purchase_security: seller (product.supplerinfo) access can raise contact access error

[dalonsod]

Due to Contact security restrictions added by this addon, in some situations, restricted users could not save PO lines, when a product with restricted vendor prices are involved. Not sure which the best solution for this could be.

Module

purchase_security

Describe the bug

For a restricted Purchase user (e.g. "See own documents" one), a read access error is raised when a product with seller records is selected, if one of them belongs to a vendor (contact) restricted for the user.

To Reproduce

At least at 17.0, but presumably at other versions as well.

Steps to reproduce the behavior:

1. From a Purchase "Manager" user, add a Purchase record (Vendor pricelist) to a product A, for a certain vendor V.
2. Ensure that selected Vendor V has a Purchase Representative set.
3. From a Purchase "User (own orders)" user that is not vendor V Purchase Representative, open a PO and try to select product A for a new line => a 'read' access error for Contact is raised.

Expected behavior
No error should be raised. Not sure what should Odoo do/select instead.

What should be the proper approach? I've checked that PO line's _suggest_quantity() method (that calls _select_seller() at product module) is the error responsible, so adding here a sudo() could solve it. Other approach should be adding record rules for product.supplierinfo (and hide those that belong to restricted vendors, for this group). Both solutions are not equivalent anyway....

cc @victoralmau @StefanRijnhart

[StefanRijnhart]

I am not entirely familiar with this module but from what I can see the restrictions in this model are on the purchase order level, not on the partner level (https://github.com/OCA/purchase-workflow/blob/17.0/purchase_security/security/security.xml) so I don't yet understand how a Contact access error is caused by this module. Can you explain this?

[dalonsod]

@StefanRijnhart thanks for the feedback. I'm referring to this (python rules for Contacts):

purchase-workflow/purchase_security/models/ir_rule.py

Lines 23 to 57 in 4973c3e

	def _compute_domain(self, model_name, mode="read"):
	"""Inject extra domain for restricting partners when the user
	has the group 'Purchase / User (own orders)."""
	res = super()._compute_domain(model_name, mode=mode)
	user = self.env.user
	group1 = "purchase_security.group_purchase_own_orders"
	group2 = "purchase_security.group_purchase_group_orders"
	group3 = "purchase.group_purchase_manager"
	if model_name == "res.partner" and not self.env.su:
	if user.has_group(group1) and not user.has_group(group3):
	extra_domain = [
	"|",
	("message_partner_ids", "in", user.partner_id.ids),
	"|",
	("id", "=", user.partner_id.id),
	]
	if user.has_group(group2):
	extra_domain += [
	"|",
	("purchase_team_id", "=", user.purchase_team_ids[:1].id),
	("purchase_team_id", "=", False),
	]
	else:
	extra_domain += [
	"|",
	("purchase_user_id", "=", user.id),
	"&",
	("purchase_user_id", "=", False),
	"|",
	("purchase_team_id", "=", False),
	("purchase_team_id", "=", user.purchase_team_ids[:1].id),
	]
	extra_domain = expression.normalize_domain(extra_domain)
	res = expression.AND([extra_domain] + [res])
	return res

[StefanRijnhart]

Thanks for clarifying! It makes sense to apply the same partner constraints to seller info indeed!