diff --git a/content/developer/reference/backend/mixins.rst b/content/developer/reference/backend/mixins.rst
index 51c306bb4..c1b8ce607 100644
--- a/content/developer/reference/backend/mixins.rst
+++ b/content/developer/reference/backend/mixins.rst
@@ -451,12 +451,12 @@ The urls in the actions list can be generated automatically by calling the
 
                 new_group = (
                     'group_trip_manager',
-                    lambda partner: bool(partner.user_ids) and
-                    any(user.has_group('business.group_trip_manager')
-                    for user in partner.user_ids),
-                    {
-                        'actions': trip_actions,
-                    })
+                    lambda partner: any(
+                        user.sudo().has_group('business.group_trip_manager')
+                        for user in partner.user_ids
+                    ),
+                    {'actions': trip_actions},
+                )
 
                 return [new_group] + groups
 
diff --git a/content/developer/reference/backend/security.rst b/content/developer/reference/backend/security.rst
index 9e6b4c4b0..120b8f2f2 100644
--- a/content/developer/reference/backend/security.rst
+++ b/content/developer/reference/backend/security.rst
@@ -213,7 +213,7 @@ can not be trusted, ACL being only verified during CRUD operations.
 
     # this method is public and its arguments can not be trusted
     def action_done(self):
-        if self.state == "draft" and self.user_has_groups('base.manager'):
+        if self.state == "draft" and self.env.user.has_group('base.manager'):
             self._set_state("done")
 
     # this method is private and can only be called from other python methods