odoo/odoo#163329
Created by Bugfix, Séna Serge Nshimiyimana (sesn)
Merged
at 3be00fa01ed400c2bd7b4fda49871fd14869a48d
Statuses:
- legal/cla: Contributor License Agreement check
- ci/runbot: Odoo Test Suite
- ci/upgrade_enterprise: Test upgrades for enterprise master
- ci/template: Contact runbot team on discord for help.
- ci/style: Optional style check. Ignore it only if strictly necessary.
- ci/security: Required security check. Can only be ignored by security team.
- label
- odoo-dev:saas-16.4-opw-3858685-sale_admin_invoice_access-sesn
- head
- 8f62c5717ddcc0cdc8d994a8adb45e51bc4e3acf
- merged
- 5 months ago by Platform, Brice Bartoletti (bib)
| odoo/odoo | |
|---|---|
| saas-16.4 | #163329 |
| 17.0 | #163412 |
| saas-17.1 | #163427 |
| saas-17.2 | #163439 |
| master | #163452 |
[FIX] account_edi: allow users to read account.edi.format/documnet
Steps to Reproduce
- Install
sale_managementandaccount_edi. - Create a user with admin access in sales but no rights in accounting.
- Log in as the new user.
- Navigate to a Sales Order that has been invoiced and attempt to view its invoice via the 'Invoices' stat button.
Expected Behavior: The user should be able to view the invoice.
Actual Behavior: An access error is encountered when attempting to view the invoice.
Cause
The access error arises due to restricted permissions for account.edi.format and account.edi.document. Prior to commit 604a47ead80eb8a07102a978f364d82776f69da3, all users had access to these models. However, this commit restricted access solely to users with the account.group_account_readonly role, as part of a broader security enhancement to minimize unnecessary access by portal users.