@monen17 monen17 commented Sep 22, 2025

I have found the following unexpected behavior while writing the tests of OCA/l10n-italy#4920:

  1. Write a test class inheriting from AccountTestInvoicingCommon, note that the self.env.user is an account manager.
  2. In a test, create a res.partner.bank record

Expected:
The record is created

Actual:

odoo.exceptions.AccessError: You are not allowed to create 'Bank Accounts' (res.partner.bank) records.

This operation is allowed for the following groups:
	- Extra Rights/Accounting / Payments

Contact your administrator to request access if necessary.

Additional context
The root cause is that in

base.access_res_partner_bank_group_partner_manager,Full access on res.partner.bank to Account Payment group,base.model_res_partner_bank,group_account_payment,1,1,1,1
an access right in the core is edited so that only users of the group Extra Rights/Accounting / Payments can create partner bank accounts.

In the tests of 16.0 this was not a problem because the account manager created by AccountTestInvoicingCommon was inheriting the groups of OdooBot in https://github.com/odoo/odoo/blob/5de47fb3bd4619dab2c84fff8f08d69dfee7b308/addons/account/tests/common.py#L49.
This is no longer the case in 18.0, where the account manager only has the account manager groups (see https://github.com/odoo/odoo/blob/0745730d44ad2a0e198a6f37b4ee7cb8e88f30ea/addons/account/tests/common.py#L248).

I understand there are security implications for this change, but I think it makes sense that an account manager can create bank accounts of the partners.

Please let me know if I'm wrong or if there are better solutions! Thanks

@monen17

This comment was marked as outdated.

@pedrobaeza
Member

This was done on purpose for security, removing the permissions and putting them in a special group called "Accounting / Payments".

@monen17 monen17 force-pushed the 18.0-fix-account_payment_order-accountman_partner_bank branch from fccaf24 to a267d1c September 24, 2025 20:15
@monen17
Author

monen17 commented Sep 24, 2025

> This was done on purpose for security, removing the permissions and putting them in a special group called "Accounting / Payments".

Thanks for having a look!
The special group is still there, do you think there is a problem with the proposed solution?
Do you have an alternative solution for the described issue?
I might move this edit to a noupdate="1" data node so that the user can remove the implied link, would that be better?

This issue affects any test class inheriting from AccountTestInvoicingCommon, and that's a common base class for tests using invoices; it also affects modules that do not depend on account_payment_order, as long as it has been installed in the DB before test execution.
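
A stand-alone model of the access check discussed in this thread, added here as an example and not code from Odoo or from this PR: it parses the access row quoted above and shows how an implied-group link changes who can create res.partner.bank records. The group graph, the direction of the implied link (account manager implies the payment group) and OdooBot's membership of the payment group are assumptions.

```python
import csv
import io

# Standard ir.model.access.csv header, then the row quoted in the thread.
ACCESS_CSV = (
    "id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink\n"
    "base.access_res_partner_bank_group_partner_manager,"
    "Full access on res.partner.bank to Account Payment group,"
    "base.model_res_partner_bank,group_account_payment,1,1,1,1\n"
)
MODEL = "base.model_res_partner_bank"
MANAGER = "account.group_account_manager"
PAYMENT = "group_account_payment"  # written as it appears in the quoted row

def load_acl(text):
    """Map (model, group) to the set of operations that row grants."""
    acl = {}
    for row in csv.DictReader(io.StringIO(text)):
        ops = {op for op in ("read", "write", "create", "unlink") if row["perm_" + op] == "1"}
        acl.setdefault((row["model_id:id"], row["group_id:id"]), set()).update(ops)
    return acl

def effective_groups(direct, implied):
    """Expand direct memberships through implied-group links, transitively."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(implied.get(group, ()))
    return seen

def can(op, model, direct, implied, acl):
    """ACLs are additive: one granting group among the effective ones is enough."""
    return any(op in acl.get((model, g), ()) for g in effective_groups(direct, implied))

def scenarios():
    acl = load_acl(ACCESS_CSV)
    link = {MANAGER: [PAYMENT]}  # assumed direction of the implied link
    return {
        # 18.0 test user: only the account manager group
        "manager_only": can("create", MODEL, {MANAGER}, {}, acl),
        # 16.0 test user: also had OdooBot's groups (assumed to include PAYMENT)
        "manager_plus_odoobot_groups": can("create", MODEL, {MANAGER, PAYMENT}, {}, acl),
        # with the implied link, every account manager gains the payment group's rights
        "manager_with_implied_link": can("create", MODEL, {MANAGER}, link, acl),
        "manager_with_link_can_unlink": can("unlink", MODEL, {MANAGER}, link, acl),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {allowed}")
```

The last entry shows the least-privilege cost of the implied link: it hands account managers every permission in the row, not only create.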
