Reputation: 10189
I made a module in Odoo v8. One of the things my module does is add a boolean field named is_important to the model res.partner.
As you probably know, the user groups in sales are, fewest privileges first, most privileges last: group_sale_salesman, group_sale_salesman_all_leads, group_sale_manager. Then, I had to add some rules to my module:
So I implemented the following XML code:
<record model="ir.rule" id="res_partner_same_state_no_important_rule">
    <field name="name">res_partner: read only no important partners from your state</field>
    <field name="model_id" ref="base.model_res_partner"/>
    <field name="domain_force">[('state_id.id', '=', user.state_id.id), ('is_important', '=', False)]</field>
    <field name="groups" eval="[(4, ref('base.group_sale_salesman'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="False"/>
</record>
<record model="ir.rule" id="res_partner_no_important_rule">
    <field name="name">res_partner: read only no important partners</field>
    <field name="model_id" ref="base.model_res_partner"/>
    <field name="domain_force">[('is_important', '=', False)]</field>
    <field name="groups" eval="[(4, ref('base.group_sale_salesman_all_leads'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="False"/>
</record>
It seemed to work great, but then I logged in with a user who belonged to the group group_sale_manager, and the rule named res_partner_no_important_rule was affecting it (despite not declaring a rule for that group).
It's like the group was inheriting the least restrictive rules of the groups with fewer privileges. Is this true? Am I right?
Finally, I had to add a nonsense rule to fix this and allow users who belong to group_sale_manager to keep the privileges they had before I implemented my other rules (read, write, create and unlink to True):
<record model="ir.rule" id="res_partner_see_all">
    <field name="name">res_partner: read all</field>
    <field name="model_id" ref="base.model_res_partner"/>
    <field name="domain_force">['|', ('is_important', '=', True), ('is_important', '=', False)]</field>
    <field name="groups" eval="[(4, ref('base.group_sale_manager'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="True"/>
</record>
After implementing this last rule, it started to work. But, is there any better way to achieve what I wanted?
Thank you!
Upvotes: 2
Views: 3527
Reputation: 1
group_sale_manager has group_sale_salesman_all_leads in its implied groups, so a member of group_sale_manager is automatically added to group_sale_salesman_all_leads and thus the rule applies to him. If no other rule gives him access to those partners, he won't have access to them.
You can replace the domain_force of the last rule by [(1, '=', 1)]. I think there is no better way.
Upvotes: 0
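The rule combination discussed in this thread, as an added example that is not part of the original posts and is not Odoo's own code: a small Python model in which a user's group-specific rules are OR-ed together across all of their groups, implied groups included. The partner records, the predicate form of the domains, the function names, and the all_leads to salesman implication are assumptions made for the illustration.

```python
# Simplified model of how group-specific ir.rule domains combine (not Odoo's code).
# Assumptions: no global rules, read access only, domains written as predicates.

# Implied groups: the manager link is from the answer; the second link is assumed.
IMPLIED = {
    "group_sale_manager": {"group_sale_salesman_all_leads"},
    "group_sale_salesman_all_leads": {"group_sale_salesman"},
}

def effective_groups(groups):
    """Return the user's groups plus every group they imply, transitively."""
    seen, todo = set(), list(groups)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(IMPLIED.get(group, ()))
    return seen

def visible(user, partners, rules):
    """Names of partners the user can read: OR of all applicable rule domains."""
    groups = effective_groups(user["groups"])
    applicable = [pred for group, pred in rules if group in groups]
    if not applicable:
        # No group rule targets this user, so the rules add no restriction.
        return [p["name"] for p in partners]
    return [p["name"] for p in partners
            if any(pred(user, p) for pred in applicable)]

# The two rules from the question, then the catch-all from the answer.
RULES = [
    ("group_sale_salesman",
     lambda u, p: p["state"] == u["state"] and not p["is_important"]),
    ("group_sale_salesman_all_leads", lambda u, p: not p["is_important"]),
]
MANAGER_RULE = ("group_sale_manager", lambda u, p: True)  # [(1, '=', 1)]

# Constructed sample data.
PARTNERS = [
    {"name": "A", "state": "S1", "is_important": False},
    {"name": "B", "state": "S2", "is_important": False},
    {"name": "C", "state": "S1", "is_important": True},
]
SALESMAN = {"groups": {"group_sale_salesman"}, "state": "S1"}
MANAGER = {"groups": {"group_sale_manager"}, "state": "S1"}

if __name__ == "__main__":
    print(visible(SALESMAN, PARTNERS, RULES))                 # restricted
    print(visible(MANAGER, PARTNERS, RULES))                  # still restricted
    print(visible(MANAGER, PARTNERS, RULES + [MANAGER_RULE])) # unrestricted
```

Because the domains are OR-ed, adding a rule can only widen what a user sees, which is why the manager needs a rule of their own rather than the removal of an inherited one.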