Tasks should show up only if the user has been assigned it

OpenERP/Odoo has two kinds of security restrictions that can be assigned to a user group:

  • Access Rights are CRUD yes/no flags (similar to Unix FS permissions), and allow per-model access control. They state whether members of this group may perform a Create, Read, Update, and Delete operation on any document of a certain document model (e.g. a project task). The default policy is DENY, so by default any operation will be refused if the user does not explicitly have the right to perform it via one of her groups' access rights.
  • Record Rules are filters applied on CRUD operations, and allow per-document access-control, once access right are already granted. Users will only be able to perform an operation on a given document if the document matches at least one of the record rules. The default policy is ALLOW, so if no rule exists for a given model, all documents of that model may be accessed by users who have the necessary access rights.

Both Access Rights and Record Rules may also be defined globally without assigning them to a specific group, in which case they apply to everyone. There is one pitfall for Record Rules: global rules may NOT be relaxed by other rules (on purpose!), so use with care.

In your case it looks like you should define one extra Record Rule on the Project User group that explicitly restricts access on Project Tasks to your own tasks (and presumably those that are not assigned yet). You need to create a new entry in the Security Rules menu with these parameters:

  • object/model: project.task
  • name: See own tasks only
  • domain: ['|',('user_id','=',False),('user_id','=',user.id)]
    • (means: your own tasks and unassigned ones)
  • apply for read: [x]
  • apply for write: [x]
  • apply for create: [x]
  • apply for delete: [x]
  • groups: Project / User

The domain of a record rule is a standard OpenERP/Odoo domain that is evaluated on the records on which you are trying to perform the operation, and can refer to a user variable that contains the current user's data (technically, a browse_record on the current user). The documentation has a description of domain.

If you want to allow special users (e.g. Project Managers) to view all tasks in the system, you can relax this rule for them by adding another rule to the Project Manager group which allows access to all tasks. There is a special "domain filter" that means "ALLOW ALL" and is useful to relax another stricter rule: [(1,'=',1)].

Note 1: Have a look at the existing Record Rules to see what they're doing first, and be sure to read the explanations on the Record Rule form when you are adding yours. One important thing to keep in mind is that group-specific rules are combined with an OR operator. So if you add the rule I described above, you may not see any restriction effect because other group-specific rules are still giving access. You may have to disable them, edit them, or change the user group they apply to, to get the exact effect you want.

Note 2: Remember that if you do something wrong with Access Rights and Record Rules, you can always fix the mess with the admin account, as these security restrictions do not apply to the admin (similarly to the root user on Unix).


Note: In OpenERP 7 you have to modify or disable the defualt rule called

Project/Task: employees: public, portal, employee or following or assigned

To get your rule working.

Tags:

Openerp