Restrict user to change class o_invisible_modifier from developer tools Odoo11 - security

I am showing certain notebooks/pages according to user groups in an Odoo 11 form.
As per my architecture I am unable to use access record rules per group for all employees, but as an alternative I made all fields on the employee form invisible (except employee name) for other employees, so a user can see full information for his/her own record only. But now I can see a security issue with inspect element (developer tools), where users are able to see other employees' information by removing the class (.o_invisible_modifier) in the developer tools. So, how can I secure my system by removing this issue?
Note: I have already blocked keyboard shortcuts and events for inspect element with jQuery.
Please suggest the best solution.
Thanks in advance.

For the same reason the Employee model was changed starting from Odoo 13.
Now it's split between 2 models, where personal info is present on one model and public info is on the other model.
But you can maybe do an extra manual check when you overwrite write and, I think it was, read.
https://github.com/odoo/odoo/blob/5b335396addb16456d61273ae6b0446913f7f489/addons/project/models/project.py#L1607
https://github.com/odoo/odoo/blob/5b335396addb16456d61273ae6b0446913f7f489/addons/project/models/project.py#L1625
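
The point behind the answer above, as an added example that is not part of the original thread and is not Odoo code: `o_invisible_modifier` only hides values the server has already sent to the browser, so the decision has to be made where the record is read and written. This stand-alone Python model shows the kind of check an overridden `read`/`write` would apply; the sample rows and the field names `private_phone` and `bank_account` are constructed, and `user_id` is assumed to link an employee to their login.

```python
# Stand-alone model of a server-side read/write filter (constructed example).
# Nothing here imports Odoo; the rows and most field names are sample data.

PUBLIC_FIELDS = {"id", "name"}  # what any employee may see about a colleague

# Constructed sample rows standing in for employee records.
EMPLOYEES = [
    {"id": 1, "name": "Alice", "user_id": 10,
     "private_phone": "555-0101", "bank_account": "ACC-1"},
    {"id": 2, "name": "Bob", "user_id": 20,
     "private_phone": "555-0102", "bank_account": "ACC-2"},
]


def read_employees(rows, uid, requested_fields=None, is_hr_manager=False):
    """Return only the values the caller is entitled to, decided server-side.

    Own record or HR manager: every requested field.
    Anyone else: requested fields intersected with PUBLIC_FIELDS.
    Restricted keys are omitted entirely, so no hidden value reaches the
    browser and there is nothing for a CSS class to conceal.
    """
    result = []
    for row in rows:
        wanted = set(requested_fields) if requested_fields else set(row)
        wanted.add("id")
        if not (is_hr_manager or row.get("user_id") == uid):
            wanted &= PUBLIC_FIELDS
        result.append({k: v for k, v in row.items() if k in wanted})
    return result


def check_write(row, uid, is_hr_manager=False):
    """Allow a write only on the caller's own record (or for HR managers)."""
    if is_hr_manager or row.get("user_id") == uid:
        return True
    raise PermissionError(
        "write to employee %s denied for user %s" % (row["id"], uid))


if __name__ == "__main__":
    # Bob (uid 20) requests every field of every employee.
    for rec in read_employees(EMPLOYEES, uid=20):
        print(rec)
```
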

Related

How do we make a crystal report print only specific fields based off of the user running the report?

We use a construction software, Viewpoint. We need a report to print the GL Accounts associated only with the user running the report. I was wondering if anyone had any ideas on how I could easily and efficiently achieve this? My "last-resort alternative" is just creating separate reports for each GL that pulls only that GL's info.
It depends on how the accounts are associated to the user. If there is a link, you can simply create a user parameter that asks for the user name. Then in the record select of the report you only pull accounts that match the user name in the parameter.
So, for example, your parameter is called {?userName}. In the Record Select the formula would be something like {Accounts.Salesman} = {?userName}, where {Accounts.Salesman} would be the field that links the user with the account.
You can get the current user name and use it to filter the records in your report. There are 2 ways to do this:
1) Create a parameter, hide it and automatically fill the value. You will need a special viewer for this scenario. Let me know if this is what you would prefer; I can give you some links. If you leave the parameter visible the user can insert any value and view any records.
2) Use a UFL. For example this one: http://www.viksoe.dk/code/u2lwin32.htm provides a function LoginName which will return the currently logged-in user. There are other UFLs which support similar functionality; check if your company is already using something. This one is free. You need to register the UFL on each system which will run the report. Once registered, the available functions will become available for formulas.
I personally prefer the viewer solution because it is more flexible and will cover other scenarios too. However if you need just the username UFL will be a better approach.

User not able to edit a Lotus form

A user is not able to edit a form. The user had editor access and I've tried to replicate the issue using a test user and providing the same access as the user, but to no avail. I came across a link which told me that there is something called additional ACL control in Lotus Administrator. I'm not sure if this actually can influence the editing privileges. I don't think that could be the problem. Anyway, please let me know if you can figure out the problem.
Additional info:
The user is a part of a distribution list (multipurpose group) and the group has editor access.
The default access to the form is Author, with an authors field in the form.
The user has 2 names mentioned in the names.nsf person document. An old name and a new name.
The required user roles are assigned to the group.
Let me know if you need additional info.
With Editor rights she should be able to edit. Please check her rights by placing a Computed Text with #UserAccess on the form.
Or if she is using a Notes client she can simply click the "Security" icon in the bottom toolbar of the Notes, near the right corner. It will open a dialog box telling what is her access level to the database.
A few things to check:
is the user listed explicitly in the ACL? If so, those rights will take precedence over any groups she's in.
check the authors field carefully. Best option is to look at the properties of the doc she's editing via the Notes client and examine the authors field in the dialog. That will let you see if any code altered the list of allowed authors. If she's an editor this shouldn't matter but based on the behavior you are seeing it sounds like she's acting as an author.
Make sure that the names in the authors fields are being stored in the canonical format and are not abbreviated or in common name. E.g.: using Henry Newberry/MyOrg does not work while using CN=Henry Newberry/O=MyOrg does.
The issue is solved. There was some problem with the user configuration. That's the reason she was getting author access even though she was an editor. After reconfiguration of her Notes client, she's able to edit the form now. Thanks to all of you for your help.
Although already answered and a solution found, it should be noted that user-names listed in the 'fullname' field of the NAB person record should list the current or 'newname' first as other names may not be recognized.

How can i provide role based security to notes in MS CRM 2011

I am working on Notes in MS CRM 2011.
I have many roles over many entities.
I want role-based security for notes on any entity records.
Let me explain what I want:
Suppose I have an entity, namely E1.
Roles R1 and R2 have read and write access to E1.
But I want that a user having role R2 can only upload and view notes for any record of entity E1.
Hope now my requirement is clear to all of you.
Please suggest how I can achieve it using MS CRM 2011.
I can think of two ways to do this.
1) You can create a plugin on create/update of the annotation (note) and check if the note is related to entity E1 and check the roles of the user making the change and see if they only have the R2 role. If that is the case you can throw an InvalidPluginExecutionException with a message like 'You do not have permissions to edit/create these records'.
2) You can try using role based forms or JS to hide the notes area for R1 users.
You probably want to use a combination of #1 & #2. The users can still access the notes via advanced find and thus will be able to edit those notes. The plugin will prevent that fringe case as well.
*Edit
There are a couple more things that you might be able to do to deal with the advanced find records. You can remove the annotation entity from advanced find via the unsupported method described here.
Otherwise there is one more thing you can do if you want to prevent those results showing up at all, and you want to stay supported. You can write a plugin on Post-RetrieveMultiple of the annotation entity to strip out the results directly from the return result. There are a couple downsides to this though.
You are executing your plug-in every time the retrieve multiple is called on the entity. So this code will need to be as efficient as possible since that delay will be noticeable by the end user whenever they retrieve these records.
Things like advanced find will display odd results. For example if your paging is set to 50 records and you strip out 10, they will only see 40 records on their page and the total record count will include the records you are stripping out.
Through roles I don't know a way to do that, because you configure the access to notes generically, so it applies to all entities. You have to access it with JavaScript, navigating in the DOM. Check an example:
document.getElementById("notescontrol").contentWindow.document.getElementById("NotesTable")
You can check this with the help of a developer tool in your browser.

Controlling an NSArrayController and Core data relations

I am new to stackoverflow because I almost never ask questions in forums as there are plenty of questions out there already answered. However my head is about to explode from trying to figure out how to do this app.
First I do this using XCode 4.5.2 for OSX 10.8 deployment of a personal (that is for my use only) double entry accounting software.
Each accounting entry consists of a header of various text fields such as the entry date, a serial number, etc. which I created an Entity called "Entry". Also each such entry has multiple lines such as the various accounts related to that entry, amounts, etc. called an Entity "EntryLine" linked in the model nice and easy.
The thing is that I intended to use text field for the basic header info and below it a linked Table View for each of the line. Being an accounting software there are several checks (validations) that I need to make and I need full control of what is going on. Already tried binding two array controllers, one for each entity and linking the two and saving them to the sqlite file but to no avail!
Now I have an app with just the header up and running by manually getting and setting the info in the top text fields as I please and saving them to the file. But I have no idea how to do the part with the Entry Lines in the Table view. Can I do that manually too or is it better to do bindings through an array controller?
Also tried already with array controller but I get "Table View Cell" when I add a new line in the table. Any ideas on that?
In the Table View there is also an "Account Name" part that is NOT part of the EntryLine entity but my intention is to obtain this information from another entity called "Account" that stores the Account Number and Account Name. On input of the account number that is, the app would skip the name field and move to particulars for input but also bring up the name of the account already inputted. Is this even possible?
Sorry for being a bit vague in my questions but I come from routine program oriented languages and not object oriented one, though I have some Java experience. Any help would be appreciated. No screenshot sorry as I am not yet allowed:(

How to display notes in opportunity form of mscrm 2011?

I need to display account notes across all opportunities. Typically MSCRM creates a blank Notes section for each new Opportunity you create inside an account, but I need to display a running Account dialog of conversations to review in one continuous notepad (meaning display all notes).
Can anyone tell me how I can display all notes in the opportunity form?
Is this possible without coding (or in fact, with coding)?
Thanks in advance,
SD
Well you can do this a few different ways.
1) The easiest way is to add an IFRAME and then point to the applicable Account notes container. You'd have to set the "id" attribute based on the account. Here's what your IFRAME url will look like:
/_controls/notes/notesdata.aspx?EnableInlineEdit=true&EnableInsert=true&id=%7bEF88BCAA-C3EB-E111-B142-78E7D162EE67%7d&ParentEntity=1
2) If you are only wanting to display the notes and not allow for a user to edit them (read-only), then you'll need to use fetch to query the annotations where the related id equals the account.
Just to be clear on the requirement here.
I believe you are saying: Each Account has multiple Opportunities, each Opportunity has many Notes. On the Account you want to show all the Notes for all the Opportunities.
I don't think you can achieve this with out of the box functionality. I would suggest creating an SSRS report and iFrame'ing it in.
