Different permissions based on workflow state


Question

I need to set up different permission on an object based on its workflow state. For instance, 'manager group' can edit the object only if state=draft but 'super manager group' can edit it also if state=validated.

It seems that's not possible using ir.model.access and I'm evaluating if it could be done using ir.rule. It seems not...

Is there an official way to get this or do I need to implement this feature (maybe by adding a condition into ir.model.access machinery)?

Recommended answer

This is not possible by default with ir.model.access, because this permission model is designed to act like simple Unix permission on CRUD operations, and it is statically defined, per-model and per-group.

You may be able to implement something like this using ir.rule, as it implements dynamic per-record access control based on field values. By having a set of rules defined only on the write and unlink operations and based on the state field, you will be able to prevent some groups from modifying records in certain states. By using the technique of an always-true rule [(1,'=',1)] you can then relax a non-global rule for users who have a "super-access" group. See also this answer.
This option will have important caveats however:

  • Be careful not to make those rules apply for read, as it will make the records completely disappear, and generally wreak havoc in your processes
  • The interface will not become read-only when the rule is in effect, and if you want to make the fields and buttons read-only you will have to find a way to specify this via attrs in a manner that depends on the user's groups. See also this Launchpad question.
  • The Save button in the UI will not be disabled
  • The standard error reporting in case of ir.rule restriction is not very clear, so it will certainly confuse users (note: it's being improved for 7.0)

As you see, using ir.rule filters for this purpose is far from a perfect solution, and you will first need to find appropriate solutions for the above issues.

Ultimately, you might have an easier task of implementing your own logic for this, plugging a new mechanism in the ORM primitive API methods: fields_view_get (for making fields dynamically read-only based on the user groups) and the CRUD methods (for actually restricting the operations)
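
A simplified model of the rule combination described in the answer, added here as an illustration and not code from the answer or from OpenERP: group-specific rules that apply to a user are OR-ed, which is why the always-true domain relaxes the draft-only rule. The group names, the rule list and the sample records are constructed, and ir.model.access is not modelled.

```python
# Simplified model of how group-specific record rules combine.
# Not OpenERP/Odoo code: group names, rules and records are constructed.

def leaf_matches(leaf, record):
    """Evaluate one domain leaf (field, operator, value) against a dict record."""
    field, op, value = leaf
    if field == 1:                      # the always-true leaf (1, '=', 1)
        return op == "=" and value == 1
    if op == "=":
        return record.get(field) == value
    if op == "in":
        return record.get(field) in value
    raise ValueError("unsupported operator: %r" % (op,))

def domain_matches(domain, record):
    """A domain without explicit operators is an implicit AND of its leaves."""
    return all(leaf_matches(leaf, record) for leaf in domain)

# Rules are defined only for write and unlink, never for read,
# so records in any state stay visible to everyone.
RULES = [
    {"group": "manager", "ops": {"write", "unlink"},
     "domain": [("state", "=", "draft")]},
    {"group": "super_manager", "ops": {"write", "unlink"},
     "domain": [(1, "=", 1)]},
]

def allowed(user_groups, op, record, rules=RULES):
    """OR together the group rules that apply to this user and operation."""
    applicable = [r for r in rules
                  if op in r["ops"] and r["group"] in user_groups]
    if not applicable:
        # No group rule applies: record rules do not restrict this user,
        # so only ir.model.access (not modelled) would limit the operation.
        return True
    return any(domain_matches(r["domain"], record) for r in applicable)

if __name__ == "__main__":
    for groups in ({"manager"}, {"manager", "super_manager"}, set()):
        for state in ("draft", "validated"):
            ok = allowed(groups, "write", {"state": state})
            print(sorted(groups), state, "write allowed:", ok)
```

The last case matters when reviewing such a setup: a user in neither group is not restricted by these rules at all, so write access for other groups has to be withheld in ir.model.access.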
