OCA/OCB

Unauthorized Access to Maintenance Menu and Ability to Create Requests in Odoo OCB V14.0

Closed this issue · 3 comments

Module

Maintenance

Describe the bug

Users without any assigned roles under the Maintenance module can still view the maintenance menu and create requests, despite receiving an error message when saving the request. This behavior contradicts the expected permission constraints, where users without assigned roles in Maintenance should not have the ability to create requests or even access the maintenance menu.

To Reproduce

Affected versions: Odoo OCB V14.0

Steps to reproduce the behavior:

  1. Create or select a user without any assigned roles under the Maintenance module.

  2. Log in as that user.

  3. Navigate to the Maintenance menu.

  4. Attempt to create and save a maintenance request.

  5. Receive the following error message:
    Due to security restrictions, you are not allowed to create 'Maintenance Request' (maintenance.request) records.

    Records: sdf (id=2)
    User: user (id=8)

    This restriction is due to the following rules:
    - Users are allowed to access their own maintenance requests

    Contact your administrator to request access if necessary.

Expected behavior
A user without assigned roles under the Maintenance module should not be able to view the maintenance menu or create maintenance requests. The system should enforce appropriate permission constraints to prevent unauthorized access and creation.

Additional context

  • OS: Linux (server), Windows (client)
  • Browser: Chrome
  • Python Version: 3.8

Please publish this on odoo/odoo, as they are not OCB exclusive issues.

Did you try to replicate it with Odoo and OCB to see?

There's no exclusive OCB code related to the maintenance module for now.
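
Added example, not part of the issue thread and not Odoo or OCB code: the error quoted in the report cites a record rule, so when triaging a report like this it is worth checking whether a model-level access row grants create to a group the user already holds. The script audits rows in Odoo's `ir.model.access.csv` layout; the sample rows and group XML ids are constructed assumptions, not the maintenance module's actual file.

```python
import csv
import io

# Constructed sample rows in the ir.model.access.csv column layout.
# They are NOT copied from the maintenance module; group ids are assumptions.
SAMPLE_ACL_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_request_internal,request.internal,model_maintenance_request,base.group_user,1,1,1,0
access_request_manager,request.manager,model_maintenance_request,maintenance.group_equipment_manager,1,1,1,1
access_equipment_internal,equipment.internal,model_maintenance_equipment,base.group_user,1,0,0,0
access_equipment_manager,equipment.manager,model_maintenance_equipment,maintenance.group_equipment_manager,1,1,1,1
"""

PERMS = ("read", "write", "create", "unlink")


def granted_perms(csv_text, model_xmlid, user_groups):
    """Return the model-level permissions the given groups receive.

    Access rows are additive: a permission is granted if any row for the
    model grants it to one of the user's groups, or to no group at all.
    `user_groups` must already include implied groups.
    """
    granted = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["model_id:id"] != model_xmlid:
            continue
        group = row["group_id:id"].strip()
        if group and group not in user_groups:
            continue
        granted.update(p for p in PERMS if row[f"perm_{p}"].strip() == "1")
    return granted


def broad_grants(csv_text, module, perm="create"):
    """List rows granting `perm` to a group outside `module`, or to everyone."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = row["group_id:id"].strip()
        if row[f"perm_{perm}"].strip() == "1" and not group.startswith(module + "."):
            findings.append((row["id"], row["model_id:id"], group or "<everyone>"))
    return findings


if __name__ == "__main__":
    # A user holding only the internal-user group, no Maintenance role.
    print(sorted(granted_perms(SAMPLE_ACL_CSV, "model_maintenance_request", {"base.group_user"})))
    print(broad_grants(SAMPLE_ACL_CSV, "maintenance"))
```

Run it against the access CSV files of the modules actually installed; any row it reports means record rules, not the model-level access list, are the only thing limiting create for that group.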