[MIG][19.0] crm_project_task: Migration to 19.0#741
Conversation
ljmnoonan
changed the title
|
@EmilioPascual and @rafaelbn it looks like the bot forgot to notify you. I would love your input when you get some time. Thanks! |
There was a problem hiding this comment.
@ljmnoonan thank you for the migration but I’m afraid you haven't done a migration; this is a new module that works differently from version 18.0.
This module was designed specifically so that a salesman who doesn’t have access to tasks can still create a task linked to a sales project.
Over time, we’ve found that giving salesman more access isn’t the best option.
Only users with the appropriate permissions will be able to view, edit, delete or create tasks.
@moduon MT-14675
There was a problem hiding this comment.
Hello @ljmnoonan thank you for the migration work!
I’m afraid this PR changes the intended security behavior of the module, so I don’t think we should include that change as part of the migration from 18.0.
The module was intentionally designed to allow a sales user without Project permissions to create a task from a lead/opportunity, but not to view, edit, or delete the task afterwards. Those tasks may contain internal information intended only for project users.
If a salesperson needs access to those tasks, the correct approach is to grant that user the appropriate Project permissions, not to extend project.task access to all sales users through this module.
Could you please adjust the PR to preserve the 18.0 behavior?
Thanks again for your work on this. 😄 🙏🏼
|
/ocabot migration crm_project_task |
@moduon MT-3175 Co-authored-by: Rafael Blasco <8736623+rafaelbn@users.noreply.github.com> Co-authored-by: Jairo Llopis <973709+yajo@users.noreply.github.com>
- Added field lead_id in task. - Added field task_ids in lead. - Added smart button in lead to show related tasks.
ljmnoonan
force-pushed
the
19.0-mig-crm_project_task
branch
2 times, most recently
from
3640e4d to
c6e2865
Compare
|
@rafaelbn @EmilioPascual Thank you for the feedback! I understand what you are saying about separation of roles, so I brought back the previous behavior specifically for the case of the salesman who should not be able to mess with tasks. However, I did change what happens when he hits "Create Task" in the wizard view: instead of being redirected to the task form view, where he can edit nothing and will get an annoying access error if he even clicks in the HTML editor, he now stays on the lead page; the wizard closes and the task is created in the background. He can click the On the subject of Also, for users looking at the task, there is now an Finally, users with Please let me know what you think! |
EmilioPascual
left a comment
EmilioPascual
left a comment
There was a problem hiding this comment.
@ljmnoonan thank you for the changes.
A minor change in readme.
ljmnoonan
force-pushed
the
19.0-mig-crm_project_task
branch
from
c6e2865 to
0226cd4
Compare
|
Fixed the docs and added some edge case type stuff. Now the decision to use the wizard or not is determined not only by the permissions group, but also by whether the user has read access to the default project the new task is being created in. This allows certain cases like:
Finally, when a user created a task via the wizard, even if he had no permissions in the default project, he would still be able to come back and view/edit the task he created. This was because he was automatically added as a follower by the |
Adapt behavior to user permissions: A user with no permissions in the configured default project will only be able to add a single task via the “Create Task” button, and that only if a different task does not already exist. He is not added as a follower on tasks he creates either. Basically, he is limited to initiating a task. He can use the oe_stat_button to see linked tasks that he has been given permission to view/edit, otherwise, the views this button directs him to will be empty. A user with permissions in the configured default project will be able to add tasks not only with the “Create Task” button (which will bring him to a full form view instead of a popup), but also with the “New” buttons in the views arrived at by clicking the “Task(s)” oe_stat_button. Contextual default values stay the same regardless of the meton used to create the task. All of this produces a more consistent and logical ux with less annoying access errors. Users are never given the opportunity to commit an action that would result in an access error
Bringing the translations in line with new structure. This task was done with AI. It also added some new translations, but I do not speak any of these languages, so cannot verify accuracy.
ljmnoonan
force-pushed
the
19.0-mig-crm_project_task
branch
from
0226cd4 to
278be58
Compare
fcvalgar
left a comment
fcvalgar
left a comment
There was a problem hiding this comment.
Thanks for the contribution @ljmnoonan and the migration work done on this module.
The following tests have been performed in Odoo 19:
Test 1: OK - Created a project task from a CRM opportunity using Mitchel Admin. The task was correctly linked to the opportunity and accessible through the smart button.
Test 2: OK - Verified that the “Create Task” button is only available when no linked tasks exist on the lead/opportunity.
Test 3: OK - Checked the smart button behavior and confirmed that only related tasks are displayed from the CRM record.
Test 4: OK - Verified that created tasks inherit default values from the CRM opportunity, including customer, assigned user and configured default project.
Test 5: OK - Tested task creation flow with a user without full project permissions. The wizard flow correctly created the task in the configured CRM project.
Test 6: OK - Confirmed that an appropriate validation error is displayed when no default CRM project is configured.
Test 7: OK - Verified navigation from the created project task back to the originating CRM lead/opportunity.
Test 8: OK - Confirmed that linked tasks remain properly assigned after merging CRM opportunities.
Test 9: OK - Verified the new permission selection behavior in Sales and Project access rights views. The “no permission assigned” state is now explicitly displayed as “No” instead of an empty value.
Additionally, there has been a UI modification in the Project access rights view under Sales/Project permissions where the empty permission state is now shown as “No”. While technically correct, this behavior is not common in standard Odoo, where unassigned permission levels are usually displayed as empty values rather than explicit “No” labels.
|
This PR has the |
Thanks for the clarification! I honestly didn’t know this behavior was already standard in Odoo 19. Thanks again for the migration work! |
6 participants
This is a migration + a pretty heavy handed rewrite of the of the security behavior. Previously, a user with no access to the
project.taskmodel could still create a task via a transient model, but it was a bit of a shot in the dark, because if he wanted to correct something, he would immediately get an access error. To fix this, I gavesales_team.group_sale_salesmanaccess toproject.task, but restricted them to tasks with alead_idpointing to a lead accessible by the user.Notes:
default_getmethod inproject.taskwe need to use sudo, as our user may not have access to such models asproject.project. However, sudo strips alldefault_context here, which appears to be a decision related to mail (odoo/odoo@7700bd1). In order to solve this, I use_get_sudo_env_with_contextwhich reinjects thedefault_values. The other approach would be to simply givesales_team.group_sale_salesmanread access toproject.projectand restrict to thecrm_default_project_idproject, but this seems brittle. What if another model adds fields with defaults that we don't have access to? It's a little far-fetched, but better be prepared.res.company.crm_default_project_idfor Company1 to a project in Company2. This will cause users from Company1 without access to Comany2 to get access errors when attempting to create a related task from a lead.While I can Imagine a situation in which this kind of cross company compatibility might be useful, I also think it violates the design intent of odoo in general.