access_restriction_by_user/models/restricted_models.py

import logging
from odoo import models, api
from odoo.osv import expression

_logger = logging.getLogger(__name__)

def get_allowed_ids(env, table_name, col_name, user_id):
    # Use SQL to avoid ORM recursion or self-filtering issues
    query = f"SELECT {col_name} FROM {table_name} WHERE user_id = %s"
    env.cr.execute(query, (user_id,))
    return [r[0] for r in env.cr.fetchall()]

class StockWarehouse(models.Model):
    _inherit = 'stock.warehouse'

    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if self.env.context.get('bypass_user_restriction'):
            return super()._search(domain, offset=offset, limit=limit, order=order)
        if not self.env.su and not self.env.user.has_group('base.group_system'):
            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_warehouse_rel', 'warehouse_id', self.env.user.id)
            if allowed_ids:
                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)

class StockPickingType(models.Model):
    _inherit = 'stock.picking.type'

    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if self.env.context.get('bypass_user_restriction'):
            return super()._search(domain, offset=offset, limit=limit, order=order)
        if not self.env.su and not self.env.user.has_group('base.group_system'):
            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_picking_type_rel', 'picking_type_id', self.env.user.id)
            if allowed_ids:
                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)

class StockLocation(models.Model):
    _inherit = 'stock.location'

    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if self.env.context.get('bypass_user_restriction'):
            return super()._search(domain, offset=offset, limit=limit, order=order)
        if not self.env.su and not self.env.user.has_group('base.group_system'):
            allowed_ids = get_allowed_ids(self.env, 'res_users_stock_location_rel', 'location_id', self.env.user.id)
            if allowed_ids:
                restrict_domain = [
                    '|', '|',
                    ('id', 'parent_of', allowed_ids),
                    ('id', 'child_of', allowed_ids),
                    ('usage', 'not in', ['internal', 'transit'])
                ]
                domain = expression.AND([domain or [], restrict_domain])
        return super()._search(domain, offset=offset, limit=limit, order=order)

class MrpWorkcenter(models.Model):
    _inherit = 'mrp.workcenter'

    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if self.env.context.get('bypass_user_restriction'):
            return super()._search(domain, offset=offset, limit=limit, order=order)
        if not self.env.su and not self.env.user.has_group('base.group_system'):
            allowed_ids = get_allowed_ids(self.env, 'res_users_mrp_workcenter_rel', 'workcenter_id', self.env.user.id)
            if allowed_ids:
                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)

class ApprovalCategory(models.Model):
    _inherit = 'approval.category'

    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if self.env.context.get('bypass_user_restriction'):
            return super()._search(domain, offset=offset, limit=limit, order=order)
        if not self.env.su and not self.env.user.has_group('base.group_system'):
            allowed_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
            if allowed_ids:
                domain = expression.AND([domain or [], [('id', 'in', allowed_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)

class ApprovalRequest(models.Model):
    _inherit = 'approval.request'

    @api.model
    def _search(self, domain, offset=0, limit=None, order=None):
        if self.env.context.get('bypass_user_restriction'):
            return super()._search(domain, offset=offset, limit=limit, order=order)
        if not self.env.su and not self.env.user.has_group('base.group_system'):
            allowed_category_ids = get_allowed_ids(self.env, 'res_users_approval_category_rel', 'category_id', self.env.user.id)
            if allowed_category_ids:
                domain = expression.AND([domain or [], [('category_id', 'in', allowed_category_ids)]])
        return super()._search(domain, offset=offset, limit=limit, order=order)