OCA / multi-company

GNU Affero General Public License v3.0

Multi-company product variant access error #585

Closed aleuffre closed 5 months ago

aleuffre commented 5 months ago

Module

Describe the bug

Users without administrator access have an error when accessing product variants with company_ids set, when some of those companies are not active.

To Reproduce

Affected versions:

Steps to reproduce the behavior:

Assuming a DB with demo data such as runboat, with product_multi_company installed

  1. As admin user, create a product template.
  2. In the Companies field of the product template, select all 3 companies --> This means that users from any of the 3 companies should be able to see it
  3. Even if you only activate company San Francisco, the user can see all 3 companies in the
  4. Log in as demo user (any user with multi-company access, but without administrator rights), only have company "San Francisco" active
  5. Try to access the product template you created earlier --> OK. In the Companies field only "San Francisco" is shown
  6. Try to access the product variant related to the template (from the product variants menu up top, not from the smart button in the product template, they are different views) --> Access error related to trying to access the other 2, inactive companies.

Expected behavior

User with only a single company active can see a product variant when the active company is among the allowed companies

Additional context

Administrator users can always see all companies even if they don't have them active, so the error is not present. For non-admin users, the error seems to happen when trying to read the field company_ids of product.product (and in fact, if the field company_ids is removed from the view https://github.com/OCA/multi-company/blob/14.0/product_multi_company/views/product_template_view.xml there is no access error anymore).

Upon inspecting the calls from the browser:

My hypothesis is that the problem is due to the nature of product.product as a model that uses delegation inheritance. The company_ids field is really memorized on product.template, and maybe that's why the companies are not being filtered correctly. I haven't had time to investigate further.

francesco-ooops commented 5 months ago

cc @pedrobaeza and @rousseldenis as authors/contributors for both modules :)

francesco-ooops commented 5 months ago

@pedrobaeza @aleuffre @ilyasProgrammer I can reproduce the error, here are the steps briefly:

Install product_multi_company in a fresh db

1) create 3 companies
2) create product template with 3 companies
3) assign 2 companies to marc demo
4) try to access product variant with marc demo:

Due to security restrictions, you are not allowed to access 'Companies' (res.company) records.

For some reason, this does not happen in an environment with 2 companies + a product template with 2 companies + marc demo with access to 1 company (this could be the reason why this bug has not been reported earlier)

https://recordit.co/1UVrfH26pm

pedrobaeza commented 5 months ago

I have just done that in runboat with no luck:

image

What is different?

francesco-ooops commented 5 months ago

My runboat is baseonly (I only installed product_multi_company)

francesco-ooops commented 5 months ago

@pedrobaeza reproduced in v15 too (module does not exist in v16)