[FIX] web_m2x_options: allow field-level overrides of the global create and create_edit options

Ricardoalso · Ricardoalso · commit fac52dd33df9 · 2025-12-23T11:48:35.000+01:00
Allow field-level overrides for Many2One and Many2Many fields, while always respecting security permissions. This provides more granular control over the "Create..." and "Create and Edit..." dropdown entries without compromising access control.
diff --git a/web_m2x_options/static/src/components/form.esm.js b/web_m2x_options/static/src/components/form.esm.js
@@ -27,41 +27,49 @@ function evaluateSystemParameterDefaultTrue(option) {
     return isOptionSet ? evaluateBooleanExpr(isOptionSet) : true;
 }
 
+function evaluateHasCreatePermission(attrs) {
+    return attrs.can_create ? evaluateBooleanExpr(attrs.can_create) : true;
+}
+
+function evaluateFieldBooleanOption(option) {
+    return typeof option === "boolean" ? option : evaluateBooleanExpr(option);
+}
+
 patch(many2OneField, {
     m2o_options_props_create(props, attrs, options) {
         const canQuickCreate = evaluateSystemParameterDefaultTrue("create");
+        const hasCreatePermission = evaluateHasCreatePermission(attrs);
         if (options.no_quick_create) {
             props.canQuickCreate = false;
         } else if ("no_quick_create" in options) {
-            props.canQuickCreate = attrs.can_create
-                ? evaluateBooleanExpr(attrs.can_create)
-                : true;
+            props.canQuickCreate = hasCreatePermission;
+        } else if ("create" in options) {
+            // Field option set, but must respect can_create security attribute
+            props.canQuickCreate = hasCreatePermission && evaluateFieldBooleanOption(options.create);
         } else if (!canQuickCreate && props.canQuickCreate) {
             props.canQuickCreate = false;
         } else if (canQuickCreate && !props.canQuickCreate) {
-            props.canQuickCreate = attrs.can_create
-                ? evaluateBooleanExpr(attrs.can_create)
-                : true;
+            props.canQuickCreate = hasCreatePermission;
         }
         return props;
     },
 
     m2o_options_props_create_edit(props, attrs, options) {
         const canCreateEdit = evaluateSystemParameterDefaultTrue("create_edit");
+        const hasCreatePermission = evaluateHasCreatePermission(attrs);
         if (options.no_create_edit) {
             props.canCreateEdit = false;
         } else if ("no_create_edit" in options) {
             // Same condition set in web/views/fields/many2one/many2one_field
-            props.canCreateEdit = attrs.can_create
-                ? evaluateBooleanExpr(attrs.can_create)
-                : true;
+            props.canCreateEdit = hasCreatePermission;
+        } else if ("create_edit" in options) {
+            // Field option set, but must respect can_create security attribute
+            props.canCreateEdit = hasCreatePermission && evaluateFieldBooleanOption(options.create_edit);
         } else if (!canCreateEdit && props.canCreateEdit) {
             props.canCreateEdit = false;
         } else if (canCreateEdit && !props.canCreateEdit) {
             // Same condition set in web/views/fields/many2one/many2one_field
-            props.canCreateEdit = attrs.can_create
-                ? evaluateBooleanExpr(attrs.can_create)
-                : true;
+            props.canCreateEdit = hasCreatePermission;
         }
         return props;
     },
@@ -152,35 +160,36 @@ patch(Many2OneField.prototype, {
 patch(many2ManyTagsField, {
     m2m_options_props_create(props, attrs, options) {
         const canQuickCreate = evaluateSystemParameterDefaultTrue("create");
+        const hasCreatePermission = evaluateHasCreatePermission(attrs);
         // Create option already available for m2m fields
         if (!options.no_quick_create) {
-            if (!canQuickCreate && props.canQuickCreate) {
+            if ("create" in options) {
+                // Field option set, but must respect can_create security attribute
+                props.canQuickCreate = hasCreatePermission &&  evaluateFieldBooleanOption(options.create);
+            } else if (!canQuickCreate && props.canQuickCreate) {
                 props.canQuickCreate = false;
             } else if (canQuickCreate && !props.canQuickCreate) {
-                props.canQuickCreate = attrs.can_create
-                    ? evaluateBooleanExpr(attrs.can_create)
-                    : true;
+                props.canQuickCreate = hasCreatePermission;
             }
         }
         return props;
     },
 
     m2m_options_props_create_edit(props, attrs, options) {
         const canCreateEdit = evaluateSystemParameterDefaultTrue("create_edit");
+        const hasCreatePermission = evaluateHasCreatePermission(attrs);
         if (options.no_create_edit) {
             props.canCreateEdit = false;
         } else if ("no_create_edit" in options) {
             // Same condition set in web/views/fields/many2one/many2one_field
-            props.canCreateEdit = attrs.can_create
-                ? evaluateBooleanExpr(attrs.can_create)
-                : true;
+            props.canCreateEdit = hasCreatePermission;
+        } else if ("create_edit" in options) {
+            props.canCreateEdit = hasCreatePermission && evaluateFieldBooleanOption(options.create_edit);
         } else if (!canCreateEdit && props.canCreateEdit) {
             props.canCreateEdit = false;
         } else if (canCreateEdit && !props.canCreateEdit) {
             // Same condition set in web/views/fields/many2one/many2one_field
-            props.canCreateEdit = attrs.can_create
-                ? evaluateBooleanExpr(attrs.can_create)
-                : true;
+            props.canCreateEdit = hasCreatePermission;
         }
         return props;
     },
