* Access Rights Management:
There are two mechanisms for managing data access rights:
The first is model-level access rights management (access rule);
The second is record rule management.
A record rule is a refinement of an access rule.
If you do not set an access rule for a model, by default only the administrator can access the data of that model.
Record rules do not apply to the administrator user, while access rules still do.
# Access Rule
It is usually managed by an ir.model.access.csv file placed under the security folder.
The file header is as follows:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
Here's an example:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_todo_task_group_user,todo.task.user,model_todo_task,base.group_user,1,1,1,1
For the model todo.task, model_id:id is model_todo_task; this mapping is a fixed convention.
The id and name values can be chosen freely, but they should follow a consistent convention.
group_id:id is the group the row applies to.
For the columns below, 0 means no permission and 1 means permission granted:
perm_read: read
perm_write: write
perm_create: create
perm_unlink: delete
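The following audit of an ir.model.access.csv body is an added example, not code from the original page or from Odoo. The sample rows after the first, the model names model_todo_tag and model_todo_stage, and the function name audit_access_csv are constructed for illustration.

```python
import csv
import io

# Constructed sample: the first data row is the page's example, the rest are invented.
SAMPLE_CSV = """id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_todo_task_group_user,todo.task.user,model_todo_task,base.group_user,1,1,1,1
access_todo_task_all,todo.task.all,model_todo_task,,1,0,0,0
access_todo_tag_user,todo.tag.user,model_todo_tag,base.group_user,1,0,0,0
"""

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")


def audit_access_csv(text, declared_models):
    """Return (findings, models_without_acl) for an ir.model.access.csv body.

    declared_models lists the model_<name> identifiers the module defines
    (hypothetical input supplied by the reviewer).
    """
    findings = []
    covered = set()
    for row in csv.DictReader(io.StringIO(text)):
        model = row["model_id:id"].strip()
        group = row["group_id:id"].strip()
        granted = [p for p in PERMS if row[p].strip() == "1"]
        covered.add(model)
        if not group and granted:
            # A row with an empty group_id:id applies to every user.
            findings.append((row["id"], "no group: applies to all users", granted))
        elif group == "base.group_user" and "perm_unlink" in granted:
            findings.append((row["id"], "every employee can delete", granted))
    # Models with no row at all are reachable only by the administrator.
    missing = sorted(set(declared_models) - covered)
    return findings, missing


if __name__ == "__main__":
    models = ["model_todo_task", "model_todo_tag", "model_todo_stage"]
    for finding in audit_access_csv(SAMPLE_CSV, models)[0]:
        print(finding)
```
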
# Record Rule
It is usually managed by a <module name>_record_rules.xml file placed under the security folder.
<?xml version="1.0" encoding="utf-8"?>
<openerp>
  <data noupdate="1">
    <record id="todo_task_user_rule" model="ir.rule">
      <field name="name">ToDo Tasks only for owner</field>
      <field name="model_id" ref="model_todo_task"/>
      <field name="domain_force">[('create_uid', '=', user.id)]</field>
      <field name="groups" eval="[(4, ref('base.group_user'))]"/>
    </record>
  </data>
</openerp>
Record rules are records of the ir.rule model, stored in the public.ir_rule table.
model_id: the model the rule acts on.
domain_force: a filter applied to all records of the model.
A noupdate value of 1 means this data is not updated when the module is upgraded.
base.group_user is the Human Resources / Employee group.
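How the domain_force of todo_task_user_rule narrows what each user sees, as an added example that is not part of the original page and is not Odoo's implementation. The in-memory records, the user ids and the helper visible_records are constructed; the domain is written as a Python callable instead of the text Odoo evaluates with user bound to the current user.

```python
from types import SimpleNamespace

# Constructed stand-ins for rows of todo.task.
TASKS = [
    {"id": 1, "name": "write report", "create_uid": 7},
    {"id": 2, "name": "book room", "create_uid": 9},
    {"id": 3, "name": "call vendor", "create_uid": 7},
]

# Supported comparison operators for the domain leaves in this sketch.
OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "in": lambda a, b: a in b,
}


def domain_force(user):
    """The page's rule: [('create_uid', '=', user.id)], built per user."""
    return [("create_uid", "=", user.id)]


def visible_records(records, user, is_admin=False):
    """Return the records left after applying the record rule."""
    if is_admin:
        # As stated above, record rules do not apply to the administrator.
        return list(records)
    domain = domain_force(user)
    # Leaves of a domain without explicit operators are combined with AND.
    return [r for r in records
            if all(OPS[op](r[field], value) for field, op, value in domain)]


if __name__ == "__main__":
    alice = SimpleNamespace(id=7)
    print([r["id"] for r in visible_records(TASKS, alice)])
```
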
* A complete worked example:
# Set up a group
<record id="group_department_project_admin" model="res.groups">
  <field name="name">A</field>
  <field name="category_id" ref="B"/>
  <!-- Add the admin user to the group -->
  <field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>
@ name: the group name
@ category_id: which application (module) the group belongs to
@ users: the users in the group
This creates a group called A under application B and initializes it with the admin user as a member.
# Controlling menu display by group
A
<record model="ir.ui.menu" id="menu_id1">
  <field name="name">menu1</field>
  <field name="groups_id" eval="[(6, 0, [ref('A'), ref('B')])]"/>
  <field name="sequence">1</field>
</record>
@ name: the menu name
@ groups_id: which groups can access the menu
@ sequence: the position of the menu in the ordering
This lets members of group A and group B access the menu1 menu, which is displayed at position 1.
Note: eval is explained below; multiple groups are separated by ",".
<menuitem id="menu_id2" name="menu2" parent="menu_id1" sequence="1" groups="A,B"/>
@ name: the menu name
@ parent: the parent menu; it can be omitted if there is none
@ groups: which groups can access the menu
This way menu2, a submenu of menu1, can be accessed by members of groups A and B.
# Permission Rules
<record model="ir.rule" id="rule1">
  <field name="name">rule1</field>
  <field name="model_id" ref="model_model1"/>
  <field name="global" eval="True"/>
  <field name="domain_force">[(1, '=', 1)]</field>
  <field name="groups" eval="[(4, ref('A'))]"/>
</record>
@ name: the rule name
@ model_id: the model the rule depends on
@ global: whether the rule is global
@ domain_force: the filter condition
@ groups: which groups the rule belongs to
This lets members of group A fetch all the data in model_model1.
# ir.model.access.csv
@id: any identifier you choose
@name: any name you choose
@model_id:id: the object (model) you have defined
@group_id:id: which group
@perm_read, perm_write, perm_create, perm_unlink: the read, write, create and delete permissions; 1 means the permission is granted
# Eval
Many2many
(0, 0, {values}) create a new record from the information in values.
(1, id, {values}) update the record with id=id (write the data in values to it).
(2, id) delete the record with id=id (calls the unlink method, deleting the record and its whole master-slave link).
(3, id) cut the link between the master and slave records without deleting the record.
(4, id) add a master-slave link to the record with id=id.
(5) remove all links to the slave records, i.e. call (3, id) on every linked record.
(6, 0, [ids]) replace the existing links with the records in ids: execute (5), then loop over ids executing (4, id).
Example: [(6, 0, [8, 5, 6, 4])] sets the Many2many to ids [8, 5, 6, 4].
One2many
(0, 0, {values}) create a new record from the information in values.
(1, id, {values}) update the record with id=id (write the data in values to it).
(2, id) delete the record with id=id (calls the unlink method, deleting the record and its whole master-slave link).
Example:
[(0, 0, {'field_name': field_value_record1, ...}), (0, 0, {'field_name': field_value_record})]
Many2one fields are simple: fill in the id of an existing record directly, or fill in False to clear the original record.
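The Many2many commands listed above, simulated on an in-memory link list, as an added example that is not part of the original page and is not Odoo's ORM code. The function apply_m2m_commands, the table dictionary and the group ids are constructed. The demo shows why (4, id) and (6, 0, [ids]) differ for groups: (4, id) keeps existing memberships, while (6, 0, [ids]) discards any that are not listed.

```python
def apply_m2m_commands(linked, commands, table):
    """Apply command tuples to `linked`, the ids linked to one parent record.

    `table` maps id -> values for the related model; both are hypothetical
    in-memory stand-ins for the database. Returns the new list of linked ids.
    """
    linked = list(linked)
    for cmd in commands:
        op = cmd[0]
        if op == 0:                      # (0, 0, values): create, then link
            new_id = max(table, default=0) + 1
            table[new_id] = dict(cmd[2])
            linked.append(new_id)
        elif op == 1:                    # (1, id, values): update in place
            table[cmd[1]].update(cmd[2])
        elif op == 2:                    # (2, id): delete the record and its link
            table.pop(cmd[1], None)
            linked = [i for i in linked if i != cmd[1]]
        elif op == 3:                    # (3, id): cut the link, keep the record
            linked = [i for i in linked if i != cmd[1]]
        elif op == 4:                    # (4, id): add a link to an existing record
            if cmd[1] not in linked:
                linked.append(cmd[1])
        elif op == 5:                    # (5,): cut every link
            linked = []
        elif op == 6:                    # (6, 0, ids): (5) followed by (4, id) per id
            linked = list(cmd[2])
        else:
            raise ValueError("unknown command %r" % (cmd,))
    return linked


if __name__ == "__main__":
    # Constructed data: three groups, a menu currently visible to groups 1 and 2.
    groups = {1: {"name": "A"}, 2: {"name": "B"}, 3: {"name": "C"}}
    print(apply_m2m_commands([1, 2], [(4, 3)], groups))       # keeps 1 and 2
    print(apply_m2m_commands([1, 2], [(6, 0, [3])], groups))  # drops 1 and 2
```
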
# Common tips for hiding
These settings only change what the interface shows; access to the data itself is still governed by the access rules and record rules above.
* Hide directly
<group name="owner" position="attributes">
  <attribute name="invisible">True</attribute>
</group>
* Hide under certain conditions
<xpath expr="//field[@name='parent_id']" position="attributes">
  <attribute name="attrs">{'invisible': [('passenger', '=', True)]}</attribute>
</xpath>
<group col="4" string="Traveler information" attrs="{'invisible': [('supplier', '=', True)]}"></group>
* Hide by group
<xpath expr="//field[@name='type']" position="attributes">
  <attribute name="groups">base.group_no_one</attribute>
</xpath>
* Hide a menu
<record model="ir.ui.menu" id="crm.menu_crm_opportunities">
  <field eval="[(6, 0, [ref('base.group_no_one')])]" name="groups_id"/>
</record>