[FIX] hr_attendance: user can see other users attendances
Steps:
- As admin, go to Settings > Users & Companies > Users
- Edit Mark Demo (demo)
- In Human Resources > Attendances, select Manual Attendance or blank
- As demo, go to My Profile
- Click the smart button showing the hours worked for the last month
- Remove all filters
Bug:
The demo user, who hasn't the rights to see the other employees'
attendances, can see them.
Explanation:
Every user must have the right to read attendances in order to see their
own attendances. Not giving the users the read rights in the security
record rule prevents the record rule from being applied when reading
attendances. This makes the read access rights the only rule and allows
everyone to see the attendances of the others.
This commit also fixes the default selected employee when going to the
attendances tree view on these paths:
- User
- Employee
- User > Employee
In fact, sometimes, `active_id` is the ID of the user and not of the
employee. This leads to incorrect results since another employee's
attendances are shown.
Finally, this commit prevents users from creating attendances from other
apps since only attendance officers and above can have access to the
creation form within the Attendances app.
opw:2440117
closes odoo/odoo#64866
Signed-off-by: backspac <backspac@users.noreply.github.com>
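
The record-rule behaviour described in the commit message's Explanation, as an added example that is not part of the commit or of Odoo's code: a simplified Python model of how rules are selected per operation. The `Rule` class, the `own_only` domain and the attendance rows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

MODES = ("read", "write", "create", "unlink")

@dataclass
class Rule:
    """Simplified stand-in for a group record rule (not Odoo's ir.rule class)."""
    name: str
    domain: Callable[[dict, int], bool]  # (record, uid) -> does the rule allow it?
    perm_read: bool = True
    perm_write: bool = True
    perm_create: bool = True
    perm_unlink: bool = True

def visible(records, rules, uid, mode="read"):
    """Return the records `uid` may touch for `mode`.

    Only rules flagged for that operation are evaluated; matches are OR-ed.
    With no applicable rule, the model-level access right alone decides,
    which this model treats as already granted.
    """
    active = [r for r in rules if getattr(r, f"perm_{mode}")]
    if not active:
        return list(records)
    return [rec for rec in records if any(r.domain(rec, uid) for r in active)]

def unrestricted_modes(rules):
    """Audit helper: operations that no rule in the set restricts."""
    return [m for m in MODES if not any(getattr(r, f"perm_{m}") for r in rules)]

def own_only(rec, uid):
    # Constructed domain: a user sees only attendances of their own employee.
    return rec["user_id"] == uid

# Constructed attendance rows; user 2 plays the role of the demo user.
ATTENDANCES = [
    {"id": 1, "user_id": 2, "hours": 8.0},
    {"id": 2, "user_id": 5, "hours": 7.5},
    {"id": 3, "user_id": 6, "hours": 6.0},
]
BEFORE = [Rule("own attendances", own_only, perm_read=False)]
AFTER = [Rule("own attendances", own_only, perm_read=True)]

if __name__ == "__main__":
    print("before:", [r["id"] for r in visible(ATTENDANCES, BEFORE, uid=2)])
    print("after: ", [r["id"] for r in visible(ATTENDANCES, AFTER, uid=2)])
    print("unrestricted before:", unrestricted_modes(BEFORE))
```

Running `unrestricted_modes` over the rules a group has on a model shows which operations are left to the access right alone.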
Showing
- addons/hr_attendance/security/hr_attendance_security.xml: 2 additions, 2 deletions
- addons/hr_attendance/views/hr_attendance_view.xml: 1 addition, 1 deletion
- addons/hr_attendance/views/hr_employee_view.xml: 4 additions, 3 deletions