From c70ce3d70e4f8016c80c6004d6636785a74b062c Mon Sep 17 00:00:00 2001
From: Suherdy Yacob <suherdy.yacob@mapan.co.id>
Date: Fri, 29 May 2026 11:22:28 +0700
Subject: [PATCH] feat: add multi-company access support for POS sessions and
 employees by overriding partner security rules and load methods

---
 models/__init__.py                            |   1 +
 models/__pycache__/__init__.cpython-312.pyc   | Bin 292 -> 327 bytes
 .../__pycache__/hr_employee.cpython-312.pyc   | Bin 5212 -> 7288 bytes
 models/hr_employee.py                         |  34 ++++++++++++++++++
 models/pos_session.py                         |  22 ++++++++++++
 security/hr_security.xml                      |   6 +++-
 6 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 models/pos_session.py

diff --git a/models/__init__.py b/models/__init__.py
index ab87c94..26e4cbc 100644
--- a/models/__init__.py
+++ b/models/__init__.py
@@ -1,3 +1,4 @@
 from . import hr_employee
 from . import pos_config
+from . import pos_session
 from . import res_users
diff --git a/models/__pycache__/__init__.cpython-312.pyc b/models/__pycache__/__init__.cpython-312.pyc
index e5fbc03f6a0ad96ddae3f9b6d743ff311ab7818c..459921e65cafb545fe3472fcc8508673df00f2eb 100644
GIT binary patch
delta 133
zcmZ3&bexIzG%qg~0}yx$OJ=1`<dtMJnW(NQkiw9{lEaY862-#EP|2#vHZeq1pSvKx
zIKDWwxHvOEPm}Q$XHjZ#d}(oNQL&#U>n(;NW}qQOEFgjvM6gYqQlQKYWHAD9u^^E6
Yz|6?Vc$Y!)E`tP+yvHD3#0eAy03pyF;s5{u

delta 98
zcmX@kw1kQGG%qg~0}v$r6wmUW$ScXHF;QKUrIJOHbz*|5G-pw2aeQfUYEiMDCd(~`
sB4(h<A{G$AI&n*Z0!Sw#5Et_Si4V+-jEr{~B=0gv++z?g;s6Q(0D=b<fB*mh

