feat: override check_access_rule to enforce custom journal restrictions and bypass multi-company record rules

models/account_journal.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 from odoo import api, fields, models, _
-from odoo.exceptions import UserError
+from odoo.exceptions import UserError, AccessError
 
 class AccountJournal(models.Model):
     _inherit = 'account.journal'
@@ -32,9 +32,30 @@ class AccountJournal(models.Model):
             if not bypass:
                 allowed_ids = user.sudo().allowed_journal_ids.ids
                 domain = [('id', 'in', allowed_ids)] + list(domain)
+                # Run the search as sudo to bypass standard multi-company rules
+                return self.sudo()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
                  
         return super(AccountJournal, self)._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
+    def check_access_rule(self, operation):
+        """
+        Overridden to bypass multi-company record rules for allowed journals,
+        and enforce the allowed journals restriction for all operations.
+        """
+        if self.env.su:
+            return super(AccountJournal, self).check_access_rule(operation)
+
+        user = self.env.user
+        allowed_journals = user.sudo().allowed_journal_ids
+        if allowed_journals:
+            # Enforce restriction: all records in self MUST be in allowed_journal_ids
+            if not all(j.id in allowed_journals.ids for j in self):
+                raise AccessError(_("You do not have access to this journal."))
+            # If all records in self are allowed, bypass standard record rules
+            return
+
+        return super(AccountJournal, self).check_access_rule(operation)
+
     def write(self, vals):
         """
         Restrict write access to allowed journals only.