Chapter 7 - Odoo 15 Development Book

Superuser Access to Recordsets

Unauthorized access to records in odoo is managed using some techniques like security groups, access rules and record rules. But when applying complex business logic, there may be some conditions where you have to break all access rules. An example is the case of lead creation from a public user. We know that public users have no access to leads by a lead created when they enquire about anything using the website.

sudo() is a method where you can access a record set as a superuser. That is sudo() makes it possible to break all access rules or record rules.

Let's discuss this with the help of an example. Consider a model which stores all students' records of an educational organization.

class Student(models.Model):
   _name = "student.student"
   _description = "Student"
   name = fields.Char(string="Name", required=True)
   phone = fields.Char(string="Phone Number")
   email = fields.Char(string="Email", required=True)
   status = fields.Char(string="Status", groups="edu_organisation.group_organisation_admins")

There is a field named status which updates the Student Status, and it is only accessible for the admins of the education organization. That is, there is a user group created for the module edu_organisation named group_organisation_admins. Since this group is specified in the field definition, this field will be only accessible to those users who fall in this category.

Then create a button that will update the student status. For that, add the button in the student form view inside the header tag.

<button name="update_status" string="Update Status" class="oe_highlight"

Now write the method for button click inside the student model. Since the status field is only accessible for the Admins of Edu Organization, it is necessary to use the superuser access in the button click method. For that, use sudo() in the method. Before using the write method, we used sudo() for accessing the current record set as with superuser access. This will return the same record set with a different environment, that is the environment from the super user, and it will bypass all access rules and security rights. This way, a user who does not include in the Edu Organization Admin category can update the status field value.

def update_status(self):
       'status': "Status Updated"


Cybrosys Technologies Pvt. Ltd.
Neospace, Kinfra Techno Park
Kakkancherry, Calicut
Kerala, India - 673635



Cybrosys Limited
Alpha House,
100 Borough High Street, London,
SE1 1LB, United Kingdom



Cybrosys Technologies Pvt. Ltd.
1st Floor, Thapasya Building,
Infopark, Kakkanad,
Kochi, India - 682030.



Cybrosys Techno Solutions
The Estate, 8th Floor,
Dickenson Road,
Bangalore, India - 560042

Send Us A Message