diff --git a/models/__pycache__/hr_employee.cpython-312.pyc b/models/__pycache__/hr_employee.cpython-312.pyc
index dbabc2200466cf1b1dda596d61a672b6fe38ffc0..4c07b77c523f9b69bdd79c5f2e3bf688a3417dba 100644
GIT binary patch
delta 2281
zcmZ`(TWs6b89s*>iK4HvVoQl{r&StRaiF?zY7}YUpmEZrz>u|dFe5?>juww?x)iA%
z%61$`QHlkq4HT#iZm_okL)NDZ?n45<WDmpI0)6U>nP8L0ZdlNlc5hme4c&kO`;ROo
zPOu)3KY#xB%SZlo=)0HNziew$5u8)8gY##)*V_}vFTvXeGLV5Sl;uys!g(Pp<i)I*
zm$Fh`&dL}G=tsy9uOUOC!hEZ@F2~kCjI`IKGDt&@rAmvkjML$N@GR%oe>);yzzDtX
z{h{k+FN**2N_+*)V59q5WQ!ZX$#zk7{@Fc#KQ(%;p+`2c6?6$_4@{zTVmmB+E8xNH
zn&e`f@{G{O__^(H_<M|px8=yBfXB8kw%ix-+3g>9yoK>;?{}T2&*a2?p=IFt`-87}
zWx@t3p?Tn*KC8l3Ls}L~cwU62dz0MvsZ$aS{E4t7?1{^gH`3mtt_aYjcum>Do}(TL
zm1T&~0uc_qRSuOxXV8b?oM57y@V0_bIa~@G(n0Vqg+1W|RYGM2WYQV*b^)}JQlz1k
z7ZFnoxvUx?kcCfzhdtiZuJXOyQe)mtHP!=$A~&?jK6QIjU8$=TPzy$+td>+TQhBtJ
z(lqDQ7%lahB1Y@~(X};n?OgW(lTb;TgnlsG<?s?pcPxAa)BDLHWy~}vDLRBv-5@ky
zu$;;=rNq#SIvFzUoV8$>_AFU)*gIOzv5R`HsF?<N9vs|EL1#sqvb0JXXUQzi5qH6G
zhSJ1!NKSX>Ov=cDOPNcS<{X#S`Ap8q7j%0WBDutHsB5Q+WG@*dmEs(I6tG?qFQ}0!
z<&wv~;L06mX_4rA4d}TXbzK5&IgB_qapBE`r&FMI=26fKb9Ap&9+=Ub!=MbEQKDNg
zhKjLFW=yL{88yiCGSMtYH?)G|YJ4b~;pBDGCew7rVUO$7VUUY_P;=mRjQ8G{g6R@h
zpP}UItG^&iGzCc<+ggUKmVSxbL$l4^2wSjdMjdSq^VKvCB%VCCAO9T5F}NQ9`p_@&
z23p1Qh+`+-z&MB>9r$*nI<BVG6yRzSv2M_%<>0_9a~2BquJXFA&r$}vV9$e+rGW%(
zx@Bp5Hn5{W1d<j45!Mle00uMWtjp7pt84%s|5Z*}dVbo_$1jhZV`n*vV6>ShCs)xp
z#xf@@C#PHPI52xI??3=|2*`I=(PpTc81)mQ)x?;e7`vVP<M8i?t0yM?6O+{wQ~rsm
zoy62t#0J5*UTY9;6d%aCkvHu?)i~5N=2#STrfueRD+uqwu)+elp_$fM&M|19XiZKm
zfVZRpO)Ek7lZ9(DCbbNgB_M4e@g@SL2@v)s7xn@Ko1t7yw*fAut<3@YsS$MR#-eWL
zXvNT)Xy&*N4m9d}LYi)2hj_$r1D5Op?^WWWR-PGVSchxS@_21-(A^B|Hml$T1k!Xt
zqd^zY0t}_nG~$~c;SnW1C$|MyLVngnU45ZJ?5Pp(+?NM_aJTi<Y7odh23Unf);dvF
zPc=I1M~82`dN(?{61rE34{VgyOWu`g{HPy4dSmRiyc0iqH$J}7y4%xV?K$H29Qmqs
z>VYW4)o;|c)nrXZkpndaJu_4#6F!-^OU~{n{kt!}{^$NTZXVw>t{?x^{Efr@KxU`^
zjUD9>(0hr)_fcEqHN0|ew<EqOtzNm_>vtU6jgvKLw~`)NQ#SkVbROA_9^5><K5%`k
znmpwvPgRo>K3vfWuv?e*DaZZfcr|(2hbwxzuDr)1-6Mxr&aF-Pt^K>n7jMqpF5a^J
z<k?S6KlwVyvwkbt9em;D(Cy>5GXCHzpFZago&)($Gk041YQ4O=+5qb8+fjP|b3cg&
z-o$PQ2KU*Kwuxg>T4emQI)6Uh?ftuROJI5LH_=Rp@8A8KcPIM!KutI(XL0Q%6pFlm
z@x6=x6o}mSKt!RAhn(|%-Sx#u8?2eb3I9c~cRAq^7~>?x$+Mi)KO_G6vdc~KbMK?r
zXa|2yM}ja1uw_nre~P8>W$*h~|3n2e{Ac980Hh{jjK4zde@CgiDD_Y(VcfUYv(dNS
X_YiUZ;T2KAp|wT6^?xB?>lyzC&Uce|

delta 371
zcmexiaYuviG%qg~0}!+dOJrT=o5&}jQvl>mXGmd4Va#F3WsG9XWr||TWsYLbWr<>8
zWME=&XGmdcVMt+4Wz6E57$wcm1{Pug3b8_jWH>9?G}&K*Or5yOfYpGJfuVi!1u5&v
zQj9lc#X1<$7*j-BI9G$@fgnn#gQ0>kN;sH7Q+%@t(+eg>xy`by#f*$<lP9t*VpQ2|
z!v2?$QERgiXD}0^>E<@>Pt1%in=AQa7#STWUlVZR)?_YX0-EFJrztY|jl}B7b0oFd
zn1KStM<<_^JjC{eNs={+aq?QJqf)*=(IP((;SVALKm-ej2%Ov_Ex{EDVuFao$?K$z
z*+DEnO^(SQq}3TCCril4I>iD-fSzF}HUJVIm>C%v?=z@hW>Eja62S-zs0m`zWhTme
cVE}W!)G%={vP~$PUNf=gD+7>OBoEXC0DuHm8~^|S

