Closed aleuffre closed 5 months ago
cc @pedrobaeza and @rousseldenis as authors/contributors for both modules :)
@pedrobaeza @aleuffre @ilyasProgrammer I can reproduce the error, here are the steps briefly:
install product_multy_company in a fresh db
1) create 3 companies 2) create product template with 3 companies 3) assign 2 companies to marc demo 4) try to access product variant with marc demo:
Due to security restrictions, you are not allowed to access 'Companies' (res.company) records.
For some reason, this does not happen in an environment with 2 companies + a product template with 2 companies + marc demo with access to 1 company (this could be the reason why this bug has not been reported earlier)
I have just done that in runboat with no luck:
What is different?
My runboat is baseonly (I only installed product_multi_company)
@pedrobaeza reproduced in v15 too (module does not exist in v16)
Module
base_multi_company
product_multi_company
Describe the bug
Users without administrator access have an error when accessing product variants with
company_ids
set, when some of those companies are not active.To Reproduce
Affected versions:
Steps to reproduce the behavior:
Assuming a DB with demo data such as runboat, with
product_multi_company
installedCompanies
field of the product template, select all 3 companies --> This means that users from any of the 3 companies should be able to see itcompanies
field only "San Francisco" is shownExpected behavior User with only a single company active can see a product variant when the active company is among the allowed companies
Additional context
Administrator users can always see all companies even if they don't have them active, so the error is not present. For non-admin users, the error seems to happen when trying to read the field
company_ids
of product.product (and in fact, if the fieldcompany_ids
is removed from the view https://github.com/OCA/multi-company/blob/14.0/product_multi_company/views/product_template_view.xml there is no access error anymore.Upon inspecting the calls from the browser:
when reading the![image](https://github.com/OCA/multi-company/assets/78726989/e5283f09-4fcf-405a-be0e-c3c01bab568e)
product.template
, only company 1 is returned, even though really multiple companies are set on the fields. The other companies are not shown due to record rules filtering them. This is the correct and expected behaviourwhen reading the![image](https://github.com/OCA/multi-company/assets/78726989/4fbe0f39-d2bc-431a-bca9-20f47beffb31)
product.product
, all companies are returned; the actual error happens when the client makes a furtherread
call to read the names of these companies.My hypothesis is that the problem is due to the nature of
product.product
as a model that uses delegation inheritance. Thecompany_ids
field is really memorized onproduct.template
, and maybe that's why the companies are not being filtered correctly. I haven't had time to investigate further.