odoo/odoo#149306
Created by fw-bot
Statuses:
- legal/cla: Contributor License Agreement check
- ci/runbot: Odoo Test Suite
- ci/upgrade_enterprise: Test upgrades for enterprise master
- ci/template: Contact runbot team on discord for help.
- ci/style: Optional style check. Ignore it only if strictly necessary.
- ci/security: Required security check. Can only be ignored by security team.
- ci/documentation: (runtime 112s)
- label
- odoo-dev:16.0-15.0-account-fix_tag_access-r5YF-fw
- head
- 4b286e9820c61fcda55d1a51f1a6fbd163005a93
- merged
- 2 years ago by Cedric Snauwaert (csn)
| odoo/odoo | |
|---|---|
| 15.0 | #146787 |
| saas-15.2 | #149298 |
| 16.0 | #149306 |
| saas-16.1 | #151617 |
| saas-16.2 | #151639 |
| saas-16.3 | #152157 |
| saas-16.4 | #152164 |
| 17.0 | #152169 |
| saas-17.1 | #173753 |
| saas-17.2 | #173761 |
| saas-17.4 | #173763 |
| 18.0 | |
| saas-18.2 | |
| saas-18.3 | |
| saas-18.4 | |
| 19.0 | |
| saas-19.1 | |
| saas-19.2 | |
| saas-19.3 | |
| master | #173972 |
[FW][FIX] account: allow users to see products after configuring taxes
The account module adds the tax_string field to product forms: https://github.com/odoo/odoo/blob/ceb8b785fba1055deeff8d9075ccc707f2317278/addons/account/views/product_view.xml#L76
That field calls Model(account.tax).compute_all(): https://github.com/odoo/odoo/blob/ceb8b785fba1055deeff8d9075ccc707f2317278/addons/account/models/product.py#L71
That method needs access to account.account.tag records: https://github.com/odoo/odoo/blob/ceb8b785fba1055deeff8d9075ccc707f2317278/addons/account/models/account_tax.py#L563 https://github.com/odoo/odoo/blob/ceb8b785fba1055deeff8d9075ccc707f2317278/addons/account/models/account_tax.py#L632 https://github.com/odoo/odoo/blob/ceb8b785fba1055deeff8d9075ccc707f2317278/addons/account/models/account_tax.py#L648 https://github.com/odoo/odoo/blob/ceb8b785fba1055deeff8d9075ccc707f2317278/addons/account/models/account_tax.py#L671
Internal users were able to read account.tax and account.tax.repartition.line records, but they couldn't read account.account.tag records.
So, this lead to the absurd situation where a user with permissions to read products (like stock, PoS or event users) couldn't be able to see the product form anymore whenever that product happened to have a tax with a repartition line with a tag:
https://github.com/odoo/odoo/assets/973709/1801eef5-8f1a-4883-8051-858cdd457e74
This is a regression from Odoo 14, introduced in #74138 and #73602.
I'm granting all internal users read permission over account.account.tag, just like the one they have for account.tax and account.tax.repartition.line. BTW that's the fix suggested by Odoo helpdesk.
@moduon MT-4390
opw-3636032
I confirm I have signed the CLA and read the PR guidelines at www.odoo.com/submit-pr
Forward-Port-Of: #146787