OCA · OCA-git-bot · May 14, 2024 · May 8, 2024
diff --git a/edi_oca/models/edi_exchange_record.py b/edi_oca/models/edi_exchange_record.py
@@ -468,8 +468,8 @@ def _search(
             count=False,
             access_rights_uid=access_rights_uid,
         )
-        if self.env.is_system():
-            # restrictions do not apply to group "Settings"
+        if self.env.is_superuser():
+            # restrictions do not apply for the superuser
             return len(ids) if count else ids
 
         # TODO highlight orphaned EDI records in UI:
@@ -514,11 +514,14 @@ def _search(
                         list(targets[res_id]),
                     )
                 recs = recs - missing
-            allowed = (
+            allowed = list(
                 self.env[model]
                 .with_context(active_test=False)
                 ._search([("id", "in", recs.ids)])
             )
+            if self.env.is_system():
+                # Group "Settings" can list exchanges where record is deleted
+                allowed.extend(missing.ids)
             for target_id in allowed:
                 result += list(targets[target_id])
         if len(orig_ids) == limit and len(result) < len(orig_ids):
@@ -545,7 +548,7 @@ def read(self, fields=None, load="_classic_read"):
     def check_access_rule(self, operation):
         """In order to check if we can access a record, we are checking if we can access
         the related document"""
-        super(EDIExchangeRecord, self).check_access_rule(operation)
+        super().check_access_rule(operation)
         if self.env.is_superuser():
             return
         default_checker = self.env["edi.exchange.consumer.mixin"].get_edi_access

diff --git a/edi_oca/tests/test_security.py b/edi_oca/tests/test_security.py
@@ -194,7 +194,7 @@ def test_search_no_record_admin(self):
         exchange_record = self.create_record()
         exchange_record.res_id = -1
         admin_group = self.env.ref("base.group_system")
-        self.user.write({"groups_id": [(4, admin_group.id)]})
+        self.user.write({"groups_id": [(4, self.group.id), (4, admin_group.id)]})
         self.assertEqual(
             1,
             self.env["edi.exchange.record"]