            
+            # Robust filtering for Locations
+            # We allow:
+            # 1. Any record that is a 'parent_of' an allowed ID (to compute path names like WH/Stock)
+            # 2. Any record that is a 'child_of' an allowed ID (to allow access to bins within allowed locations)
+            # 3. Non-internal locations (Virtual/Partner) for system movements and reporting
+            restrict_domain = [
+                '|', '|',
+                ('id', 'parent_of', allowed_ids),
+                ('id', 'child_of', allowed_ids),
+                ('usage', 'not in', ['internal', 'transit'])
+            ]
+            domain = expression.AND([domain or [], restrict_domain])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class MrpWorkcenter(models.Model):
@@ -34,7 +58,8 @@ class MrpWorkcenter(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_workcenter_ids.ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'workcenter_ids', 'res_users_mrp_workcenter_rel', self.env.user.id)
+            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)
 
 class ApprovalCategory(models.Model):
@@ -43,5 +68,6 @@ class ApprovalCategory(models.Model):
     @api.model
     def _search(self, domain, offset=0, limit=None, order=None):
         if not self.env.su and not self.env.user.has_group('base.group_system'):
-            domain = expression.AND([domain or [], [('id', 'in', self.env.user.allowed_approval_category_ids.ids)]])
+            allowed_ids = get_allowed_ids(self.env, 'approval_category_ids', 'res_users_approval_category_rel', self.env.user.id)
+            domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
         return super()._search(domain, offset=offset, limit=limit, order=order)

security/ir.model.access.csv

@@ -0,0 +1,2 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_stock_valuation_layer_internal_user,stock.valuation.layer.internal.user,stock_account.model_stock_valuation_layer,base.group_user,1,0,0,0

security/ir_rule.xml

@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data>
+        <!-- Permissive Rules to allow Read access, avoiding Access Errors.
+             Actual visibility restriction is handled by _search method in models/restricted_models.py. -->
+
+        <record id="stock_warehouse_permissive_rule" model="ir.rule">
+            <field name="name">Stock Warehouse Permissive Access</field>
+            <field name="model_id" ref="stock.model_stock_warehouse"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <record id="stock_picking_type_permissive_rule" model="ir.rule">
+            <field name="name">Stock Picking Type Permissive Access</field>
+            <field name="model_id" ref="stock.model_stock_picking_type"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <record id="stock_location_permissive_rule" model="ir.rule">
+            <field name="name">Stock Location Permissive Access</field>
+            <field name="model_id" ref="stock.model_stock_location"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <record id="mrp_workcenter_permissive_rule" model="ir.rule">
+            <field name="name">MRP Workcenter Permissive Access</field>
+            <field name="model_id" ref="mrp.model_mrp_workcenter"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <record id="approval_category_permissive_rule" model="ir.rule">
+            <field name="name">Approval Category Permissive Access</field>
+            <field name="model_id" ref="approvals.model_approval_category"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <!-- New rules to satisfy Inventory Reporting requirements -->
+        <record id="stock_valuation_layer_permissive_rule" model="ir.rule">
+            <field name="name">Stock Valuation Layer Permissive Access</field>
+            <field name="model_id" ref="stock_account.model_stock_valuation_layer"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <record id="stock_quant_permissive_rule" model="ir.rule">
+            <field name="name">Stock Quant Permissive Access</field>
+            <field name="model_id" ref="stock.model_stock_quant"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <record id="approval_request_permissive_rule" model="ir.rule">
+            <field name="name">Approval Request Permissive Access</field>
+            <field name="model_id" ref="approvals.model_approval_request"/>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+    </data>
+</odoo>