Chapter 5: Security - A Brief Introduction
In the previous chapter, we created our first table intended to store business data. In a business application such as Odoo, one of the first questions to consider is who [1] can access the data. Odoo provides a security mechanism to allow access to the data for specific groups of users.
The topic of security is covered in more detail in Advanced B: ACL and Record Rules. This chapter aims to cover the minimum required for our new module.
Data Files (CSV)
Odoo is a highly data-driven system. Although behavior is customized using Python code, part of a module’s value is in the data it sets up when loaded. One way to load data is through a CSV file. One example is the list of country states which is loaded at installation of the
id is an external identifier. It can be used to refer to the record (without knowing its in-database identifier).
country_id:id refers to the country by using its external identifier.
name is the name of the state.
code is the code of the state.
These three fields are defined in the
By convention, a file importing data is located in the data folder of a module. When the data is related to security, it is located in the security folder. When the data is related to views and actions (we will cover this later), it is located in the views folder. Additionally, all of these files must be declared in the data list within the __manifest__.py file. Our example file is defined in the manifest of the base module.
Also note that the content of the data files is only loaded when a module is installed or updated.
Why is all this important for security? Because all the security configuration of a model is loaded through data files, as we’ll see in the next section.
Reference: the documentation related to this topic can be found in Access Rights.
When no access rights are defined on a model, Odoo determines that no users can access the data. It is even notified in the log:
Access rights are defined as records of the model ir.model.access. Each access right is associated with a model, a group (or no group for global access) and a set of permissions: create, read, write and unlink [2]. Such access rights are usually defined in a CSV file named
Here is an example for our previous
id is an external identifier.
name is the name of the
model_id/id refers to the model which the access right applies to. The standard way to refer to the model is
_name of the model with the
_. Seems cumbersome? Indeed it is…
group_id/id refers to the group which the access right applies to. We will cover the concept of groups in the advanced topic dedicated to security.
perm_read, perm_write, perm_create, perm_unlink: read, write, create and unlink permissions.
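As an added example (not part of the original tutorial or of Odoo's code), the following Python lint checks an access-rights CSV that uses the columns described above: whether model_id/id looks like a model external id, whether permissions are 0 or 1, and whether a rule with no group grants write, create or unlink. The model estate.property, the access_* ids and the sample rows are constructed for illustration; base.group_user is Odoo's internal-user group.

```python
import csv
import io

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")
COLUMNS = ("id", "name", "model_id/id", "group_id/id") + PERMS

# Constructed sample: estate.property and the access_* ids are hypothetical.
SAMPLE = """\
id,name,model_id/id,group_id/id,perm_read,perm_write,perm_create,perm_unlink
access_estate_property,access_estate_property,model_estate_property,base.group_user,1,1,1,1
access_estate_property_all,access_estate_property_all,model_estate_property,,1,1,0,0
access_estate_tag,access_estate_tag,estate.property.tag,base.group_user,1,0,0,2
"""


def model_xmlid(model_name):
    """External id of a model record: 'model_' + _name with '.' replaced by '_'."""
    return "model_" + model_name.replace(".", "_")


def lint_access_csv(text):
    """Return a list of (line_number, message) findings for an access-rights CSV."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing columns: " + ", ".join(missing))]
    findings, seen = [], set()
    for row in reader:
        line = reader.line_num
        if row["id"] in seen:
            findings.append((line, "duplicate external id: " + row["id"]))
        seen.add(row["id"])
        # Accept 'model_x' or 'module.model_x'; a raw _name such as 'a.b' fails.
        model_ref = row["model_id/id"] or ""
        if not model_ref.rpartition(".")[2].startswith("model_"):
            findings.append((line, "model_id/id is not a model external id"))
        bad = [p for p in PERMS if row[p] not in ("0", "1")]
        if bad:
            findings.append((line, "expected 0 or 1 in: " + ", ".join(bad)))
        # No group means the rule is global and applies to every user.
        granted = [p for p in PERMS[1:] if row[p] == "1"]
        if not row["group_id/id"] and granted:
            findings.append((line, "global rule grants: " + ", ".join(granted)))
    return findings


if __name__ == "__main__":
    for line, message in lint_access_csv(SAMPLE):
        print(f"line {line}: {message}")
```

Run against a module's security CSV in review or CI, the global-rule finding is the one to look at first, since a row with an empty group applies to all users rather than a chosen group.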
Restart the server and the warning message should have disappeared!
It’s now time to finally interact with the UI!
[1] meaning which Odoo user (or group of users)
[2] ‘unlink’ is the equivalent of ‘delete’