Security - A Brief Introduction

In a business application such as Odoo, one of the first questions to consider is who can access the data. Odoo provides a security mechanism to allow access to the data for specific groups of users.

Data Files (CSV)

Odoo is a highly data-driven system. Although behavior is customized using Python code, part of a module’s value is in the data it sets up when loaded. One way to load data is through a CSV file. One example is the list of country states, which is loaded at installation of the base module.

"id","country_id:id","name","code"
state_au_1,au,"Australian Capital Territory","ACT"
state_au_2,au,"New South Wales","NSW"
state_au_3,au,"Northern Territory","NT"
state_au_4,au,"Queensland","QLD"
...

  • id is an external identifier. It can be used to refer to the record (without knowing its in-database identifier).

  • country_id:id refers to the country by using its external identifier.

  • name is the name of the state.

  • code is the code of the state.

These three fields are defined in the res.country.state model.

By convention, a file importing data is located in the data folder of a module. When the data is related to security, it is located in the security folder. When the data is related to views and actions (we will cover this later), it is located in the views folder. Additionally, all of these files must be declared in the data list within the __manifest__.py file. Our example file is defined in the manifest of the base module.

Also note that the content of the data files is only loaded when a module is installed or updated.

Access Right

When no access rights are defined on a model, Odoo determines that no users can access the data. This is even reported in the log:

WARNING rd-demo odoo.modules.loading: The models ['estate.property'] have no access rules in module estate, consider adding some, like:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink

Access rights are defined as records of the model ir.model.access. Each access right is associated with a model, a group (or no group for global access) and a set of permissions: create, read, write and unlink. Such access rights are usually defined in a CSV file named ir.model.access.csv.

Here is an example for our previous test_model:

id,name,model_id/id,group_id/id,perm_read,perm_write,perm_create,perm_unlink
access_test_model,access_test_model,model_test_model,base.group_user,1,0,0,0

  • id is an external identifier.

  • name is the name of the ir.model.access.

  • model_id/id refers to the model which the access right applies to. The standard way to refer to the model is model_<model_name>, where <model_name> is the _name of the model with the . replaced by _. Seems cumbersome? Indeed it is…

  • group_id/id refers to the group which the access right applies to.

  • perm_read, perm_write, perm_create, perm_unlink: read, write, create and unlink permissions.
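
A review-time check for the access file described above, as an added example (not code from Odoo or from the original page). It flags rows with no group that grant any permission, rows whose model reference does not follow the model_<model_name> convention for a model of the module, and models left without any rule. The function names, the sample rows after the first one and the MODELS list are assumptions made for illustration.

```python
import csv
import io

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")

# Constructed sample: row 1 is the page's example, rows 2-3 are made up.
SAMPLE = """\
id,name,model_id/id,group_id/id,perm_read,perm_write,perm_create,perm_unlink
access_test_model,access_test_model,model_test_model,base.group_user,1,0,0,0
access_estate_property_all,access_estate_property_all,model_estate_property,,1,1,1,1
access_typo,access_typo,model_estate.property.type,base.group_user,1,1,1,1
"""
# Assumed _name values of the models the (hypothetical) module defines.
MODELS = ["test_model", "estate.property", "estate.property.type"]


def model_xmlid(model_name):
    """model_<model_name>: the model's _name with '.' replaced by '_'."""
    return "model_" + model_name.replace(".", "_")


def audit_access_csv(text, module_models):
    """Return (findings, uncovered) for the text of an ir.model.access.csv."""
    expected = {model_xmlid(m): m for m in module_models}
    covered, findings = set(), []
    for line_no, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        # Accept both header spellings used on the page (':id' and '/id').
        row = {k.replace("/", ":"): (v or "").strip() for k, v in raw.items() if k}
        ref = row.get("model_id:id", "")
        model = expected.get(ref.rpartition(".")[2])  # drop optional "module." prefix
        if model:
            covered.add(model)
        else:
            findings.append((line_no, row.get("id", ""), "model reference not in module: " + ref))
        granted = [p for p in PERMS if row.get(p) == "1"]
        if not row.get("group_id:id") and granted:
            findings.append((line_no, row.get("id", ""), "global access (no group): " + ",".join(granted)))
    # Models left uncovered are the ones the loader warning would list.
    return findings, sorted(set(module_models) - covered)


if __name__ == "__main__":
    findings, uncovered = audit_access_csv(SAMPLE, MODELS)
    for line_no, rec_id, message in findings:
        print(f"line {line_no}: {rec_id}: {message}")
    print("models without access rules:", uncovered)
```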