Difference between with and without sudo() in Odoo

Solution 1

Odoo 8–12

Calling sudo() (with no parameters) before calling create() will return the recordset with an updated environment with the admin (superuser) user ID set. This means that further method calls on your recordset will use the admin user and as a result bypass access rights/record rules checks [source]. sudo() also takes an optional parameter user which is the ID of the user (res.users) which will be used in the environment (SUPERUSER_ID is the default).

When not using sudo(), if the user who calls your method does not have create permissions on my.example model, then calling create will fail with an AccessError.

Because access rights/record rules are not applied for the superuser, sudo() should be used with caution. Also, it can have some undesired effects, eg. mixing records from different companies in multi-company environments, additional refetching due to cache invalidation (see section Environment swapping in Model Reference).

Odoo 13+

Starting with Odoo 13, calling sudo(flag) will return the recordset in a environment with superuser mode enabled or disabled, depending if flag is True or False, respectively. The superuser mode does not change the current user, and simply bypasses access rights checks. Use with_user(user) to actually switch users.

Solution 2

You can check the comments on sudo in Odoo code at odoo -> models.py -> def sudo().

Solution 3

Returns a new version of this recordset attached to the provided user.

    By default this returns a ``SUPERUSER`` recordset, where access
    control and record rules are bypassed.

    It is same as:

    from odoo import api, SUPERUSER_ID

    env = api.Environment(cr, SUPERUSER_ID, {})

    In this example we pass SUPERUSER_ID in place of uid at the time of creating a Enviroment.

    If you are not use Sudo() then the current user need permission to 
    create a given object.


    .. note::

        Using ``sudo`` could cause data access to cross the
        boundaries of record rules, possibly mixing records that
        are meant to be isolated (e.g. records from different
        companies in multi-company environments).

        It may lead to un-intuitive results in methods which select one
        record among many - for example getting the default company, or
        selecting a Bill of Materials.

    .. note::

        Because the record rules and access control will have to be
        re-evaluated, the new recordset will not benefit from the current
        environment's data cache, so later data access may incur extra
        delays while re-fetching from the database.
        The returned recordset has the same prefetch object as ``self``.

Author by

Pointer

Updated on June 14, 2022