HR Feature: built-in option to restrict visibility of employee attachments?
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Odoo Addons (MOVED TO GITHUB) | Confirmed | Wishlist | OpenERP R&D Addons Team 1 | |
Bug Description
We are migrating a customer from 6.0 to 6.1. I raised this issue under their OpenERP Enterprise contract [573293] but the support team have asked me to report the bug here.
In the hr.employee module *any* other employee on the system can create, read or DELETE attachments on any other employee's main page. This occurs in both Web and GTK Clients.
In my opinion an Employee should be able to read *any* attachment on their own employee record only. They should be able to remove (delete) only those attachments which they themselves added.
The HR Manager (& possibly HR User) should be able to add, read and remove attachments from any employees.
Unfortunately, I do not believe this configuration is possible currently as the domain rules do not appear to have scope beyond a single object and the employee_id doesn't match their user_id. I think to achieve this you need to be able to read the res_id of the ir.attachment object then, if the res_model is hr.employee, get the user_id of the appropriate hr.employee record to match against.
I was trying to create an Access Rule like this:
[('user_
But of course it doesn't work.
- security vulnerability: yes → no
- visibility: private → public
Hello Alan,
I'm not sure if this is a real bug or more of a specific customization that you want to add for certain companies...
You might be able to do it with a pair of Record Rules if you change your requirement to be: "employees can only see attachments that they created themselves, regardless". For example the normal employee group would have one rule to restrict access to employee attachments:

```python
['|', ('res_model', '!=', 'hr.employee'), ('user_id', '=', user.id)]
```
and the HR Manager/HR Officer groups would have a Rule that cancels the normal rule for employees:

```python
[(1, '=', 1)]
```
Now if you really need to have a special permission for your own employee attachments you probably need to extend the user model by adding an "employee_id" relationship that can be used to check for this special case:

```python
['|', ('res_model', '!=', 'hr.employee'),
 '|', ('user_id', '=', user.id), ('res_id', '=', user.employee_id.id)]
```
If the "employee_id" field was automatically computed by looking for the only employee that matches the user, it would make everything quite simple. We might add such a field in the future indeed, as there are many cases where this "reverse" relationship would be useful.
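As an added example (not code from the bug report, the reply, or OpenERP itself), here is a small evaluator for record-rule domains of the kind shown in the reply, run over constructed `ir.attachment` rows to show which attachments each rule exposes to a user. The `employee_id` field on the user is an assumption, as the reply notes it does not exist yet; the evaluator models the ORM's prefix-notation domains and OR-ing of group rules in plain Python rather than SQL.

```python
import operator

OPS = {'=': operator.eq, '!=': operator.ne}

def domain_matches(domain, record):
    """Return True if `record` (a dict of field values) satisfies an Odoo-style domain.
    Domains are prefix notation: '|' / '&' apply to the next two terms, and terms
    left without an explicit operator are AND-ed, as the ORM does."""
    stack = []
    for item in reversed(domain):          # reverse so each operator sees its operands
        if item in ('|', '&'):
            a, b = stack.pop(), stack.pop()
            stack.append((a or b) if item == '|' else (a and b))
        else:
            field, op, value = item
            # A non-string left side such as 1 in (1,'=',1) is a literal, not a field.
            left = record.get(field) if isinstance(field, str) else field
            stack.append(OPS[op](left, value))
    return all(stack)

def visible_ids(rules, user, attachments):
    """Ids a user may read: rules from the user's groups are OR-ed together,
    which is why the HR Manager rule [(1,'=',1)] cancels the employee rule."""
    domains = [rule(user) for rule in rules]
    return [a['id'] for a in attachments
            if any(domain_matches(d, a) for d in domains)]

def employee_rule(user):
    # Rule from the reply: employees see only hr.employee attachments they uploaded.
    return ['|', ('res_model', '!=', 'hr.employee'), ('user_id', '=', user['id'])]

def hr_manager_rule(user):
    return [(1, '=', 1)]                   # always true

def own_record_rule(user):
    # Extended rule from the reply; assumes a user.employee_id field (hypothetical).
    return ['|', ('res_model', '!=', 'hr.employee'),
            '|', ('user_id', '=', user['id']), ('res_id', '=', user['employee_id'])]

# Constructed sample data: attachment rows and two users (not from the page).
ATTACHMENTS = [
    {'id': 1, 'user_id': 10, 'res_model': 'hr.employee', 'res_id': 100},
    {'id': 2, 'user_id': 11, 'res_model': 'hr.employee', 'res_id': 100},
    {'id': 3, 'user_id': 11, 'res_model': 'hr.employee', 'res_id': 101},
    {'id': 4, 'user_id': 12, 'res_model': 'sale.order', 'res_id': 7},
]
ALICE = {'id': 10, 'employee_id': 100}     # plain employee, linked to employee 100
HR_BOSS = {'id': 13, 'employee_id': 102}   # member of both employee and HR groups
```

With the employee rule alone, `ALICE` sees attachments 1 and 4 (her own upload and the non-employee record); adding the HR Manager rule for `HR_BOSS` exposes all four, and the extended rule additionally lets `ALICE` read attachment 2 on her own employee record.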