ODOO permission management

Permission levels

  • The first level is the access rule, that is, table-level (object) permission, which controls whether a user group may create, read, modify, and delete an object. It is generally managed in the security/ir.model.access.csv file.
  • The second level is row-level permission, which controls a user group's access to individual data rows in the table; it can be written in the views/views.xml file.
  • The third level is field-level permission: access rights to certain fields on an object or table.
  • The fourth level is menu-level permission: users who do not belong to a group listed on the menu cannot see the menu.

Create a module

Version: odoo8

(Python 2.7 environment)

python ./odoo.py scaffold academy ./openerp/addons_test

Switch user to developer mode
Click the user name in the upper right corner, click About, then click "Activate developer mode" in the upper right corner of the page

Update Modules List
Settings->Modules->Update Modules List

Install the module
Settings-> Search for the module name in the upper right corner

1. Table-level permissions

Create a new model

academy/models.py

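from openerp import models, fields


class Teachers(models.Model):
    _name = 'academy.teachers'

    name = fields.Char('Teacher Name')
    biography = fields.Html()
    # Each teacher is tied to a login user; deleting the user deletes the teacher.
    user_id = fields.Many2one('res.users', string="User", ondelete='cascade', required=True)
    # Reverse side of Courses.teacher_id, so it is declared on the teacher.
    course_ids = fields.One2many('academy.courses', 'teacher_id', string="Courses")


class Courses(models.Model):
    _name = 'academy.courses'
    # The course form view shows the chatter fields, which come from mail.thread
    # (this needs 'mail' in the depends list of __openerp__.py).
    _inherit = 'mail.thread'

    name = fields.Char()
    teacher_id = fields.Many2one('academy.teachers', string="Teacher")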

Add basic views to two tables and create two new menus

academy/views.xml

<openerp>
    <data>
        <record id="action_academy_teachers" model="ir.actions.act_window">
            <field name="name">Academy teachers</field>
            <field name="res_model">academy.teachers</field>
        </record>

        <record id="academy_teacher_tree" model="ir.ui.view">
            <field name="name">Academy teachers: tree</field>
            <field name="model">academy.teachers</field>
            <field name="arch" type="xml">
                <tree>
                    <field name="user_id"/>
                </tree>
            </field>
        </record>
        <record id="academy_teacher_form" model="ir.ui.view">
            <field name="name">Academy teachers: form</field>
            <field name="model">academy.teachers</field>
            <field name="arch" type="xml">
                <form>
                    <sheet>
                        <label for="user_id"/> <field name="user_id"/>
                        <label for="biography"/>
                        <field name="biography"/>
                    </sheet>
                </form>
            </field>
        </record>

        <record id="action_academy_courses" model="ir.actions.act_window">
            <field name="name">Academy courses</field>
            <field name="res_model">academy.courses</field>
        </record>
        <record id="academy_course_search" model="ir.ui.view">
            <field name="name">Academy courses: search</field>
            <field name="model">academy.courses</field>
            <field name="arch" type="xml">
                <search>
                    <field name="name"/>
                    <field name="teacher_id"/>
                </search>
            </field>
        </record>
        <record id="academy_course_list" model="ir.ui.view">
            <field name="name">Academy courses: list</field>
            <field name="model">academy.courses</field>
            <field name="arch" type="xml">
                <tree string="Courses">
                    <field name="name"/>
                    <field name="teacher_id"/>
                </tree>
            </field>
        </record>
        <record id="academy_course_form" model="ir.ui.view">
            <field name="name">Academy courses: form</field>
            <field name="model">academy.courses</field>
            <field name="arch" type="xml">
                <form>
                    <sheet>
                        <label for="name"/>
                        <field name="name"/>
                        <label for="teacher_id"/>
                        <field name="teacher_id"/>
                    </sheet>
                    <div class="oe_chatter">
                        <field name="message_follower_ids" widget="mail_followers"/>
                        <field name="message_ids" widget="mail_thread"/>
                    </div>

                </form>
            </field>
        </record>

        <menuitem sequence="0" id="menu_academy" name="Academy"/>
        <menuitem id="menu_academy_content"
                  parent="menu_academy"
                  name="Academy Content"/>
        <menuitem id="menu_academy_content_teachers"
                  parent="menu_academy_content"
                  action="action_academy_teachers"/>
        <menuitem id="menu_academy_content_courses"
                  parent="menu_academy_content"
                  action="action_academy_courses"/>
    </data>
</openerp>

The table-level access control file is in academy/security/ir.model.access.csv

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_academy_teachers,access_academy_teachers,model_academy_teachers,,1,0,0,0

No group_id is set in the line above, so read permission on the teacher table is granted to all groups. Restart Odoo and upgrade the module (as admin), then switch to a non-admin user to see the effect.


The user only has the right to read teachers, and cannot add, modify, or delete them.

2. Row-level permissions

For example, for the "customer" object, a salesperson may only access the customers he created himself, while a manager can access all the "customer" objects of the salespeople under his jurisdiction. Rules are defined in the ir.rule model and stored in the public.ir_rule table.
Create a new rule file, security/academy_record_rules.xml, and register it in the data attribute of __openerp__.py.

security/academy_record_rules.xml

<?xml version="1.0" encoding="utf-8"?>
<openerp>
    <data noupdate="1">
        <record id="academy_user_rule" model="ir.rule">
            <field name="name">Academy only for owner</field>
            <field name="model_id" ref="model_academy_teachers"/>
            <field name="domain_force">
                [('create_uid','=',user.id)]
            </field>
            <!--<field name="groups" eval="[(4,ref('base.group_user'))]"/>-->
        </record>
    </data>
</openerp>

name: the rule name
model_id: the model the rule applies to
global: whether the rule is a global one
domain_force: the filter condition. A record is displayed only when its creator id equals the current user id
groups: which group the rule belongs to. base.group_user is all groups; this field can be left out

security/ir.model.access.csv

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_academy_teachers,access_academy_teachers,model_academy_teachers,,1,1,1,1
access_academy_courses,access_academy_courses,model_academy_courses,,1,0,0,0

First open all permissions on the teacher model to all groups. Restart Odoo and upgrade the academy module, then log in as a non-admin user: you can create new teachers, and you only see the records you created yourself.
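A check for the configuration just described, added here as an example and not code from the original page: it lists every ir.model.access.csv line whose group_id is empty (the grant applies to every user) together with any record rule that narrows it. It is a stand-alone Python 3 script run outside Odoo; the function names are assumptions, and the embedded file contents are copied from this page.

```python
import csv
import io
import xml.etree.ElementTree as ET

# File contents copied from this page, embedded so the check runs offline.
ACCESS_CSV = """id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_academy_teachers,access_academy_teachers,model_academy_teachers,,1,1,1,1
access_academy_courses,access_academy_courses,model_academy_courses,,1,0,0,0
"""
RULES_XML = """<openerp><data noupdate="1">
  <record id="academy_user_rule" model="ir.rule">
    <field name="name">Academy only for owner</field>
    <field name="model_id" ref="model_academy_teachers"/>
    <field name="domain_force">[('create_uid','=',user.id)]</field>
  </record>
</data></openerp>"""
PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")


def models_with_rules(rules_xml):
    """Return {model external id: [rule names]} for every ir.rule record."""
    covered = {}
    for rec in ET.fromstring(rules_xml).iter("record"):
        if rec.get("model") != "ir.rule":
            continue
        fields = {f.get("name"): f for f in rec.findall("field")}
        model = fields["model_id"].get("ref")
        covered.setdefault(model, []).append(fields["name"].text)
    return covered


def audit_access(access_csv, rules_xml):
    """List ACL lines with an empty group_id and the rules covering the model."""
    covered = models_with_rules(rules_xml)
    findings = []
    for row in csv.DictReader(io.StringIO(access_csv)):
        if row["group_id:id"].strip():
            continue  # the grant is limited to one group
        model = row["model_id:id"]
        findings.append({"acl": row["id"], "model": model,
                         "granted": [p[5:] for p in PERMS if row[p] == "1"],
                         "record_rules": covered.get(model, [])})
    return findings


if __name__ == "__main__":
    for finding in audit_access(ACCESS_CSV, RULES_XML):
        print(finding)
```

A line that grants write, create or unlink with an empty record_rules list is the one to review first, since nothing narrows it.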

Notes

(4, ID) Add a master-slave link relationship to the object with id=ID.

(3, ID) Remove the master-slave link relationship with the object with id=ID, but do not delete the object

(2, ID) Remove the master-slave link relationship with the object with id=ID, and delete this object (call the unlink method)

(5) Remove all link relationships, that is, loop all slave data and call (3, ID)

(6,0,[IDs]) Replace the original linked record with the record in IDs, that is, execute (5) first and then loop through IDs to execute (4,ID)

3. Field-level permissions

Create the user permission groups with record elements; the groups are stored in res.groups

security/academy_groups.xml

<?xml version="1.0" encoding="utf-8"?>
<openerp>
    <data noupdate="1">
        <record model="ir.module.category" id="module_category_academy_test">
            <field name="name">academy test</field>
        </record>
        <record id="academy_teachers_group" model="res.groups">
            <field name="name">Academy teachers group</field>
            <field name="comment">the comment of the group.</field>
            <field name="category_id" ref="module_category_academy_test"/>
            <!--<field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>-->
            <!--<field name="users" eval="[(4, ref('base.user_root'))]"/>-->
        </record>
        <record id="academy_managers_group" model="res.groups">
            <field name="name">Academy managers group</field>
            <field name="comment">the comment of the group.</field>
            <field name="category_id" ref="module_category_academy_test"/>
        </record>
    </data>
</openerp>

First define the group category, then define the two groups as belonging to that same category (the category can also be left out).

Notes

name group name
comment group comment
category_id belongs to which module
users predefined users belonging to the group
implied_ids

Add two records in demo.xml and create two users
demo.xml

        <record id="user_teacher_a" model="res.users">
            <field name="name">teacherA</field>
            <field name="login">[email protected]</field>
            <field name="password">academy</field>
        </record>
        <record id="user_teacher_b" model="res.users">
            <field name="name">teacherB</field>
            <field name="login">[email protected]</field>
            <field name="password">academy</field>
        </record>

        <record id="teacher_a" model="academy.teachers">
            <field name="name">TeacherA</field>
            <field name="work_email">[email protected]</field>
            <field name="user_id" ref="academy.user_teacher_a"/>
        </record>
        <record id="teacher_b" model="academy.teachers">
            <field name="name">TeacherB</field>
            <field name="work_email">[email protected]</field>
            <field name="user_id" ref="academy.user_teacher_b"/>
        </record>

Log in as admin and add teacherA to the academy_teachers_group group: under Settings->Users, open teacherA for editing, and the new permission groups now appear. Check the Academy teachers group.


There are two places to add group permissions to fields

Add the groups attribute to the field in the view
academy/views.xml

        <record id="academy_teacher_tree" model="ir.ui.view">
            <field name="name">Academy teachers: tree</field>
            <field name="model">academy.teachers</field>
            <field name="arch" type="xml">
                <tree>
                    <field name="user_id"/>
                    <field name="name"/>
                    <field name="biography" groups="academy.academy_teachers_group"/>
                    <field name="show_group_teacher"/>
                </tree>
            </field>
        </record>

Or add the groups attribute where the field is defined

academy/models.py

class Teachers(models.Model):
    _name = 'academy.teachers'

    name = fields.Char('Teacher Name')
    biography = fields.Html()
    user_id = fields.Many2one('res.users', string="User", ondelete='cascade', required=True)
    show_group_teacher = fields.Char('Show For Teacher', groups="academy.academy_teachers_group")

Restart Odoo and upgrade the academy module, then log in as TeacherA and as TeacherB to compare the effect.
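The two places are not equivalent: groups in a view only controls what that view renders, while groups on the field definition is enforced by the ORM on every read and write. The following added example (not code from the original page) reports fields restricted in a view but not on the model. It is a stand-alone Python 3 script; the function names are assumptions and the embedded snippets are trimmed copies of the ones above.

```python
import ast
import xml.etree.ElementTree as ET

# Trimmed copies of the page's models.py and views.xml, embedded to run offline.
MODELS_PY = '''
class Teachers(models.Model):
    _name = 'academy.teachers'
    name = fields.Char('Teacher Name')
    biography = fields.Html()
    show_group_teacher = fields.Char('Show For Teacher', groups="academy.academy_teachers_group")
'''
VIEWS_XML = '''<openerp><data>
  <record id="academy_teacher_tree" model="ir.ui.view">
    <field name="model">academy.teachers</field>
    <field name="arch" type="xml"><tree>
      <field name="name"/>
      <field name="biography" groups="academy.academy_teachers_group"/>
      <field name="show_group_teacher"/>
    </tree></field>
  </record>
</data></openerp>'''


def model_field_groups(source):
    """Map (model, field) to the groups string on the field definition, or None."""
    out = {}
    for cls in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)):
        assigns = {s.targets[0].id: s.value for s in cls.body
                   if isinstance(s, ast.Assign) and isinstance(s.targets[0], ast.Name)}
        if "_name" not in assigns:
            continue
        model = ast.literal_eval(assigns.pop("_name"))
        for field, call in assigns.items():
            kw = {k.arg: k.value for k in getattr(call, "keywords", [])}
            out[(model, field)] = ast.literal_eval(kw["groups"]) if "groups" in kw else None
    return out


def view_only_restrictions(models_src, views_xml):
    """Return (view id, model, field) where groups is set in the view only."""
    declared = model_field_groups(models_src)
    hits = []
    for rec in ET.fromstring(views_xml).iter("record"):
        if rec.get("model") != "ir.ui.view":
            continue
        model = rec.find("field[@name='model']").text
        for node in rec.find("field[@name='arch']").iter("field"):
            if node.get("groups") and not declared.get((model, node.get("name"))):
                hits.append((rec.get("id"), model, node.get("name")))
    return hits
```

On the page's snippets this reports biography: it is hidden in the tree view for users outside the group, but carries no restriction on the model itself.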

4. Menu level permissions

Add the groups attribute (or groups_id) to the menu definition

academy/views.xml

        <menuitem id="menu_academy_content_courses"
                  parent="menu_academy_content"
                  action="action_academy_courses"
                  groups="academy.academy_teachers_group"/>

Restart Odoo and upgrade the academy module, then log in as TeacherA and as TeacherB to compare the effect.
