From fc3bb1bfef0e2f312bc88625fe5a10805b13ca80 Mon Sep 17 00:00:00 2001
From: Suherdy Yacob <suherdy.yacob@mapan.co.id>
Date: Thu, 28 May 2026 17:09:08 +0700
Subject: [PATCH] refactor: move record rule definitions from _register_hook to
 XML and add product dependency

---
 __manifest__.py                               |   2 +-
 .../__pycache__/hr_employee.cpython-312.pyc   | Bin 7324 -> 5212 bytes
 models/hr_employee.py                         |  48 ------------------
 security/hr_security.xml                      |  12 +++++
 4 files changed, 13 insertions(+), 49 deletions(-)

diff --git a/__manifest__.py b/__manifest__.py
index 9766418..1c64679 100644
--- a/__manifest__.py
+++ b/__manifest__.py
@@ -8,7 +8,7 @@
         It allows an employee to be associated with multiple branch companies.
     """,
     'author': 'Suherdy Yacob',
-    'depends': ['hr', 'pos_hr', 'hr_attendance'],
+    'depends': ['hr', 'pos_hr', 'hr_attendance', 'product'],
     'data': [
         'security/hr_security.xml',
         'security/hr_attendance_security.xml',
diff --git a/models/__pycache__/hr_employee.cpython-312.pyc b/models/__pycache__/hr_employee.cpython-312.pyc
index cc5ba1dae6c9e82a8a148a10760e4488890af4bc..dbabc2200466cf1b1dda596d61a672b6fe38ffc0 100644
GIT binary patch
delta 252
zcmbPZc}IiqG%qg~0}!+dOJrT=o5**V)qs(Kp?&gyDeK9Cj5lS)IvCOzQ$$-hSA$dm
zL6lGjLj_}$a4>_W_-1{kCw$zR%tcH<2|qtgk;&4Mt0$k9G+;bB`H$owwl7SQtWk`U
z??@fB@dc_V@&gh6AR+)nuz-j_5TOntlt6?$h>!yjkuV~0@?B|T#>mNnGP*$0UPjg_
z7AOUDB}1_RkodsN$jEq~LH#m=`WKc6M#d<{31ZV_Cdzza0CT?7FmW)lO(>gQGqL6?
J1CR-}0ss$WIfVcK

delta 2053
zcmah~&2Jk;6rb_>+nem#PU3tuapEF-+hSUxHcCHI5N(8jCP8o@De2;RH}$5DH=1>*
zYi;Br71cSQ##$jufKU+!Dun}xGZ#=RBo3_OAUjqOJ@gN-Xs8Mj5;GfnQ<t`k<lnw|
z^XC12^WJ#(PUN$(_Mh9@+yIZ<Ux9@OeTDWPZSOz;u4&)<j%i-F6$s?PJQO;wy4Fb)
z9<x5ty)dlFFc9dv>NLInJjlS=j<*2U{hh;duYEj@)0o4GEeikc@5A^pEP}MTwCYyD
zM>YVOnIKTXf>rz0?bo&`f4=|)%h%MpWhZ_Gst~;>SXV46TySdjwhs5jQ2@{oo_e%`
ztuNeWCN>ShrdlMp-q6#U|EOSZ$xo>i&hJ>Us?>th%wQU-wLwQclg|2dI%f-=O|@Y<
z*NR=WJ(14dptC)b&i-^dcMF|Ebr^I`)$v3+XM@hML&rV2n9fJ(T%=t_>7QfFGMR?p
zxnLH4#ihCyytqldIS4L;5J>x)aeD!xAeh14OCUqdfJ>00C$pXBV~Q9>qQWo5P&y?d
z9xW%u2@ckLC?+W)FU|8QInB?@%PAo%pAD<w13?2K;pPq{5kn$zpTIB?ODZCFAgIX{
zog+>hC8pB6JdY=Fd2uP0y39+0f<q$V-FfTwxf(6Vi!mvMc~M-<4kl1Efp~FoDJfqT
zMSf}dd{T<@WV@j^TY5y;u0*V1IQL&3Db*?^xIcK-kUeLJY6zBu=(2+AAqh=wWEzzO
zBj_=&sSNMh-A`h3_?S=0GnXAOtKX~yslIv6Y}?t$p+;Q~adX+8B_s>W@pQED+${h{
zAr3b>YZ*E*!MRZvwrlM?5-&(OC5;b}kmZXA|A|43LgGA{!WQZ#u#fociWo!j1nMCZ
z*Xc}LTuMuFiu0ge;;|A@HAY6#1t}Fv@;j}mc?_*Pt*CiZ;-$tyqdPU)SkE<1R`Wd)
z(e&+vG)~hJ(e!mJO3Gp^9Z!gYSr!HD!Lk$&hM+mFpaDEb(-^WnucFh9s}ju_RWOS%
zM|OUQUsDgSfP2oiRY%D=u;~m|8UOXnYUaASs_OkCKiTqXnVHO6w>(VU2?nPv`6(Px
zVS*(lcw=gV8L6@zMOVS4c`EEsi5<Ez{>@2!_?1oe)ZMP$Vxo{JCJRYDbV{E&ms?Ag
zyZF3k%hOf2fT1*{(|f8+Z-oh$n6SS8_y%*l%Jx;*V2KTu+2INsDY228QT^!aI`_sV
zd#2tFy8DZnLZ+w|RDCZ=xu%u_e4gI&1nv$U)aijL(^p|4B_^UD7~f#Vt8D*{sxlj@
zusN>8ayQ5IV`ubzlbh^R-QAM!r2h5{$v11{!;8a*{x9R>3GG&ww;Bq6HTK2Wm&Yoh
z!==z+eRN7cGF=Y6snah9t8}nJkCy1sU+J-jcbM)!0Cah`Xtqw_=idr>LEY*+IAI63
z?XC$Qb=wOu;tNeaN0XCWr}ltdx1ee5bMFZJP22GPFi^Mj*k)n<2(Y`Z&3rI(-|~XZ
zd!GV!W}8^rC%#+9NuSX<0z85D2#^mXiV+AC7$z`Cz_>XQu?Q5jPyHiM(thzjkMSS>
zo|hJ}mwefjC<ZJW!rwu-48q&i*DTPx)>Z5;^lt-VZ@+7GLi^hLq*;FgY#Idr0>Pdy
AHvj+t

