Incorrect access error on writing products #929

@LauraCForgeFlow

Description

Some users can get an incorrect access error on editing / writing product templates (and maybe with other models too). We have detected it for version 18.0, not sure if it happens for other versions.

Module

product_multi_company (although probably related to base_multi_company too).

To Reproduce

Steps to reproduce the behavior (I reproduced it on runboat):

  • Create an environment with 3 or more companies. The admin user can access all of them (in this case we have 4 companies in total), while another demo user can only access the first 2 companies.
  • With the admin user, select a product template, enter its form view and assign it to the first 3 companies.
  • With the demo user, open that product's form. In the companies field, you'll see only the first 2 companies because this user does not have access to the third one. This is expected.
  • Now try to edit any field in the product. You will get a companies access error, which you should not be getting. The user has access to the product, so they should be able to write it without getting an error.

Expected behavior
The user should be able to write the field in the product template normally, without getting the access error.

Additional context
I believe this is an issue related to cache. The company_ids field gets read first in a sudo environment (therefore returning the 3 companies). Later, when it is read in a non-sudo environment, it uses the cached value (the 3 companies, but our user only has access to 2 of them). And that's why the access error is thrown, because it tries to read information from the 3 companies but one of them is not accessible.

This might also be related to this issue and PR, although the PR does not solve this issue since it's still happening after applying those changes too. But it really seems like a cache issue. When executing locally with breakpoints, reading the company_ids field before the error is thrown returns the 3 companies. Then, if you invalidate the cache for that record and try reading the field again, it only returns 2 companies (the 2 that the user has actual access to). So the cached field is returning more information than necessary and therefore causing access errors.

Any help on how to fix this is welcome. Thanks!
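A simplified model of the behaviour described in this issue, added here as an illustration: it is not Odoo's ORM code or the module's code, and the `Env` class, its methods and the sample data are all hypothetical. It assumes a field cache shared between sudo and non-sudo reads, and shows the write failing on the stale value and passing once the cache entry is invalidated.

```python
class AccessError(Exception):
    pass

# Constructed sample data: product 1 is assigned to companies 1, 2 and 3.
PRODUCT_COMPANIES = {1: [1, 2, 3]}

class Env:
    """Toy environment (hypothetical); `cache` is shared by sudo and non-sudo views."""
    def __init__(self, allowed, cache=None, su=False):
        self.allowed = set(allowed)
        self.cache = {} if cache is None else cache
        self.su = su

    def sudo(self):
        # Same cache object, access checks bypassed.
        return Env(self.allowed, self.cache, su=True)

    def company_ids(self, product_id):
        key = (product_id, "company_ids")  # note: key ignores the sudo flag
        if key not in self.cache:
            ids = PRODUCT_COMPANIES[product_id]
            if not self.su:
                # Record-rule style filter, applied only when fetching.
                ids = [c for c in ids if c in self.allowed]
            self.cache[key] = ids
        return self.cache[key]

    def invalidate(self, product_id):
        self.cache.pop((product_id, "company_ids"), None)

    def write(self, product_id):
        # The write reads the linked companies and checks access to each one.
        blocked = [c for c in self.company_ids(product_id) if c not in self.allowed]
        if blocked and not self.su:
            raise AccessError(f"no access to companies {blocked}")
        return True

def demo_write(invalidate_first):
    """Demo user (companies 1 and 2) writes after a sudo read filled the cache."""
    env = Env(allowed=[1, 2])
    env.sudo().company_ids(1)      # caches [1, 2, 3]
    if invalidate_first:
        env.invalidate(1)          # next non-sudo read refetches [1, 2]
    try:
        return env.write(1)
    except AccessError:
        return False
```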
