Discussion:
[tryton] Restrict the lines that can be remove it from a many2many field
Luciano Rossi
2018-01-25 14:24:28 UTC
Permalink
Hi!

I need to create an interface to manage the users. For now, I add to my
module the menu item Administration -> Users.

The problem that i'm having, is that I want to restrict the groups that
the user can add or remove from the groups field (many2many).

I added a restriction to the groups field, modifying the definition of
the domain attribute of the groups field, so when choosing the groups to
be added, it will restrict the list of them. But, I don't know how I can
restrict the lines (groups) that the user can remove.

For example, the user can add to the user the groups Accounts and
Purchase. But, if the user already has the group Sale, I do not want
that this group to be remove it.

Any idea?

Thanks!
--
Luciano Rossi - ***@gcoop.coop
http://gcoop.coop - Cooperativa de Software Libre
Julián Alvarez 958 CABA C1414DRT +54 11 4771-0055

Visitá www.tiendas.coop - www.nube.coop
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/d068d840-f74e-b260-7b98-0c8ead4fd03d%40gcoop.coop.
Sergi Almacellas Abellana
2018-01-25 14:57:58 UTC
Permalink
Post by Luciano Rossi
Hi!
I need to create an interface to manage the users. For now, I add to my
module the menu item Administration -> Users.
The problem that i'm having, is that I want to restrict the groups that
the user can add or remove from the groups field (many2many).
I added a restriction to the groups field, modifying the definition of
the domain attribute of the groups field, so when choosing the groups to
be added, it will restrict the list of them. But, I don't know how I can
restrict the lines (groups) that the user can remove.
The user will be allowed to add and remove all the groups that are
allowed by domain.
Post by Luciano Rossi
For example, the user can add to the user the groups Accounts and
Purchase. But, if the user already has the group Sale, I do not want
that this group to be remove it.
Any idea?
If the idea is to prevent removal of existing groups I will probably
make the current user groups readonly and add a function field which is
empty by default and it's used to add new groups to the user.

But for sure, this should be done with access groups, so there are
groups that are allowed to write directly and remove groups.

Hope it helps.
--
Sergi Almacellas Abellana
www.koolpi.com
Twitter: @pokoli_srk
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/3fba2a70-db35-4787-6d97-18d7605899e1%40koolpi.com.
Luciano Rossi
2018-01-25 15:13:47 UTC
Permalink
Hi sergi!
Post by Sergi Almacellas Abellana
Post by Luciano Rossi
Hi!
I need to create an interface to manage the users. For now, I add to my
module the menu item Administration -> Users.
The problem that i'm having, is that I want to restrict the groups that
the user can add or remove from the groups field (many2many).
I added a restriction to the groups field, modifying the definition of
the domain attribute of the groups field, so when choosing the groups to
be added, it will restrict the list of them. But, I don't know how I can
restrict the lines (groups) that the user can remove.
The user will be allowed to add and remove all the groups that are
allowed by domain.
Post by Luciano Rossi
For example, the user can add to the user the groups Accounts and
Purchase. But, if the user already has the group Sale, I do not want
that this group to be remove it.
Any idea?
If the idea is to prevent removal of existing groups I will probably
make the current user groups readonly and add a function field which is
empty by default and it's used to add new groups to the user.
It's a good idea. Perhaps the function field should not be empty. May
be, it could retrieve only the groups that the user has, but that are
allowed to add or remove it.
Post by Sergi Almacellas Abellana
But for sure, this should be done with access groups, so there are
groups that are allowed to write directly and remove groups.
If I understand, yes, this new "group" could not modify or remove the
groups, just add or remove it from the groups field at User model.
Post by Sergi Almacellas Abellana
Hope it helps.
Thanks!
--
Luciano Rossi - ***@gcoop.coop
http://gcoop.coop - Cooperativa de Software Libre
Julián Alvarez 958 CABA C1414DRT +54 11 4771-0055

Visitá www.tiendas.coop - www.nube.coop
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/a91e30da-6f3b-087d-df90-3489ed8a827a%40gcoop.coop.
Sergi Almacellas Abellana
2018-01-25 15:27:03 UTC
Permalink
Post by Luciano Rossi
Post by Sergi Almacellas Abellana
If the idea is to prevent removal of existing groups I will probably
make the current user groups readonly and add a function field which is
empty by default and it's used to add new groups to the user.
It's a good idea. Perhaps the function field should not be empty. May
be, it could retrieve only the groups that the user has, but that are
allowed to add or remove it.
If you can apply a domain to filter the group of records that the user
is allowed to write and modify, you can add a new Many2Many fields which
writes to the same relation but applying a filter on target records with
the filter attribute:

