Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Odoo 12 Development Essentials

You're reading from   Odoo 12 Development Essentials Fast-track your Odoo development skills to build powerful business applications

Arrow left icon
Product type Paperback
Published in Dec 2018
Publisher Packt
ISBN-13 9781789532470
Length 404 pages
Edition 4th Edition
Languages
Tools
Concepts
Arrow right icon
Author (1):
Arrow left icon
Daniel Reis Daniel Reis
Author Profile Icon Daniel Reis
Daniel Reis
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Quick Start Using the Developer Mode FREE CHAPTER 2. Preparing the Development Environment 3. Your First Odoo Application 4. Extending Modules 5. Import, Export, and Module Data 6. Models – Structuring the Application Data 7. Recordsets – Working with Model Data 8. Business Logic – Supporting Business Processes 9. External API – Integrating with Other Systems 10. Backend Views – Designing the User Interface 11. Kanban Views and Client-Side QWeb 12. Reports and Server-Side QWeb 13. Creating Website Frontend Features 14. Deploying and Maintaining Production Instances 15. Assessments 16. Other Books You May Enjoy

Configuring access control security

Odoo includes built-in access control mechanisms. A user will only be able to use the features he was granted access to. This means that the library features we created are not accessible by regular users, even the admin user.

Changes in Odoo 12
The admin user is now subject to access control like all other users. In previous Odoo versions, the admin user was special, and bypassed security rules. This is no longer true, and we need to grant access privileges to be able to access Model data.

The central pieces for access security are the security groups, where the access rules are defined. Access for each user will depend on the groups he belongs to. For our project, we will create a to-do user group, to be assigned to the users we want to have access to this feature.

We give a group read or write access to particular Models using ACL. For our project, we need to add read and write access to the newly created to-do item model.

Furthermore, we can also set access rules for the record ranges users can access in a particular Model. For our project, we want the To-do Items to be private for each user, so to-do users should only be able to access the records created by themselves. This is done using the security record rules.

Security groups

Access control is based on groups. A security group is given access to Models, and this will determine the menu items available to the users belonging to that group. For more fine-grained control, we can also give access to specific menu Items, views, fields, and even data records (with Record Rules).

The security groups are also organized around apps, and typically each app provides at least two groups: Users, capable of performing the daily tasks, and Manager, able to perform all configurations for that app.

Let's create a new security group. In the Settings top menu, navigate to Users & Companies | Groups. Create a new record using the following values:

  • Application: Leave empty
  • Name: To-do User
  • Inherited tab: Add the User types / Internal User item

This is how it should look like:

The to-do app is not available yet in the Application selection list, so we added it directly from the Group form.

We also made it inherit the Internal User group. This means that members of this group will also be made members of the Inherited groups (recursively), effectively having the permissions granted to all of them. Internal User is the basic access group, and app security groups usually inherit it.

Changes in Odoo 12
Before Odoo 12, the Internal User group was called Employee. This was just a cosmetic change, and the technical identifier (XML Id) is still the same as in previous versions: base.group_user.

Security access control lists

Now, we can grant access to specific Models to the Group / To-do User. We can use the Access Rights tab of the Groups form for this. Add an item there, using these values:

  • Name: To-do Item User Access
  • Object: Select To-do Item from the list
  • Read Access, Write Access, Create Access, and Delete Access: Checked

Model access can also be managed from the Technical | Security | Access Rights menu item.

We don't need to add access to the Partner Model because the Group is inheriting the Internal Users group, which already has access to it.

We can now try these new security settings, by adding our admin user to this new Group:

  1. Select the Users & Companies | Users menu item, select the Mitchell Admin user from the list, and Edit the form:
  1. In the Access Rights tab, in the Other section, we can see a To-do User checkbox to enable the security group for this user. Select it, and Save the form.

If everything was done correctly, you should be able to see the to-do top menu; use it to add to-do items. We should see only our own items and won't be able to access other users'.

Security record rules

When given access to a Model, by default users will be able to access all its records. But in some cases, we need to restrict the particular records each user should be able to access. This is possible using record rules, which define domain filters to automatically be enforced when performing read or write operations.

For example, in our to-do app, the To-do Items are expected to be private, so we want users to only be able to see their own items. We need a record rule to filter only the records created by the current user:

  • The create_uid field is automatically added by the framework, and stores the user that created the record, and we can use it to see who owns each record
  • The current user is available in the user variable, a user variable browse object available in the context where the domain filter is evaluated

We can use this in a domain expression to achieve our goal: [('create_uid', '=', user.id)].

Record rules are available in the Settings | Technical | Security | Record Rules menu. Navigate there and create a new Record Rules, with the following values:

  • Name: A descriptive title, such as To-do Own Items
  • Object: Select the Model from the list, To-do Item in our case
  • Access Rights: The actions where the rule will be applied; leave all checked
  • Rule Definition: The Domain Filter, [('create_uid', '=', user.id)]
  • Groups: The security groups it applies to; select and add the To-do User group

This is how the Record Rules definition will look like:

And we're done. You can now try this new rule by creating a couple of to-do items with both the Admin and Demo users. Each should be able to see only their own items. The Record Rules can be switched off through the box button in the upper-right corner of the form. If you try that and check the to-do item list, you should see all the items from all users.

The superuser account

In previous Odoo versions, the admin user was special and bypassed access security. In version 12 this has changed, and the admin account belongs to all app security groups, but is a regular user. We still have a superuser that bypasses access security, but it doesn't have a login.

We can still work as a superuser. When logged in as a user with the Admin \ Setting group, the Become Superuser option is in the developer menu, Or, use the Login as superuser hidden option in the login screen, visible if the Developer mode is enabled.

When the superuser is enabled, in the upper-right corner the current user is shown as OdooBot, and the colors in the upper-right area change to yellow and black stripes, to make it clear the superuser is enabled.

This should be used only if absolutely necessary. The fact that the superuser bypasses access security can lead to data inconsistencies, for example in a multi-company context, and should be avoided.

You have been reading a chapter from
Odoo 12 Development Essentials - Fourth Edition
Published in: Dec 2018
Publisher: Packt
ISBN-13: 9781789532470
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image