odoo record rule AccessError

Question

Initial data:

1. system: odoo v8, ubuntu 14.04
2. module: remake

remake/openerp.py >> successfull

# -*- coding: utf-8 -*-
{
    'name': 'Remake',
    'version': '1.0.1',
    'author': 'BZ Group',
    'category': 'System',
    'sequence': 8,
    'depends': [
        'base',
        'account',
        'project', 
        'account_analytic_analysis'
    ],
    'data': [
        'security/remake_security.xml',
        'security/ir.model.access.csv',
    ],
    'installable': True,
    'application': True,
    'post_init_hook': 'set_account_analytic_account_project_id',
}

remake/init.py >> successfull

# -*- coding: utf-8 -*-
from . import account_analytic_project_id
from .post_install import set_account_analytic_account_project_id

remake/account_analytic_project_id.py >> successfull

# -*- coding: utf-8 -*-

from openerp import fields, models, api

class AccountAnalyticAccount(models.Model):
    _inherit = 'account.analytic.account'

    project_id = fields.Many2one(
        'project.project', 'Project', copy=False,
        index=True)


class ProjectProject(models.Model):
    _name = 'project.project'
    _inherit = 'project.project'

    @api.model
    @api.returns('self', lambda value: value.id)
    def create(self, vals):
        project = super(ProjectProject, self).create(vals)
        project.analytic_account_id.sudo().write({'project_id': project.id})
        return project

remake/post_install.py >> successfull

def set_account_analytic_account_project_id(cr, pool):
    '''
        Initialize the project_id field in case the module is
        installed when projects already exist
    '''
    cr.execute("""
            update account_analytic_account
                set project_id = (select id
                    from project_project where
                    analytic_account_id = account_analytic_account.id)
        """)
    return

remake/security/ir.model.access.csv >> successfull

id,                     name,                   model_id:id,                                                    group_id:id,perm_read,perm_write,perm_create,perm_unlink
remake_g4_pr_pr,        remake_g4_pr.pr,        project.model_project_project,                                  remake.remake_g4,1,0,0,0
remake_g4_ac_an_in_ln,  remake_g4_ac.an.in.ln,  account_analytic_analysis.model_account_analytic_invoice_line,  remake.remake_g4,1,0,0,0
remake_g4_ac_an_ac,     remake_g4_ac.an.ac,     analytic.model_account_analytic_account,                        remake.remake_g4,1,0,0,0
remake_g4_ac_ac,        remake_g4_ac.ac,        account.model_account_account,                                  remake.remake_g4,1,0,0,0
remake_g4_pr_ac_an_ln,  remake_g4_pr.ac.an.ln,  account.model_project_account_analytic_line,                    remake.remake_g4,1,0,0,0
remake_g4_ac_in,        remake_g4_ac.in,        account.model_account_invoice,                                  remake.remake_g4,1,0,0,0
remake_g4_ac_in_ln,     remake_g4_ac.in.ln,     account.model_account_invoice_line,                             remake.remake_g4,1,0,0,0

remake/security/remake_security.xml >> need help: remake_g4_rule_account

<?xml version="1.0" encoding="utf-8" ?> 
- <openerp>
- <data noupdate="0">

- <record id="remake_group_category" model="ir.module.category">
  <field name="name">Remake</field> 
  </record>

- <record id="remake_g4" model="res.groups">
  <field name="name">Security Group IV</field> 
  <field name="implied_ids" eval="[(4, ref('base.group_user'))]" /> 
  <field name="category_id" ref="remake_group_category" /> 
 </record>


  <delete model="ir.rule" id="project.task_visibility_rule" /> 
  <delete model="ir.rule" id="project.project_public_members_rule" /> 

- <record model="ir.rule" id="remake_g4_rule_project">
  <field name="name">Remake group 4 project, member or follower: read</field> 
  <field name="model_id" ref="project.model_project_project" /> 
  <field name="domain_force">[ '|', '&', ('privacy_visibility', '=', 'employees'), ('members','in',[user.id]), '&', ('privacy_visibility', '=', 'followers'), ('message_follower_ids', 'in', [user.partner_id.id])]</field> 
  <field name="groups" eval="[(6,0,[ref('remake_g4')])]" /> 
  <field name="global" eval="False" /> 
  <field name="perm_read" eval="True" /> 
  <field name="perm_write" eval="False" /> 
  <field name="perm_create" eval="False" /> 
  <field name="perm_unlink" eval="False" /> 
  </record>

- <!--  If uncomment this rule >> raise AccessError    
- <record model="ir.rule" id="remake_g4_rule_account">
  <field name="name">Remake group 4 account, member or follower: read</field> 
  <field name="model_id" ref="analytic.model_account_analytic_account" /> 
  <field name="domain_force">[ '|', '&', ('project_id.privacy_visibility', '=', 'employees'), ('project_id.members','in',[user.id]), '&', ('project_id.privacy_visibility', '=', 'followers'), ('project_id.message_follower_ids', 'in', [user.partner_id.id])]</field> 
  <field name="groups" eval="[(6,0,[ref('remake_g4')])]" /> 
  <field name="global" eval="False" /> 
  <field name="perm_read" eval="True" /> 
  <field name="perm_write" eval="False" /> 
  <field name="perm_create" eval="False" /> 
  <field name="perm_unlink" eval="False" /> 
  </record> -->
 </data>
</openerp>

---

When move to Sales > Contracts:

RESULT: AccessError, The requested operation cannot be completed to security restriction. Please contact your system administrator.(Document type: account.analytic.account, Operation: read)

Answer 1

You need to create access rules in ir.model.access.csv and define access rules for that particular model and group and CRUD access. That will do for you.