Security record rules
When given access to a Model, users can by default access all of its records. But in some cases, we need to restrict the particular records each user can access. This is possible using record rules, which define domain filters that are automatically enforced when performing read or write operations.
For example, in our to-do app, the To-do Items are expected to be private, so we want users to only be able to see their own items. We need a record rule to filter only the records created by the current user:
- The create_uid field is automatically added by the framework and stores the user that created the record, so we can use it to see who owns each record
- The current user is available in the user variable, a browse object available in the context where the domain filter is evaluated
We can use this in a domain expression to achieve our goal: [('create_uid', '=', user.id)].
Record rules are available in the Settings | Technical | Security | Record Rules menu. Navigate there and create a new Record Rule, with the following values:
- Name: A descriptive title, such as To-do Own Items
- Object: Select the Model from the list, To-do Item in our case
- Access Rights: The actions where the rule will be applied; leave all checked
- Rule Definition: The Domain Filter, [('create_uid', '=', user.id)]
- Groups: The security groups it applies to; select and add the To-do User group
This is what the Record Rule definition will look like:
And we're done. You can now try this new rule by creating a couple of to-do items with both the Admin and Demo users. Each should be able to see only their own items. The Record Rule can be switched off through the box button in the upper-right corner of the form. If you try that and check the to-do item list, you should see all the items from all users.
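A simplified model of how the domain filter above is enforced per user, as an added example that is not from the original text or from the framework's code. The user ids, item names and helper functions are assumptions, and plain Python evaluation stands in for the framework's own.

```python
from collections import namedtuple

User = namedtuple("User", "id name groups")
Rule = namedtuple("Rule", "name domain groups active")

# Comparison operators for domain leaves (only the ones this sketch needs).
OPERATORS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}

def eval_domain(rule, user):
    """Turn the rule's domain text into (field, operator, value) leaves."""
    # Stand-in for the framework's evaluation: only `user` is in scope.
    return eval(rule.domain, {"__builtins__": {}}, {"user": user})

def matches(record, domain):
    """A record passes when every leaf of the domain holds for it."""
    return all(OPERATORS[op](record[field], value) for field, op, value in domain)

def visible(records, rule, user):
    """Records left for `user` once the rule is enforced."""
    applies = rule.active and bool(set(rule.groups) & set(user.groups))
    if not applies:
        return list(records)  # rule switched off, or user outside its groups
    domain = eval_domain(rule, user)
    return [rec for rec in records if matches(rec, domain)]

def names(records):
    """Item names only, for compact comparison and printing."""
    return [rec["name"] for rec in records]

# Constructed sample data: ids and item names are made up for illustration.
ADMIN = User(1, "Admin", ("To-do User",))
DEMO = User(2, "Demo", ("To-do User",))
ITEMS = [
    {"name": "Admin item A", "create_uid": 1},
    {"name": "Demo item A", "create_uid": 2},
    {"name": "Admin item B", "create_uid": 1},
    {"name": "Demo item B", "create_uid": 2},
]
# The rule as entered in the form: name, domain filter text, groups, active flag.
OWN_ITEMS = Rule("To-do Own Items", "[('create_uid', '=', user.id)]",
                 ("To-do User",), True)

if __name__ == "__main__":
    for user in (ADMIN, DEMO):
        print(user.name, "with rule:", names(visible(ITEMS, OWN_ITEMS, user)))
    switched_off = OWN_ITEMS._replace(active=False)
    print("Demo, rule off:", names(visible(ITEMS, switched_off, DEMO)))
```
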