I am trying to define a Record Rule within OpenERP that allows a User who is not in the Officer group to change their own Employee record only, while still keeping the existing global rule allowing users in the Officer group to edit all Employee records. I've gotten as far as setting up a custom rule with the following details:
- Object: Employee
- Apply for Read: checked
- Apply for Write: checked
- Rule Definition:
[('user_id', '=', user.id)]
However, all this seems to do is remove the ability of the User to read any Employee record except for their own. As far as I can tell, I need to combine something like the rule above with a logical OR operator to the Access Control rule applying to users in the "Officer" group. Can anyone give me any pointers for how to accomplish this?
Edit: My desired behaviour is thus:
- All users (Employee group) can search and read all Employee records.
- Users in the Employee group can edit their own Employee record, but not others.
- Users in the Officer group can edit all Employee records (this is default behaviour for the HR module).
Tried thus far:
- Modify the Record Rule described above (User_edit_own_employee_rule) to apply only for Write operations, not Read operations (users can see all Employee records, but not edit any records including their own).
- Modify the hr.employee system user Access Control rule to allow Write operations (users can now edit all Employee records).
One clue I have is that, using the API to return an employee's user_id in the shell, OpenERP returns [5, 'Joe Bloggs']. I wonder whether my Record Rule is querying the foreign key relationship properly?
