[16.0][BUG] rating: Missing multi-company rule

[carolinafernandez-tecnativa]

Impacted versions:
15.0, 16.0, 17.0

Steps to reproduce:

1- Multi-environment configuration
2- Allow customer ratings on project.
3- Go to Project > Reporting > Customer ratings
4- All customer ratings belong to Company San Francisco.

5- User is current on Company Chicago

6- Tried to access one customer rating

Current behavior:

If I have multi-company environment, all customer ratings tasks are not being filtered by company, it shows all ratings for all companies, independently which company is the user at.

Expected behavior:

If I have multi-company environment, when i go to check customer ratings task as an example, it has to show only task rating for the company that user is logged in.
In this example, when the user is with Company Chicago, when access to Customer ratings, it should be an empty list.

Please note, there is no field company_id on model rating.rating and security rule is missing.

cc @Tecnativa TT48683

[pedrobaeza]

@mart-e do you know who is in charge of this module?

[vava-odoo]

That would be something for @xavierbol. Could you have a look?

[pedrobaeza]

I think this can be implemented overriding _check_access and checking if the user have access to the rating related record. This way, it's not only multi-company, but any other restriction through record rules can be checked.