Troubleshooting User Permissions in Odoo: Common Issues and Solutions

User Jane in "Sales" group
access_sale_order_salesman,sale.order.salesman,sale.model_sale_order,sales_team.group_sale_salesman,1,1,1,0
                                                                                                 ↑ = READ permission = YES

Result: Jane CAN access sale.order model

<record id="sale_order_rule" model="ir.rule">
    <field name="domain_force">[('user_id', '=', user.id)]</field>
</record>

Result: Jane can only see orders where user_id = Jane
       Other salespeople's orders: HIDDEN

# ir.model.access.csv
# Missing invoice access!
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_order_salesman,sale.order salesman,sale.model_sale_order,sales_team.group_sale_salesman,1,1,1,0
# ← No entry for account.move!

# When salesman tries to view invoice → AccessError

# Add missing ACL entry
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_order_salesman,sale.order salesman,sale.model_sale_order,sales_team.group_sale_salesman,1,1,1,0
access_invoice_salesman,account.move salesman,account.model_account_move,sales_team.group_sale_salesman,1,0,0,0
# ↑ Added invoice read access (no write/create/delete)

# In Python console
user = self.env['res.users'].browse(user_id)
print(user.groups_id)  # What groups is user in?

# Check if user can read model
try:
    self.env['account.move'].check_access_rights('read')
    print("✓ User can read account.move")
except:
    print("✗ User cannot read account.move (missing ACL)")

# Salesman Jane tries to view all orders
orders = self.env['sale.order'].search([])

# Result: Shows only Jane's orders (record rule filters silently)
# She expects: All orders for her territory
# She gets: Only her personal orders
# No error, just different data

# This is SILENT filtering (hardest to debug!)

<!-- WRONG: Salesman only sees own orders -->
<record id="sale_order_rule_salesman" model="ir.rule">
    <field name="name">Order - Salesman Own</field>
    <field name="model_id" ref="sale.model_sale_order"/>
    <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
    <field name="domain_force">[('user_id', '=', user.id)]</field>
    <!-- This filters by user_id, but what if orders don't have user_id? -->
</record>

# Salesman Jane with user_id = 10
# Order #1: user_id = 10 → VISIBLE ✓
# Order #2: user_id = 11 (another rep) → HIDDEN ✗
# Order #3: user_id = False (no owner) → HIDDEN ✗

# Jane thinks orders are missing, but actually they don't match domain

<!-- RIGHT: Salesman sees own + team orders -->
<record id="sale_order_rule_salesman_own_team" model="ir.rule">
    <field name="name">Order - Salesman Own & Team</field>
    <field name="model_id" ref="sale.model_sale_order"/>
    <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
    <!-- Allow both own orders AND team orders -->
    <field name="domain_force">
        ['|',
         ('user_id', '=', user.id),
         ('team_id', '=', user.sale_team_id.id)
        ]
    </field>
</record>

# In Python console, simulate user's view
user = self.env['res.users'].browse(user_id)

# What records does this user see?
with self.env.with_user(user):
    visible_orders = self.env['sale.order'].search([])
    print(f"User can see {len(visible_orders)} orders")
    
    # Check if specific order is visible
    order = self.env['sale.order'].browse(order_id)
    try:
        order.check_access_rule('read')
        print(f"✓ Order {order.id} is visible")
    except:
        print(f"✗ Order {order.id} is hidden by record rule")

class SaleOrder(models.Model):
    _inherit = 'sale.order'
    
    # Everyone can see
    customer = fields.Many2one('res.partner')
    
    # Only managers can see
    cost_price = fields.Float(
        groups='sales_team.group_sale_manager'  # Hidden from salesman!
    )
    
    # Only accountants can see
    profit_margin = fields.Float(
        groups='account.group_account_accountant'
    )

<field name="cost_price" groups="sales_team.group_sale_manager"/>
<!-- Only visible to managers -->

# Check if field visible to user
field = self.env['sale.order']._fields['cost_price']
print(field.groups)  # ('sales_team.group_sale_manager',)

user = self.env['res.users'].browse(user_id)
print(user.groups_id.mapped('id'))  # User's groups

# Is user in required group?
has_group = user.has_group('sales_team.group_sale_manager')
print(f"User can see cost_price: {has_group}")

# Does user have read permission on account.move?
user = self.env['res.users'].search([('login', '=', 'john@example.com')])
print(f"User groups: {user.groups_id.mapped('name')}")

# Check access rights
try:
    self.env['account.move'].check_access_rights('read')
    print("✓ Layer 1 OK: User has read access on account.move")
except AccessError as e:
    print(f"✗ Layer 1 FAIL: {e}")
    # Add to ir.model.access.csv

# With user context, what invoices can they see?
with self.env.with_user(user):
    invoices = self.env['account.move'].search([])
    print(f"User can see {len(invoices)} invoices")
    
    # Find which invoices they CAN'T see
    all_invoices = self.env['account.move'].search([], count=True)
    invisible = all_invoices - len(invoices)
    print(f"User cannot see {invisible} invoices (filtered by record rules)")
    
    # Check a specific invoice
    invoice = self.env['account.move'].browse(invoice_id)
    try:
        invoice.check_access_rule('read')
        print(f"✓ Invoice {invoice.id} matches record rule")
    except AccessError:
        print(f"✗ Invoice {invoice.id} filtered out by record rule")
        print(f"  Rule domain: {invoice._rule_domain}")

# Are there hidden fields?
move = self.env['account.move']
for field_name, field in move._fields.items():
    if field.groups:
        print(f"Field '{field_name}' restricted to: {field.groups}")
        # Can user see this field?
        if user.has_group(field.groups[0]):
            print(f"  ✓ User can see {field_name}")
        else:
            print(f"  ✗ User cannot see {field_name}")

# Solution: Add proper ACL + Record Rule

# 1. ir.model.access.csv
access_invoice_salesman,account.move salesman,account.model_account_move,sales_team.group_sale_salesman,1,0,0,0

# 2. ir_rule.xml
<record id="invoice_rule_salesman" model="ir.rule">
    <field name="name">Invoice - Related to customer</field>
    <field name="model_id" ref="account.model_account_move"/>
    <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
    <!-- See invoices for customers they sold to -->
    <field name="domain_force">[('partner_id', 'in', user.partner_ids.ids)]</field>
</record>

# 3. Test
user = self.env['res.users'].search([('login', '=', 'john@example.com')])
with self.env.with_user(user):
    invoices = self.env['account.move'].search([])
    print(f"✓ User can now see {len(invoices)} invoices")