Skip to Content
This question has been flagged
5 Replies
3779 Views
Avatar
Ignatius Cronjé

Hi all,


I would like some guidance regarding the configuration to allow internal users to see only the contacts for which they are assigned as Salesman.


I have added a record rule: "User can update own contacts" with the domain filter [('user_id', '=', user.id)]  with access rights for Read, Write, Create and Delete on the Contacts model. The record rule is assigned to the group Sales / User: Own Documents Only


According to https://www.odoo.com/forum/help-1/restrict-users-to-see-only-his-own-contacts-155427 the res.partner.rule.private.employee rule can be removed.

Now, removing this rule does help, but with the rule removed, the user can not login. Trying to login with the rule disabled, results in an access error:


Does anyone have suggestions on how to resolve this?


Regards


Ignatius

Avatar
Discard
Avatar
Sing Wang Ho
Best Answer

I got it to work in Odoo15.  Let's clarify some fields first in the context.

user_id is an optional field in the partner model for assigning a Sales Person.  This field is mapped to a User's ID not Contact's ID.

id is the Contact's ID

user.id is the current User's ID

user.partner_id.id is current user's Contact's ID.


So if you want an internal user to only see their contact, the access rights should be:

'id', '=', user.partner_id.id

This adds the user itself and will allow him to login.

Next, you want to allow this user to view any contact is is assigned to, so add:

'user_id','=',user.id

Finally, I would also add the "OdooBot" contact...

'id', '=', 2


So the record rule should be:

['|','|',

('id', '=', 2),

('id','=',user.partner_id.id),

('user_id','=',user.id)]

Avatar
Discard
Avatar
Adithya
Best Answer

This issue occurs because res.partner.rule.private.employee record rule is ['|', ('type', '!=', 'private'), ('type', '=', False)] is assigned to the group "Internal Users" which is applicable to all the users created as internal type. 


One way to override this is, you can create a new group say "xyz" and give the res. Partner. Rule. Private. Employee record rule to this group and remove the record rule for "internal user" group Assign this xyz group to admin and the users for whom all contacts are to be visible. Then create further record rules and groups to users for whom the domain filter has to be applied as per requirement of that particular user without giving them xyz group access. 

Avatar
Discard
Avatar
Ignatius Cronjé
Author Best Answer

Hi Alouna.

I have tried the record rule [('user_id', '=', user.id)]  and assigned the group as suggested. The behaviour does change according to the requirement, but the authentication issue remains.

It seems like there are conflicting requirements on the Contact model from this perspective.

Avatar
Discard
alouna ahmad

could you provide me with all record rules you have applied so far?
So, i can better analyze the solution for this issue.

Ignatius Cronjé
Author

Hi,

Rules applied / changed as follows:

Disable default res.partner.rule.private.employee

Add rule for All Contacts [(1, '=', 1)] and assign groups Administrator / Access Rights; Purchase / Administrator; Sales / Administrator; Sales / User: All Documents to it with Read, Write, Create, Delete access on Contact model.

Add Rule ['|', '|', ('create_uid', '=', user.partner_id.id), ('user_id', '=', user.partner_id.id), ('user_id', '=', user.id)] and add goups Technical / Contacts Edit Own; Sales / User: Own Documents only with Read, Write, Create, Deleta access rights on Contact model.

Thanks in advance.

Avatar
MUHAMMAD Imran
Best Answer

For reference, the default res.partner.rule.private.employee record rule is ['|', ('type', '!=', 'private'), ('type', '=', False)] inactive it or inherit it. Then replace. ['|', ('type', '!=', 'private'), ('type', '=', False)]  with [('user_id', '=', user.id)] 

Avatar
Discard
Ignatius Cronjé
Author

Thank you for teh response.

Through inheritence of res.partner.rule.private.employee have no affect. Implementation of the rule as you suggest changes the behaviour as long as the user is authenticated when the change is made.

As soon as the user logs out, the 403-error is displayd and the authentication fails.

When the default res.partner.rule.private.employee is assigned for Read only, the authentication works, but, the user can then still see all contacts. He can, however, only change the contacts for which he is the Sale Peron which is partly the correct behaviour we require.

Avatar
alouna ahmad
Best Answer

Hello,

you can try this way:

  1. Assign Salesperson on Contact Form.
  2. Create the following record rule on Contact (res.partner) object.
['|', '|', ('create_uid', '=', user.partner_id.id), ('user_id', '=', user.partner_id.id), ('user_id', '=', user.id)]

and apply it for read, write, create, delete.

the result would be: when salesperson open Contacts he will only see contacts which has been assigned to him, also when he creates a sale order the system will fetch only those contacts with his name as a salesperson.

Hope this will help.

Avatar
Discard
Ignatius Cronjé
Author

Thank you, Alouna.

The filter works fine and is in many regards a better solution than the one I implemented.

The outcome only works if I disable the default res.partner.rule.private.employee rule which is similar to the behaviour I saw with my previous filter.

Now, with the new filter and the disabled filter both in place, the user can not authenticate to the ODOO database as per the screenshot provided above.

REgards

Ignatius Cronjé
Author

To clarify my previous response a bit more, just the following:

When I enable the default res.partner.rule.private.employee rule, hte user can authenticate, but then he can also read all contacts when he opens Contacts and while creating sales orders.

For reference, the default res.partner.rule.private.employee record rule is ['|', ('type', '!=', 'private'), ('type', '=', False)]

It seems like the authentication engine uses the Contacts model to authenticate users and when the read access is removed, the user is unable to login to the website.

Maybe there is a more complex solution to this problem.

Regards

alouna ahmad

then just try to use this record:
[('user_id', '=', user.id)]
Hope it will help!

alouna ahmad

and assign a group under record rule:
Sales / User: Own Documents Only