diff --git a/models/hr_employee.py b/models/hr_employee.py
index ba5a631..01d63c0 100644
--- a/models/hr_employee.py
+++ b/models/hr_employee.py
@@ -90,55 +90,7 @@ class HrEmployee(models.Model):
             domain = replace_company_leaf(domain)
         return super()._search(domain, offset=offset, limit=limit, order=order, **kwargs)
 
-    @api.model
-    def _register_hook(self):
-        super()._register_hook()
-        rule = self.env.ref('base.res_partner_rule', raise_if_not_found=False)
-        if rule:
-            # Revert res_partner_rule to standard Odoo 19 domain.
-            # The custom override traversed `employee_ids` (hr.employee relation), which throws AccessError
-            # for portal/public/new/guest users who do not have access to the hr.employee model.
-            original_domain = "['|', '|', ('partner_share', '=', False), ('company_id', 'parent_of', company_ids), ('company_id', '=', False)]"
-            if rule.domain_force != original_domain:
-                rule.sudo().write({'domain_force': original_domain})
 
-        rule_public = self.env.ref('hr.hr_employee_public_comp_rule', raise_if_not_found=False)
-        if rule_public:
-            new_domain_public = "['|', '|', '|', '|', ('company_ids', 'in', company_ids), ('company_id', 'in', company_ids + [False]), ('parent_id.user_id', '=', user.id), ('id', '=', user.employee_id.parent_id.id), ('user_id', '=', user.id)]"
-            if rule_public.domain_force != new_domain_public:
-                rule_public.sudo().write({'domain_force': new_domain_public})
-
-        # Allow branch users to read the parent company (OT) record.
-        # This is needed because POS payment methods and journals reference
-        # the parent company via Many2one fields (parent_company_id).
-        # Standard rule: [('id','in', company_ids)]
-        # New rule: also include parent companies (child_of reverses to include parents)
-        rule_company = self.env.ref('base.res_company_rule_employee', raise_if_not_found=False)
-        if rule_company:
-            # Allow all employees to read all companies since payment methods and products are shared globally
-            new_domain_company = "[(1, '=', 1)]"
-            if rule_company.domain_force != new_domain_company:
-                rule_company.sudo().write({'domain_force': new_domain_company})
-
-        # Allow POS users to bypass product multi-company restrictions.
-        # Products are shared across branches in the POS UI, but the standard product_comp_rule
-        # throws AccessError during checkout if the product belongs to a parent company.
-        rule_product = self.env.ref('product.product_comp_rule', raise_if_not_found=False)
-        if rule_product:
-            # Add a global bypass for POS users (we check if user has point_of_sale.group_pos_user via id check or we just allow it generally)
-            # Since domain_force runs dynamically, and Odoo domains don't support `user.has_group()`, 
-            # we just append a global bypass for all shared products by evaluating 'company_id' in a broader list of parent companies
-            # Actually, the most robust way without breaking standard Odoo is just to allow global access to products
-            new_domain_product = "[(1, '=', 1)]"
-            if rule_product.domain_force != new_domain_product:
-                rule_product.sudo().write({'domain_force': new_domain_product})
-
-        # Proactively synchronize company_ids for all existing employees to cure current mismatches
-        try:
-            mismatched_employees = self.sudo().search([('user_id', '!=', False)])
-            mismatched_employees._sync_user_company_ids()
-        except Exception:
-            pass
 
 
 
diff --git a/security/hr_security.xml b/security/hr_security.xml
index 44203f2..d2bf101 100644
--- a/security/hr_security.xml
+++ b/security/hr_security.xml
@@ -14,5 +14,17 @@
             <field name="global" eval="True"/>
             <field name="domain_force">['|', '|', '|', '|', ('company_ids', 'in', company_ids), ('company_id', 'in', company_ids + [False]), ('parent_id.user_id', '=', user.id), ('id', '=', user.employee_id.parent_id.id), ('user_id', '=', user.id)]</field>
         </record>
+
+        <record id="base.res_partner_rule" model="ir.rule">
+            <field name="domain_force">['|', '|', ('partner_share', '=', False), ('company_id', 'parent_of', company_ids), ('company_id', '=', False)]</field>
+        </record>
+
+        <record id="base.res_company_rule_employee" model="ir.rule">
+            <field name="domain_force">[(1, '=', 1)]</field>
+        </record>
+
+        <record id="product.product_comp_rule" model="ir.rule">
+            <field name="domain_force">[(1, '=', 1)]</field>
+        </record>
     </data>
 </odoo>