Hi @dreispt , thinking and testing this module I would like to ask you opinion in my reflexions.
Installing this module is very specific and maybe we could make it better. I think that we can maintain this functionality better by adding 2 more security groups in project (setting -> Users):
- User
- Member (new group)
- Project Manager (new group - for res.user who are assigned in user_id in project.project)
- Manager
This way we don't touch Odoo's permission groups so if you don't user "member" or "project manager" you will have same functionality of Core.
#1
Employees are now basic Project users, able to create new documents (Issues or Tasks). These are kept editable while in New and Cancelled states, to allow for corrections or for the user himself to cancel an incorrectly created request. Previously, Employee users did not have any write nor create access to project documents.
- Adding to employees make all employees access to project (this is not very common), this is not good as many employees must see the minimum part of their job, just sales, just purchases, just accounting...
- Force to customer to use "New" and "Cancel" states, in fact, for to use states when Odoo v8 and v9 do not use it anymore.
I think we must maintain option in Setting -> User to select if a user or employee access to project o not.
Note: Odoo core has a functional bug in my opinion. By default a Project User cannot create issues... this has no sense. So we can add this to the default user's group. Project Users can create issues. Here is how you must add this manualy: https://youtu.be/ZLzZ-o6q8N0
#2
Project Users, on the other hand, are supposed to act on these documents, such as reported issues, and update them accordingly, so they have write access for all states. Employee users don't have write access on later states, but can still write comments and communicate through the message board (open chatter).
In general, users will only be able to see documents where:
They are assigned/responsible for, or
They are following, or
They are a team member for the corresponding Project (but not if only in the project's follower list).
Project's Members in project.project have same permission as Project's followers. This have many sense, as you have permissions on the project but you don't need to follow it. this has two benefits:
- Project manager when creating task doesn't have to delete followers pulled from project.
- Project users don't have see all task in one project, they can unfollow or follow as needed.
#3
Project Managers have access rules similar to Project Users, but additionally can create new projects and can see all documents for the projects they are the Manager. As a consequence, Project Managers no longer have inconditional access to all Tasks and Issues, and will only be able to edit the definitions of Projects they manage.
This makes it possible for a Project Manager to have private projects that other users, Project Managers included, will not be able to see. They will need to be added as followers or team members to able to see it.
Public Projects and their documents are still visible to everyone. Portal users access rules are kept unchanged.
Adding "Project manager" groups (which is different of Manager) you will have same functionality as you describe. You can have many project managers who are independent of each other and you can still have a Full Manager like CTO, CIO or also CEO who see everything.
#4
Access Rules summary:
We will have in Setting - Users - Access Right - Application - Project
Employee Users Can see only documents followed or responsible for (in "user_id"). Can create new documents and edit them while in "New"/"Cancelled" states.
Project Users Can edit Project Issues and Tasks in any stage/state. Can see all documents for projects they are followers on team members. Can see only documents followed or assigned to for other projects.
Project Managers Can create new projects and edit their attributes. Can see all documents (Tasks or Issues) but only for their managed projects. For the other Projects, will see only followed documents, just like the other users.
Note: For sure if needed we can add also "Employee" as you described, having 5 groups of permission for projects.
Also I think is more clear to understand for anyone.
After writting this I have read #59 so welcome @jbeficent
We can do this of v8 like I described if you agree.
@dreispt could be this and [IMP] of project_baseuser of it must be a new one.
cc @antespi @pedrobaeza