odoo检查规则

@api.multi
def button_cancel(self):
    for move in self:
        if not move.journal_id.update_posted:
            raise UserError(_('You cannot modify a posted entry of this journal.\nFirst you should set the journal to allow cancelling entries.'))
        # We remove all the analytics entries for this journal
        move.mapped('line_ids.analytic_line_ids').unlink()
    if self.ids:
        self.check_access_rights('write')   #调用函数
        self.check_access_rule('write')     #调用函数
        self._check_lock_date()
        self._cr.execute('UPDATE account_move '\
                   'SET state=%s '\
                   'WHERE id IN %s', ('draft', tuple(self.ids),))
        self.invalidate_cache()
    self._check_lock_date()
    return True

    @api.model
    def check_access_rights(self, operation, raise_exception=True):
        """ Verifies that the operation given by ``operation`` is allowed for
            the current user according to the access rights.
        """
        return self.env['ir.model.access'].check(self._name, operation, raise_exception)

    @api.multi
    def check_access_rule(self, operation):
        """ Verifies that the operation given by ``operation`` is allowed for
            the current user according to ir.rules.

           :param operation: one of ``write``, ``unlink``
           :raise UserError: * if current ir.rules do not permit this operation.
           :return: None if the operation is allowed
        """
        if self._uid == SUPERUSER_ID:
            return

        invalid = self - self._filter_access_rules(operation)    #  ？？？？？？？
        if not invalid:
            return

        forbidden = invalid.exists()
        if forbidden:
            # the invalid records are (partially) hidden by access rules
            if self.is_transient():
                raise AccessError(_('For this kind of document, you may only access records you created yourself.\n\n(Document type: %s)') % (self._description,))
            else:
                _logger.info('Access Denied by record rules for operation: %s on record ids: %r, uid: %s, model: %s', operation, forbidden.ids, self._uid, self._name)
                raise AccessError(_('The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: %s, Operation: %s)') % \
                                  (self._description, operation))

        # If we get here, the invalid records are not in the database.
        if operation in ('read', 'unlink'):
            # No need to warn about deleting an already deleted record.
            # And no error when reading a record that was deleted, to prevent spurious
            # errors for non-transactional search/read sequences coming from clients.
            return
        _logger.info('Failed operation on deleted record(s): %s, uid: %s, model: %s', operation, self._uid, self._name)
        raise MissingError(_('Missing document(s)') + ':' + _('One of the documents you are trying to access has been deleted, please try again after refreshing.'))