Skip to content

[18.0][FIX] hr_timesheet_sheet_attendance: prevent AccessError for non-admin users #858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
OCA-git-bot merged 1 commit into from
Jan 26, 2026
Merged

[18.0][FIX] hr_timesheet_sheet_attendance: prevent AccessError for non-admin users #858

OCA-git-bot merged 1 commit into from
Jan 26, 2026

Conversation

@kanda999
Copy link
Contributor

@kanda999 kanda999 commented Jan 7, 2026

Non-admin users could get an AccessError when creating a timesheet sheet because it triggers a write on hr.attendance.

@qrtl QT6155

@kanda999
[18.0][FIX] hr_timesheet_sheet_attendance: prevent AccessError for no…
32b09d1 
…n-admin users

Non-admin users could get an AccessError when creating a timesheet sheet because it triggers a write on hr.attendance.
yostashiro
yostashiro reviewed Jan 7, 2026
View reviewed changes
hr_timesheet_sheet_attendance/models/hr_timesheet_sheet.py
]
)
attendances._compute_sheet_id()
attendances.sudo()._compute_sheet_id()
Copy link
Member

@yostashiro yostashiro Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add compute_sudo=True to the field instead?

Copy link
Contributor Author

@kanda999 kanda999 Jan 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried adding compute_sudo=True to sheet_id = fields.Many2one(...), but it didn’t work.
Since _compute_sheet_id is called from create, it seems that create needs to be executed with sudo().

hr_timesheet_sheet_attendance/models/hr_timesheet_sheet.py
Returns last attendance record"""

return self.employee_id._attendance_action_change()
return self.employee_id.sudo()._attendance_action_change()
Copy link
Member

@yostashiro yostashiro Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you double-check if this is a valid fix. Wouldn't this allow updating attendance records of other employees?

Copy link
Contributor Author

@kanda999 kanda999 Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This part seems to require sudo() to write to hr.attendance.
The write access to hr.attendance is handled the same way in Odoo’s standard code as well.
https://github.com/odoo/odoo/blob/ad1c367d9d3e14cb7196416e117a13b8a11e9d12/addons/hr_attendance/controllers/main.py#L135-L139

yostashiro
yostashiro approved these changes Jan 8, 2026
View reviewed changes
Copy link
Member

@yostashiro yostashiro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code review. LGTM.

AungKoKoLin1997
AungKoKoLin1997 approved these changes Jan 19, 2026
View reviewed changes
Copy link

@AungKoKoLin1997 AungKoKoLin1997 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@OCA-git-bot
Copy link
Contributor

OCA-git-bot commented Jan 19, 2026

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

@ivs-cetmix
Copy link
Member

ivs-cetmix commented Jan 26, 2026

Hey @kanda999 thank you for your contribution!
/ocabot merge patch

@OCA-git-bot
Copy link
Contributor

OCA-git-bot commented Jan 26, 2026

What a great day to merge this nice PR. Let's do it!
Prepared branch 18.0-ocabot-merge-pr-858-by-ivs-cetmix-bump-patch, awaiting test results.

OCA-git-bot added a commit that referenced this pull request Jan 26, 2026
@OCA-git-bot
Merge PR #858 into 18.0
8404b07 
Signed-off-by ivs-cetmix
@OCA-git-bot
Copy link
Contributor

OCA-git-bot commented Jan 26, 2026

It looks like something changed on 18.0 in the meantime.
Let me try again (no action is required from you).
Prepared branch 18.0-ocabot-merge-pr-858-by-ivs-cetmix-bump-patch, awaiting test results.

@OCA-git-bot OCA-git-bot merged commit f30c907 into OCA:18.0 Jan 26, 2026
7 checks passed
@OCA-git-bot
Copy link
Contributor

OCA-git-bot commented Jan 26, 2026

Congratulations, your PR was merged at a3618e9. Thanks a lot for contributing to OCA. ❤️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@yostashiro yostashiro yostashiro approved these changes

@AungKoKoLin1997 AungKoKoLin1997 AungKoKoLin1997 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approved merged 🎉 ready to merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kanda999 @OCA-git-bot @ivs-cetmix @yostashiro @AungKoKoLin1997