7

I tried removing the delete access in calendar -> security folder -> calendar_event_all employee, but it did not give any result.

access_calendar_attendee_employee,calendar.attendee_employee,model_calendar_attendee,base.group_user,1,1,1,1

This is the access security line in the calendar module's security CSV file.

Shravy
  • "1" means giving access rights & "0" means vice versa of it. – Hardik Patadia Sep 05 '15 at 09:21
  • Yes, I know that, but giving 0 did not affect it. – Shravy Sep 05 '15 at 09:27
  • Try to look into all access rights for the model "calendar.attendee_employee", and see which group has the delete right, and check whether this user is in that list. It may be that, due to some other access right, the user is still able to delete the data. – Hardik Patadia Sep 05 '15 at 09:48
  • Yes, already checking on it. Thanks a lot. – Shravy Sep 05 '15 at 10:07
  • Anyone got any idea on this issue? – Shravy Nov 24 '15 at 07:02
  • I'm sorry I can only give you an idea, but not an answer: I had a co-worker who had to do exactly what you want, and I remember he had to do it with JavaScript. He had nothing to do with Odoo security files (XML nor CSV). – forvas Nov 24 '15 at 10:08
  • Are you sure? It's in JavaScript, forvas? – Shravy Nov 24 '15 at 10:33
  • Yes, I've just checked, but the situation wasn't exactly like yours. He had created a new group, and users who didn't belong to that group weren't able to **remove** calendar events which have been created by other users. If users belonged to that group, they were able to remove any calendar event. He did all this functionality through JavaScript. – forvas Nov 24 '15 at 10:48

4 Answers

1

Change the access right below for the calendar event:

access_calendar_event_all_employee,calendar.event_all_employee,model_calendar_event,base.group_user,1,1,1,0

This restricts calendar event deletion for base.group_user (Employee).

If you want to create your own group, then add code of the following type.

Example:

<record model="res.groups" id="group_user">
    <field name="implied_ids" eval="[(4, ref('group_no_one'))]"/>
    <field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>
Jainik Patel
  • I have already done this, but it has no effect. It allows a user to delete another user's event. – Shravy Nov 24 '15 at 09:45
  • I have already made the changes in the access right, but it lets one user delete another user's calendar event. – Shravy Nov 24 '15 at 09:49
  • Jainik, it's not regarding any groups, it's for all system users, so if a user "A" tries to delete user "B"'s calendar event, then user A should not be able to delete user B's event. – Shravy Nov 24 '15 at 10:34
0

The idea here is to try overriding the unlink method:

def unlink(self, cr, uid, ids, context=None):
    ...
    ...

Whenever we try to delete a record, the unlink method will be called, and in uid we will have the current user ID. So, if you want to restrict deletion for all users, raise an exception with an appropriate message in the method. If you want to restrict deletion for other users, compare the current uid with the record's uid. If they differ, raise an exception; otherwise allow it.

0

You can use JavaScript to manage your purpose. Create a JS file in your src/static folder of your custom module and add this code (don't forget to include this JS file in the data of the __openerp__.py of your module):

openerp.your_module_name = function(instance) {

var _t = instance.web._t;
var Users = new openerp.web.Model('res.users');
var Events = new openerp.web.Model('calendar.event');

instance.web_calendar.CalendarView.include({

    remove_event: function(id) {
        var self = this;

        // Declared with var so the helpers do not leak into the global scope.
        var do_removal = function() {
            return $.when(self.dataset.unlink([id])).then(function() {
                self.$calendar.fullCalendar('removeEvents', id);
            });
        };

        var confirm_removal = function() {
            if (self.options.confirm_on_delete) {
                if (confirm(_t("Are you sure you want to delete this record?"))) {
                    do_removal();
                }
            } else {
                do_removal();
            }
        };

        // Ask the server whether the current user is in the group, then decide in the browser.
        Users.call('has_group', ['put_here_the_module_name_where_the_group_which_can_remove_is_declared.put_here_the_group_which_can_remove'])
            .done(function(result) {
                if (result == true) {
                    confirm_removal();
                } else {
                    alert(_t("Your user has not permission to delete this event"));
                }
            });
    },

});

};

With this code, only users who belong to the specified group (in Users.call method) will be able to remove calendar events (They will receive a confirmation dialog: Are you sure you want to delete this record?). The users who don't belong to that group will receive an alert message: Your user has not permission to delete this event.

forvas
0

You can extend the unlink method like so.

from openerp import models, api, exceptions

class CalendarEvent(models.Model):
    _inherit = "calendar.event"

    @api.multi
    def unlink(self):
        for record in self:
            # create_uid is a res.users record; compare its id with the current user's id.
            if record.create_uid.id != self.env.uid:
                raise exceptions.Warning(('Error'), ('You cannot delete an event that you did not create.'))
        # super() must name this class, not a placeholder.
        return super(CalendarEvent, self).unlink()

You can use record rules

<record model="ir.rule" id="calendar_event_rule">
    <field name="name">Calendar Event : cannot delete someone else's event</field>
    <field name="model_id" ref="model_calendar_event"></field>
    <!-- Omitting group as you want it to be global -->
    <!-- The domain selects the records the user is allowed to act on -->
    <field name="domain_force">[('create_uid', '=', user.id)]</field>
    <!-- perm_* set to 1 means the rule is applied to that operation -->
    <field eval="1" name="perm_write"></field>
    <field eval="0" name="perm_read"></field>
    <field eval="1" name="perm_unlink"></field>
    <field eval="0" name="perm_create"></field>
</record>

Note that with this rule, they won't be able to edit it as well.

Majikat
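An added sketch, not code from the thread or from Odoo: a simplified Python model of the two checks the server applies to every unlink call, the additive ACL rows that Hardik Patadia's comment points to and a global record rule like the one in the last answer. The group example.group_calendar_manager, the second CSV row, the user ids and the event are constructed for illustration.

```python
import csv
import io

# Constructed ACL file. Row 1 is the corrected line from the first answer;
# row 2 is a hypothetical second group that still grants delete.
ACL_CSV = """\
access_calendar_event_all_employee,calendar.event_all_employee,model_calendar_event,base.group_user,1,1,1,0
access_calendar_event_manager,calendar.event_manager,model_calendar_event,example.group_calendar_manager,1,1,1,1
"""

# Constructed record rules as (group or None for global, applies_to_unlink, domain).
# The single global rule mirrors [('create_uid', '=', user.id)].
RULES = [(None, True, lambda event, uid: event["create_uid"] == uid)]


def acl_allows_unlink(user_groups, model="model_calendar_event"):
    """ACL rows are additive: one matching row with perm_unlink=1 is enough."""
    for row in csv.reader(io.StringIO(ACL_CSV)):
        _id, _name, model_id, group, _read, _write, _create, unlink = row
        if model_id == model and (not group or group in user_groups) and unlink == "1":
            return True
    return False


def rules_allow_unlink(event, uid, user_groups):
    """Global rules are ANDed; the user's group rules are ORed together."""
    active = [(g, dom) for g, on_unlink, dom in RULES if on_unlink]
    global_ok = all(dom(event, uid) for g, dom in active if g is None)
    group_doms = [dom for g, dom in active if g in user_groups]
    group_ok = any(dom(event, uid) for dom in group_doms) if group_doms else True
    return global_ok and group_ok


def can_unlink(event, uid, user_groups):
    """Both layers must agree before the server deletes the record."""
    return acl_allows_unlink(user_groups) and rules_allow_unlink(event, uid, user_groups)


EVENT_OF_B = {"id": 1, "create_uid": 20}  # constructed: event created by user 20
EMPLOYEE = {"base.group_user"}
MANAGER = {"base.group_user", "example.group_calendar_manager"}

if __name__ == "__main__":
    print("employee ACL grants unlink:", acl_allows_unlink(EMPLOYEE))
    print("manager deletes B's event as user 10:", can_unlink(EVENT_OF_B, 10, MANAGER))
    print("manager deletes own event as user 20:", can_unlink(EVENT_OF_B, 20, MANAGER))
```

With the employee row at 1,1,1,0 an employee cannot delete even their own events, because a record rule only narrows what some ACL row already grants. Setting one row to 0 changes nothing for a user who also belongs to a group whose row still has perm_unlink=1.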