I am sorry, I know this discussion is old, but I think it’s still persisting. What I am trying to do is this: I have a sales team that is within a specific sales group, as I have different sales groups, and within this sales group each salesperson can only see their own documents, but the sales manager can see all sales orders, projects, etc. within one sales group.
One solution, similar to the structure of SuiteCRM:
- I built a new doctype called Access Group, which holds my different groups as names only, e.g. Sales Team 1, Sales Team 2, and I link this doctype to the docs required, e.g. project, sales order, opportunities, etc., via a custom variable connected to this Access Group doctype.
- Then I allow each user using the user permission based on the access group.
- Then I check the apply user permission and set “Select Document Types” to access group for the group access controller document required, e.g. Sales Order.
What works:
- If I check only the if owner, the user can only see their documents.
- If I check only the apply user permission, the user can see the documents that are in their access group.
What is not working:
- If I check both, the user can see what is in their access group, but can also see what they do not own.
Conclusion:
This makes me think that there is an “OR” between if owner and apply user permission rather than an “AND” relationship.
I am trying to alter this in frappe/frappe/permission.py, to “AND” between if owner and apply user permission.
- Is this the right approach?
- Is my guess correct that if owner and apply user permission will be true if one of these two rules is true, instead of returning false if any of them is false?
Sorry for the repeated title, but I scanned a lot of forums and this is still not answered.
Also, I think the idea of the access group over the documents is a nice solution for grouping. I am also intending to automatically populate this custom variable when checking the user access group.
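The two combination rules the post contrasts, modelled in plain Python as an added example (not part of the original post and not Frappe's permission code). The `Doc` and `User` classes, the `is_manager` flag and all sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    name: str
    owner: str
    access_group: str          # the custom link field to "Access Group"

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # Access Groups granted through user permissions
    is_manager: bool = False   # assumption: the manager role has no "if owner" rule

def owner_rule(user, doc):
    return doc.owner == user.name

def group_rule(user, doc):
    return doc.access_group in user.groups

def visible(user, docs, combine):
    """Return the names of docs readable when the two rules are joined by 'or' or 'and'."""
    if combine not in ("or", "and"):
        raise ValueError("combine must be 'or' or 'and'")
    names = []
    for doc in docs:
        in_group = group_rule(user, doc)
        if user.is_manager:
            allowed = in_group                       # group check only
        elif combine == "or":
            allowed = owner_rule(user, doc) or in_group
        else:
            allowed = owner_rule(user, doc) and in_group
        if allowed:
            names.append(doc.name)
    return names

# Constructed sample data
DOCS = [
    Doc("SO-1", "alice", "Sales Team 1"),
    Doc("SO-2", "bob",   "Sales Team 1"),
    Doc("SO-3", "carol", "Sales Team 2"),
    Doc("SO-4", "alice", "Sales Team 2"),   # owned by alice, filed under another group
]
ALICE = User("alice", frozenset({"Sales Team 1"}))
MONA = User("mona", frozenset({"Sales Team 1"}), is_manager=True)
```

With "or", alice reads bob's SO-2 through the group rule and SO-4 through the owner rule; with "and" she is left with SO-1 only, while the manager's view stays limited to Sales Team 1.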