diff --git a/models/hr_employee.py b/models/hr_employee.py
index 01d63c0..252478d 100644
--- a/models/hr_employee.py
+++ b/models/hr_employee.py
@@ -1,3 +1,4 @@
+import hashlib
 from odoo import models, fields, api, _
 
 class HrEmployee(models.Model):
@@ -91,7 +92,40 @@ class HrEmployee(models.Model):
         return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
 
+    @api.model
+    def _load_pos_data_read(self, records, config):
+        """Override to read employee data (including work_contact_id / res.partner)
+        with sudo() so cashier users whose user.company_ids doesn't include the
+        employee partner's company_id don't get a read access error on session open.
+        The employee records are already filtered by _load_pos_data_domain before
+        arriving here, so sudo() is safe — we're only relaxing the partner rule.
+        """
+        fields = self._load_pos_data_fields(config)
+        # Read with sudo to bypass res.partner multi-company rule for work_contact_id
+        read_records = records.sudo().read(fields, load=False)
+        manager_ids = records.filtered(
+            lambda emp: config.group_pos_manager_id.id in emp.user_id.all_group_ids.ids
+        ).ids
 
+        employees_barcode_pin = records.get_barcodes_and_pin_hashed()
+        bp_per_employee_id = {bp_e['id']: bp_e for bp_e in employees_barcode_pin}
+
+        for employee in read_records:
+            if employee['id'] in manager_ids:
+                role = 'manager'
+                employee['_user_role'] = 'admin'
+            elif employee['id'] in config.advanced_employee_ids.ids:
+                role = 'manager'
+            elif employee['id'] in config.minimal_employee_ids.ids:
+                role = 'minimal'
+            else:
+                role = 'cashier'
+
+            employee['_role'] = role
+            employee['_barcode'] = bp_per_employee_id[employee['id']]['barcode']
+            employee['_pin'] = bp_per_employee_id[employee['id']]['pin']
+
+        return read_records
 
 
 class HrEmployeePublic(models.Model):
diff --git a/models/pos_session.py b/models/pos_session.py
new file mode 100644
index 0000000..24287c8
--- /dev/null
+++ b/models/pos_session.py
@@ -0,0 +1,22 @@
+from odoo import models
+
+
+class PosSession(models.Model):
+    _inherit = 'pos.session'
+
+    def _get_message_author(self):
+        """Override to read employee partner with sudo() to avoid res.partner
+        access errors when the cashier's allowed companies don't include the
+        company_id set on work_contact_id (caused by hr_multi_company_employee
+        assigning employees to branch companies).
+        """
+        if not self.employee_id:
+            return None
+
+        # Use sudo() to bypass multi-company partner rule when reading
+        # the employee's work_contact_id or user partner for message posting.
+        employee = self.employee_id.sudo()
+        if related_partners := employee._get_related_partners():
+            return related_partners[0]
+
+        return self.sudo().user_id.partner_id
diff --git a/security/hr_security.xml b/security/hr_security.xml
index d2bf101..6b6e66f 100644
--- a/security/hr_security.xml
+++ b/security/hr_security.xml
@@ -16,7 +16,11 @@
         </record>
 
         <record id="base.res_partner_rule" model="ir.rule">
-            <field name="domain_force">['|', '|', ('partner_share', '=', False), ('company_id', 'parent_of', company_ids), ('company_id', '=', False)]</field>
+            <!-- Override: allow access if company_id is in ANY of the user's allowed companies
+                 (user.company_ids), not only the currently active session companies (company_ids).
+                 This fixes the "read access to res.partner" error when viewing employees whose
+                 partner belongs to a non-active but permitted company. -->
+            <field name="domain_force">['|', '|', '|', ('partner_share', '=', False), ('company_id', 'parent_of', company_ids), ('company_id', 'in', user.company_ids.ids), ('company_id', '=', False)]</field>
         </record>
 
         <record id="base.res_company_rule_employee" model="ir.rule">