From a6f951845d5de869b2e138403aecfd4c653bf8b3 Mon Sep 17 00:00:00 2001
From: "Touati Djamel (otd)" <otd@odoo.com>
Date: Tue, 10 Aug 2021 12:38:19 +0000
Subject: [PATCH] [FIX] hr_holidays: fix time off allocation access right
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Steps to reproduce the problem:
- Connect as admin
- Create a new employee, e.g: “Employee1” for company “My Company (San Francisco)”
- Create a new time off request for this employee, and select a time off type linked to the company "San Francisco"
- create a user and do not give him access to the company “San Francisco”, e.g: “user1”
- Log in as “user1”
- Go to time off > Managers > Allocations > remove default filter

Problem:
user1 is able to see the time off allocation of “Employee1”, even though he does not have access to My Company San Francisco.

Solution:
Add multi-company rules for the “hr.leave.allocation” model so that only the time off allocations the current user has access to are displayed

A rule has already been added for "hr.leave" model:
https://github.com/odoo/odoo/blob/0f3281e3b1dc943b81d79d2a8f82fca7b95b8186/addons/hr_holidays/security/hr_holidays_security.xml#L65-L70

opw-2535709

closes odoo/odoo#74934

Signed-off-by: Nicolas Lempereur (nle) <nle@odoo.com>
---
 addons/hr_holidays/security/hr_holidays_security.xml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/addons/hr_holidays/security/hr_holidays_security.xml b/addons/hr_holidays/security/hr_holidays_security.xml
index 546fe9440fd9..596f41c4a642 100644
--- a/addons/hr_holidays/security/hr_holidays_security.xml
+++ b/addons/hr_holidays/security/hr_holidays_security.xml
@@ -69,6 +69,12 @@
         <field name="domain_force">['|', ('holiday_status_id.company_id', '=', False), ('holiday_status_id.company_id', 'in', [user.company_id.id])]</field>
     </record>
 
+    <record id="hr_leave_allocation_rule_multicompany" model="ir.rule">
+        <field name="name">Leave Allocations: multi company global rule</field>
+        <field name="model_id" ref="model_hr_leave_allocation"/>
+        <field name="domain_force">['|', ('holiday_status_id.company_id', '=', False), ('holiday_status_id.company_id', 'in', [user.company_id.id])]</field>
+    </record>
+
     <record id="hr_leave_allocation_rule_employee" model="ir.rule">
         <field name="name">Allocations: employee: read own</field>
         <field name="model_id" ref="model_hr_leave_allocation"/>
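Review bot: The `domain_force` on `hr_leave_allocation_rule_multicompany` scopes allocations by the leave type's company only, so any allocation whose `holiday_status_id.company_id` is unset passes the first branch for every user, whatever company the employee belongs to. If company-less leave types are meant to be shared this may be intended, but the scenario in the description (an employee of a company the user cannot access) would then still leak for such types. Consider also constraining on the employee's company where one is set, for example adding `('employee_id.company_id', 'in', [False, user.company_id.id])` to the domain, after checking how allocations without an employee should behave. The rule also uses the user's current company (`user.company_id`) rather than the allowed companies, mirroring the `hr.leave` rule in the context line above; a short comment such as `<!-- global rule (no groups): applies to all users, current company only -->` would make both choices explicit. No regression test accompanies the new record rule in this patch.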
-- 
GitLab