From d15d9e43032b92425727654c66d16fb960983084 Mon Sep 17 00:00:00 2001 
From: gsinghpal
Date: Wed, 20 May 2026 23:11:37 -0400
Subject: [PATCH] fix(fusion_repairs): admin + office users get full read/schedule access

When admin (gsingh, uid=2) opened a repair on the dashboard:

  "Sorry, Gurpreet Singh (id=2) doesn't have 'read' access to:
  - Repair Order, RO-202605-04 (repair.order: 34)
  Blame the following rules:
  - Repair Order: Technician sees own repairs"

Root cause: per-group record rules in Odoo are OR'd within the same model. Admin had been added directly to fusion_tasks.group_field_technician in this database (verified via res_groups_users_rel - direct=1), so the technician's restrictive rule ('only repairs you are assigned to') kicked in. Until now there was no per-group rule for the Repairs Office groups to OR against, so the restrictive rule won by default.

Fix - added two pairs of permissive rules:
  rule_repair_order_repairs_user_full - User can read/write/create
  rule_repair_order_repairs_manager_unlink - Manager also can delete
  rule_technician_task_repairs_office - User can read/write/create tasks
  rule_technician_task_repairs_manager_unlink - Manager also can delete tasks

Both have domain_force=[(1,'=',1)] so they grant unrestricted access for the Repairs groups. OR'd with the field_technician rule, admin and other office users now see everything. Field technicians who do NOT have any Repairs group still see only their assigned repairs (rule unchanged).

Also added the matching ir.model.access.csv entries - record rules don't fire if the user has no model-level ACL. This is the second fix ('office users can schedule') from the same complaint - Repairs User now has read/write/create on fusion.technician.task; Repairs Manager also gets unlink.

Verified end-to-end on westin-v19: Admin can see 17 repairs (was 0 before fix) Admin can read RO-202605-04 -> 'Gurpreet Singh' (the exact failing record) Admin can create fusion.technician.task -> permission check passes (model's own time-overlap business validation correctly rejects an overlap, but that is a value error not a permission error) Bumped to 19.0.1.0.7. Co-authored-by: Cursor --- fusion_repairs/__manifest__.py | 2 +- fusion_repairs/security/ir.model.access.csv | 4 ++ fusion_repairs/security/security.xml | 56 ++++++++++++++++++++- 3 files changed, 60 insertions(+), 2 deletions(-) diff --git a/fusion_repairs/__manifest__.py b/fusion_repairs/__manifest__.py index c68e10b1..b0de4ed2 100644 --- a/fusion_repairs/__manifest__.py +++ b/fusion_repairs/__manifest__.py @@ -4,7 +4,7 @@ { 'name': 'Fusion Repairs', - 'version': '19.0.1.0.6', + 'version': '19.0.1.0.7', 'category': 'Inventory/Repairs', 'summary': 'Guided medical equipment repair intake, dispatch, maintenance, and self-service portal', 'description': """ diff --git a/fusion_repairs/security/ir.model.access.csv b/fusion_repairs/security/ir.model.access.csv index 4470566b..10da9d95 100644 --- a/fusion_repairs/security/ir.model.access.csv +++ b/fusion_repairs/security/ir.model.access.csv 
@@ -19,3 +19,7 @@ access_repair_visit_report_wizard_line_user,Visit Report Line User,model_fusion_ access_repair_maintenance_user,Maintenance Contract User Read,model_fusion_repair_maintenance_contract,group_fusion_repairs_user,1,0,0,0 access_repair_maintenance_dispatcher,Maintenance Contract Dispatcher,model_fusion_repair_maintenance_contract,group_fusion_repairs_dispatcher,1,1,1,0 access_repair_maintenance_manager,Maintenance Contract Manager Full,model_fusion_repair_maintenance_contract,group_fusion_repairs_manager,1,1,1,1 +access_repair_order_repairs_user,Repair Order Repairs User Read/Write,repair.model_repair_order,group_fusion_repairs_user,1,1,1,0 +access_repair_order_repairs_manager,Repair Order Repairs Manager Full,repair.model_repair_order,group_fusion_repairs_manager,1,1,1,1 +access_technician_task_repairs_user,Technician Task Repairs User Schedule,fusion_tasks.model_fusion_technician_task,group_fusion_repairs_user,1,1,1,0 +access_technician_task_repairs_manager,Technician Task Repairs Manager Full,fusion_tasks.model_fusion_technician_task,group_fusion_repairs_manager,1,1,1,1 diff --git a/fusion_repairs/security/security.xml b/fusion_repairs/security/security.xml index 89476c53..1344c82a 100644 --- a/fusion_repairs/security/security.xml +++ b/fusion_repairs/security/security.xml @@ -64,7 +64,11 @@ + Uses STORED fields (technician_id + additional_technician_ids) - not the computed all_technician_ids. + + NOTE: per-group rules in Odoo are OR'd. A user who is BOTH a field + technician AND a Repairs User/Dispatcher/Manager will see all repairs + because the permissive Repairs rules below grant access via the OR. --> Repair Order: Technician sees own repairs 
@@ -76,6 +80,56 @@ + + + Repair Order: Repairs Office Full Access + + [(1, '=', 1)] + + + + + + + + Repair Order: Repairs Manager Can Delete + + [(1, '=', 1)] + + + + + + + + + + Technician Task: Repairs Office Access + + [(1, '=', 1)] + + + + + + + + Technician Task: Repairs Manager Can Delete + + [(1, '=', 1)] + + + + + + + Repair Intake Answer: Multi-Company
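Review bot: In the ir.model.access.csv hunk, access_repair_order_repairs_user and access_technician_task_repairs_user give the base group_fusion_repairs_user write and create (1,1,1,0), while the unchanged maintenance-contract rows in the same hunk keep that group read-only (1,0,0,0) and start write/create at group_fusion_repairs_dispatcher. If scheduling is meant to be a dispatcher-tier action, bind the two new user rows to the dispatcher group or reduce them to read-only. If the wider grant is intended, rename "Repair Order Repairs User Read/Write" so the label shows that create is granted as well.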
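Review bot: The NOTE added to the comment in the first security.xml hunk (@@ -64,7 +64,11) records that a user in both groups sees all repairs, but not what that means for group management: from this change on, adding a field technician to any Repairs group silently lifts the "Technician sees own repairs" restriction. State that in the comment, and consider whether the reported case (admin added directly to fusion_tasks.group_field_technician, per the commit message) is better handled by removing that membership. The comment also names the Repairs Dispatcher, while the new ACL rows cover only group_fusion_repairs_user and group_fusion_repairs_manager; if the dispatcher is covered through group inheritance, say so here.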
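Review bot: All four rules added in the second security.xml hunk (@@ -76,6 +80,56) use [(1, '=', 1)], which carries no company filter, in a file whose next rule is "Repair Intake Answer: Multi-Company". Group rules are OR'd with each other, but global rules are still AND'ed on top, so this domain is safe only if a global multi-company rule already exists for repair.order and fusion.technician.task; otherwise scope it to the user's companies, for example [('company_id', 'in', company_ids)], assuming both models carry a company_id field. The diffstat touches only the manifest and the two security files, so the guarantee stated in the commit message (technicians without a Repairs group still see only their assigned repairs) has no regression test; add one covering a technician-only user and a user in both groups.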