Human logic vs OpenERP logic, hard times.
Very simple idea: a project user should be able to see/read all the tasks, but only be able to edit/write his assigned tasks.
Easy, Record Rules on project.task:
Nope, 2nd rule overwrites the 1st one.
Is it me, or is it really complicated to do really simple things? Have I missed something?
Thanks
Edit: To clarify my point, here are my rules 1 & 2:
<record model="ir.rule" id="project_task_user_rule">
    <field name="name">Project/task: user: read others tasks</field>
    <field name="model_id" ref="project.model_project_task"/>
    <field name="domain_force">[('user_id','not in',[user.id])]</field>
    <field name="groups" eval="[(4,ref('project.group_project_user'))]"/>
    <field eval="1" name="perm_read"/>
    <field eval="0" name="perm_write"/>
    <field eval="0" name="perm_create"/>
    <field eval="0" name="perm_unlink"/>
</record>
<record model="ir.rule" id="project_task_user_rule">
    <field name="name">Project/task: user: RW rights on his tasks</field>
    <field name="model_id" ref="project.model_project_task"/>
    <field name="domain_force">[('user_id','=',user.id)]</field>
    <field name="groups" eval="[(4,ref('project.group_project_user'))]"/>
    <field eval="1" name="perm_read"/>
    <field eval="1" name="perm_write"/>
    <field eval="0" name="perm_create"/>
    <field eval="0" name="perm_unlink"/>
</record>
In this case, the user sees only his tasks and can modify them. If I put the second rule above the first one, the user can see all the tasks, but is not able to edit any, not even his own.
No, they don't overwrite each other; they are cumulative:
The access rule engine looks for a positive permission for the action to be done (read, create, write, unlink) in any of the available rules.
That same method is used in the OCA module project_baseuser to limit helpdesk end users to have write access only on draft/new Tasks. Once Tasks move to a started stage only Project Users can edit them. See: https://github.com/OCA/project/blob/29caef1cd8029e755c2c27d54541202d52b9c744/project_baseuser/security/project_security.xml#L79
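
As an added example (not part of the original posts, and not Odoo's own code), here is a simplified Python model of how group record rules combine per operation, run on the two records from the question. It assumes XML data loading is keyed by record id, ignores global rules and model-level ACLs, and uses `project_task_own_rule` as a hypothetical second id.

```python
# Simplified model of per-operation record rule evaluation
# (constructed example; not Odoo source code).
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    xml_id: str
    domain: Callable[[dict, int], bool]  # (task, uid) -> matches domain_force?
    perms: frozenset                     # operations whose perm_<op> is 1


def load(records):
    """Assumption: loading is keyed by XML id, so a later record with the
    same id updates the earlier one instead of creating a second rule."""
    by_id = {}
    for rule in records:
        by_id[rule.xml_id] = rule
    return list(by_id.values())


def allowed(rules, op, task, uid):
    """Group rules that apply to `op` are OR-ed; a rule whose perm_<op> is 0
    is ignored for that operation. No applicable rule means no restriction."""
    applicable = [r for r in rules if op in r.perms]
    return not applicable or any(r.domain(task, uid) for r in applicable)


others = lambda task, uid: task["user_id"] != uid  # [('user_id','not in',[user.id])]
own = lambda task, uid: task["user_id"] == uid     # [('user_id','=',user.id)]

# The two records as posted: both use id "project_task_user_rule".
posted = load([Rule("project_task_user_rule", others, frozenset({"read"})),
               Rule("project_task_user_rule", own, frozenset({"read", "write"}))])

# The same two rules with distinct ids (second id is a hypothetical name).
distinct = load([Rule("project_task_user_rule", others, frozenset({"read"})),
                 Rule("project_task_own_rule", own, frozenset({"read", "write"}))])


def matrix(rules, uid=7):
    """Access decision per (task, operation) for user `uid`."""
    tasks = {"own": {"user_id": 7}, "other": {"user_id": 8}}  # constructed sample
    return {(name, op): allowed(rules, op, task, uid)
            for name, task in tasks.items() for op in ("read", "write")}
```

In this model `matrix(posted)` grants read and write on the user's own task only, while `matrix(distinct)` grants read on every task and write only on the user's own.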