http://doc.tryton.org/4.6/trytond/doc/ref/models/fields.html?highlight=filter#trytond.model.fields.Many2Many.filter
--
Sergi Almacellas Abellana
www.koolpi.com
Twitter: @pokoli_srk
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/f3ac3441-1b1a-65a1-9ed9-d270281e5e66%40koolpi.com.
Cédric Krier
2018-01-25 15:45:58 UTC
Permalink
Post by Sergi Almacellas Abellana
Post by Luciano Rossi
Post by Sergi Almacellas Abellana
If the idea is to prevent removal of existing groups I will probably
make the current user groups readonly and add a function field which is
empty by default and it's used to add new groups to the user.
It's a good idea. Perhaps the function field should not be empty. May
be, it could retrieve only the groups that the user has, but that are
allowed to add or remove it.
If you can apply a domain to filter the group of records that the user
is allowed to write and modify, you can add a new Many2Many fields which
writes to the same relation but applying a filter on target records with
http://doc.tryton.org/4.6/trytond/doc/ref/models/fields.html?highlight=filter#trytond.model.fields.Many2Many.filter
I do not think such design will enforce any security.
--
Cédric Krier - B2CK SPRL
Email/Jabber: ***@b2ck.com
Tel: +32 472 54 46 59
Website: http://www.b2ck.com/
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/20180125154558.GJ23162%40kei.
Cédric Krier
2018-01-25 15:36:27 UTC
Permalink
Post by Luciano Rossi
Hi!
I need to create an interface to manage the users. For now, I add to my
module the menu item Administration -> Users.
The problem that i'm having, is that I want to restrict the groups that
the user can add or remove from the groups field (many2many).
I added a restriction to the groups field, modifying the definition of
the domain attribute of the groups field, so when choosing the groups to
be added, it will restrict the list of them. But, I don't know how I can
restrict the lines (groups) that the user can remove.
For example, the user can add to the user the groups Accounts and
Purchase. But, if the user already has the group Sale, I do not want
that this group to be remove it.
Any idea?
For me, this is strange. If a user can add some groups to its profile, I
do not see why not add all the allowed to the user by default so he does
not need to edit himself this sensitive field. I see no reason a user
will want to remove himself from some groups and thus restrict himself
his access rights..

Maybe what you are looking for is an abstract level above the group to
ease the management. Sebastian has started to work on something like
that: https://bugs.tryton.org/issue7003
--
Cédric Krier - B2CK SPRL
Email/Jabber: ***@b2ck.com
Tel: +32 472 54 46 59
Website: http://www.b2ck.com/
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/20180125153627.GI23162%40kei.
Luciano Rossi
2018-01-26 14:02:02 UTC
Permalink
Hi Cédric,
Post by Cédric Krier
Post by Luciano Rossi
Hi!
I need to create an interface to manage the users. For now, I add to my
module the menu item Administration -> Users.
The problem that i'm having, is that I want to restrict the groups that
the user can add or remove from the groups field (many2many).
I added a restriction to the groups field, modifying the definition of
the domain attribute of the groups field, so when choosing the groups to
be added, it will restrict the list of them. But, I don't know how I can
restrict the lines (groups) that the user can remove.
For example, the user can add to the user the groups Accounts and
Purchase. But, if the user already has the group Sale, I do not want
that this group to be remove it.
Any idea?
For me, this is strange. If a user can add some groups to its profile, I
do not see why not add all the allowed to the user by default so he does
not need to edit himself this sensitive field. I see no reason a user
will want to remove himself from some groups and thus restrict himself
his access rights..
Well, I think it's not strange if the idea is to sell Tryton as SAAS.
Probably you will want to give to the customer the possibility to create
or modify users, but for example, you will not want him to access to the
Administration group (if the customer grant access to that, it could
activate modules).
Post by Cédric Krier
Maybe what you are looking for is an abstract level above the group to
ease the management. Sebastian has started to work on something like
that: https://bugs.tryton.org/issue7003
mmm.. If I understand right, I will need to restrict also the roles that
the user could manage.

Thanks!
--
Luciano Rossi - ***@gcoop.coop
http://gcoop.coop - Cooperativa de Software Libre
Julián Alvarez 958 CABA C1414DRT +54 11 4771-0055

Visitá www.tiendas.coop - www.nube.coop
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/ec43ad41-c013-29bc-c081-ebe83e6ccb78%40gcoop.coop.
Cédric Krier
2018-01-26 15:06:17 UTC
Permalink
Post by Luciano Rossi
Hi Cédric,
Post by Cédric Krier
Post by Luciano Rossi
Hi!
I need to create an interface to manage the users. For now, I add to my
module the menu item Administration -> Users.
The problem that i'm having, is that I want to restrict the groups that
the user can add or remove from the groups field (many2many).
I added a restriction to the groups field, modifying the definition of
the domain attribute of the groups field, so when choosing the groups to
be added, it will restrict the list of them. But, I don't know how I can
restrict the lines (groups) that the user can remove.
For example, the user can add to the user the groups Accounts and
Purchase. But, if the user already has the group Sale, I do not want
that this group to be remove it.
Any idea?
For me, this is strange. If a user can add some groups to its profile, I
do not see why not add all the allowed to the user by default so he does
not need to edit himself this sensitive field. I see no reason a user
will want to remove himself from some groups and thus restrict himself
his access rights..
Well, I think it's not strange if the idea is to sell Tryton as SAAS.
Probably you will want to give to the customer the possibility to create
or modify users, but for example, you will not want him to access to the
Administration group (if the customer grant access to that, it could
activate modules).
It is still strange for me even on SaaS.
I do not see any problem to allow user to *activate* modules as far as you
control the modules that are *installed*.
--
Cédric Krier - B2CK SPRL
Email/Jabber: ***@b2ck.com
Tel: +32 472 54 46 59
Website: http://www.b2ck.com/
--
You received this message because you are subscribed to the Google Groups "tryton" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tryton/20180126150617.GS23162%40kei.
Loading...