fix: restrict journal access enforcement to write, create, and delete operations to prevent read errors

2026-06-17 14:19:04 +07:00 · 2026-06-17 14:19:04 +07:00 · 2ba3ca12eb
commit 2ba3ca12eb
parent eceeef248d
1 changed files with 11 additions and 6 deletions
--- a/models/account_journal.py
+++ b/models/account_journal.py
@ -40,7 +40,7 @@ class AccountJournal(models.Model):
    def check_access_rule(self, operation):
        """
        Overridden to bypass multi-company record rules for allowed journals,
-        and enforce the allowed journals restriction for all operations.
+        and enforce the allowed journals restriction for write, create, and delete operations.
        """
        if self.env.su:
            return super(AccountJournal, self).check_access_rule(operation)
@ -48,11 +48,16 @@ class AccountJournal(models.Model):
        user = self.env.user
        allowed_journals = user.sudo().allowed_journal_ids
        if allowed_journals:
-            # Enforce restriction: all records in self MUST be in allowed_journal_ids
-            if not all(j.id in allowed_journals.ids for j in self):
-                raise AccessError(_("You do not have access to this journal."))
-            # If all records in self are allowed, bypass standard record rules
-            return
+            # Enforce restriction for write, create, and delete operations.
+            # Read operations are allowed to prevent access errors when loading
+            # documents (payments/moves) referencing other journals.
+            if operation in ('write', 'create', 'unlink'):
+                if not all(j.id in allowed_journals.ids for j in self):
+                    raise AccessError(_("You do not have access to this journal."))
+            
+            # If all records in self are allowed, bypass standard record rules.
+            if all(j.id in allowed_journals.ids for j in self):
+                return

        return super(AccountJournal, self).check_access_rule(operation)