[fix] multi-company visibility

bzr revid: fp@tinyerp.com-20101012070857-9ix6fu732ml1o3rt
2010-10-12 09:08:57 +02:00 · 2010-10-12 09:08:57 +02:00 · ae1653e63c
parent 11d492dc4f
commit ae1653e63c
2 changed files with 7 additions and 5 deletions
--- a/bin/addons/base/res/res_security.xml
+++ b/bin/addons/base/res/res_security.xml
@ -17,7 +17,7 @@
        <field name="name">company rule</field>
        <field model="ir.model" name="model_id" ref="model_res_company"/>
        <field eval="True" name="global"/>
-        <field name="domain_force">['|',('user_ids','=',user.id),('parent_id','=',user.company_id.id)]</field>
+        <field name="domain_force">['|', ('child_ids', 'child_of', [company_id]), ('parent_id', 'child_of', [company_id])]</field>
    </record>

    <!-- Record Rule For User -->
@ -25,7 +25,7 @@
        <field name="name">user rule</field>
        <field model="ir.model" name="model_id" ref="model_res_users"/>
        <field eval="True" name="global"/>
-        <field name="domain_force">['|',('company_id','=',user.company_id.id),('company_id','child_of',[user.company_id.id])]</field>
+        <field name="domain_force">['|',('company_id.child_ids','child_of',[user.company_id.id]),('company_id','child_of',[user.company_id.id])]</field>
    </record>


--- a/bin/addons/base/res/res_user.py
+++ b/bin/addons/base/res/res_user.py
@ -356,11 +356,13 @@ class users(osv.osv):
        if ids == [uid]:
            for key in values.keys():
                if not (key in self.SELF_WRITEABLE_FIELDS or key.startswith('context_')):
+                    print 'Not Found', key
                    break
            else:
-                # check that user is not selecting an invalid company_id
-                if 'company_id' not in values or (values.get('company_id') in self.read(cr, uid, uid, ['company_ids'], context=context)['company_ids']):
-                    uid = 1 # safe fields only, so we write as super-user to bypass access rights
+                if 'company_id' in values:
+                    if not (values['company_id'] in self.read(cr, uid, uid, ['company_ids'], context=context)['company_ids']):
+                        del values['company_id']
+                uid = 1 # safe fields only, so we write as super-user to bypass access rights

        res = super(users, self).write(cr, uid, ids, values, context=context)