From 2ba3ca12eb375b367e7f66c6f70d54afc0ab2b8a Mon Sep 17 00:00:00 2001
From: Suherdy Yacob
Date: Wed, 17 Jun 2026 14:19:04 +0700
Subject: [PATCH] fix: restrict journal access enforcement to write, create, and delete operations to prevent read errors
---
 models/account_journal.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/models/account_journal.py b/models/account_journal.py
index ae6faf1..5dfe845 100644
--- a/models/account_journal.py
+++ b/models/account_journal.py
@@ -40,7 +40,7 @@ class AccountJournal(models.Model):
 def check_access_rule(self, operation):
 """
 Overridden to bypass multi-company record rules for allowed journals,
- and enforce the allowed journals restriction for all operations.
+ and enforce the allowed journals restriction for write, create, and delete operations.
 """
 if self.env.su:
 return super(AccountJournal, self).check_access_rule(operation)
@@ -48,11 +48,16 @@ class AccountJournal(models.Model):
 user = self.env.user
 allowed_journals = user.sudo().allowed_journal_ids
 if allowed_journals:
- # Enforce restriction: all records in self MUST be in allowed_journal_ids
- if not all(j.id in allowed_journals.ids for j in self):
- raise AccessError(_("You do not have access to this journal."))
- # If all records in self are allowed, bypass standard record rules
- return
+ # Enforce restriction for write, create, and delete operations.
+ # Read operations are allowed to prevent access errors when loading
+ # documents (payments/moves) referencing other journals.
+ if operation in ('write', 'create', 'unlink'):
+ if not all(j.id in allowed_journals.ids for j in self):
+ raise AccessError(_("You do not have access to this journal."))
+
+ # If all records in self are allowed, bypass standard record rules.
+ if all(j.id in allowed_journals.ids for j in self):
+ return
 return super(AccountJournal, self).check_access_rule(operation)
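Review bot: In the second hunk, a `read` on journals outside `allowed_journal_ids` no longer raises and falls through to `super(AccountJournal, self).check_access_rule(operation)`, so the allow-list stops being a read boundary and only the standard record rules decide what a restricted user can open. Those rules are not visible here, so it is worth confirming they still hide journals the user should not browse directly, and adding a test that such a user can load a move on a foreign journal but gets `AccessError` on `write` and `unlink` of that journal. The membership test is now evaluated twice and rebuilds `allowed_journals.ids` for every record; computing `is_allowed = set(self.ids) <= set(allowed_journals.ids)` once and using it for both the raise and the early `return` keeps the two checks from drifting apart. The docstring in the first hunk could state the read path explicitly, e.g. `Reads of journals outside the list fall back to the standard record rules.` Indentation is lost on this page and one line between the two hunks is not shown, so the nesting assumed here (the early `return` sitting inside `if allowed_journals:`) is inferred.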