2 Answers
3207 Views

Hello,

I have discovered that when a new module is installed, all users are automatically set to have administrator access rights for the new module installed which in turn changes users’ access rights for other modules.

One particularly concerning example of this is that when installing Recruitment, all users' access rights are set to Administrator. This in turn can change the permission of someone with 'user: kiosk mode only' in Employees to a higher permission, allowing the previously low-level permission user to see private HR information such as salary for all employees at a company.

I submitted a ticket to the Odoo helpdesk and have been told that this behaviour is OOTB.

I’d like to hear if anyone has come across this before and what your thoughts on the matter are.

Thanks!



Is this behavior reproducible in Odoo Runbot?

Author

Yes. Steps to replicate on Runbot:
1. Uninstall Recruitment as it is already installed on Runbot.
2. Set a user to ‘user: kiosk only mode’ permissions for Employees.
3. Reinstall Recruitment.
4. You’ll notice that the user now has administrator access rights for Recruitment and ‘Officer: Manage all employees’ access rights for Employees, enabling them to see the ‘Private Information’ and ‘HR Settings’ tabs on an Employee card.
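One way to catch the change the steps above describe is to snapshot every user's group membership before the module install and diff it afterwards. The script below is an added example, not code from the thread or from Odoo: `fetch_membership` uses Odoo's standard XML-RPC API (`res.users` / `res.groups`, connection details are placeholders), while the diff runs offline on a constructed sample that mirrors the kiosk-user case.

```python
"""Audit which Odoo access groups users gained across a module install."""
import xmlrpc.client


def fetch_membership(url, db, login, password):
    """Return {user_login: set(group_full_name)} from a live Odoo instance.

    Hypothetical connection details; only the standard models res.users and
    res.groups are read. Not called in the offline demo below.
    """
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")

    def call(model, method, *args, **kw):
        return models.execute_kw(db, uid, password, model, method, args, kw)

    groups = {g["id"]: g["full_name"]
              for g in call("res.groups", "search_read", [], fields=["full_name"])}
    users = call("res.users", "search_read", [], fields=["login", "groups_id"])
    return {u["login"]: {groups[g] for g in u["groups_id"]} for u in users}


def added_grants(before, after):
    """Groups each user gained between two snapshots, as {login: sorted list}.

    A user absent from the first snapshot counts as having gained everything.
    """
    gained = {login: groups - before.get(login, set()) for login, groups in after.items()}
    return {login: sorted(g) for login, g in gained.items() if g}


def escalated_users(before, after, sensitive):
    """Logins that newly hold any group listed in `sensitive`: the ones to review."""
    return sorted(login for login, gained in added_grants(before, after).items()
                  if set(gained) & set(sensitive))


# Constructed sample (group names follow Odoo's "Category / Name" layout):
# a kiosk-only user ends up with Employees officer rights after Recruitment.
BEFORE = {"kiosk": {"Employees / User: kiosk mode only"},
          "hr_admin": {"Employees / Administrator"}}
AFTER = {"kiosk": {"Employees / User: kiosk mode only",
                   "Employees / Officer: Manage all employees",
                   "Recruitment / Administrator"},
         "hr_admin": {"Employees / Administrator", "Recruitment / Administrator"}}
SENSITIVE = ["Employees / Officer: Manage all employees", "Recruitment / Administrator"]

if __name__ == "__main__":
    for login, gained in added_grants(BEFORE, AFTER).items():
        print(f"{login}: gained {', '.join(gained)}")
    print("review:", escalated_users(BEFORE, AFTER, SENSITIVE))
```

Take the first snapshot right before installing the module and the second right after, so the diff only contains grants the install itself introduced.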

Best Answer

Did you find any solutions??

Otherwise we are thinking of installing everything once and for all... but this is ridiculous.

Best Answer

I think it is consistent with Odoo logic as to never restrict users unless absolutely necessary, I wouldn't let it the other way around.



This surely breaches data privacy rules in several countries around the world, as well as GDPR, given the case stated above if data such as race, ethnicity, etc. are asked in recruitment job application surveys.

Imagine a 300 user company who adds another module and then has to go through all the employees (sure they can export import) to remove a permission added because a new module was installed. It makes more sense to provide permission to users who need it after installation than have to remove access from everyone. Plus from a database management perspective, I imagine most administrators would prefer to provide access to those who need it rather than have to remove it from everyone first. An inexperienced administrator would mess this up instantly!

Oh I see, I didn't see the use case. My point stays for new apps, but not if they are related like the example you are giving me. Yes, it sounds weird if you suddenly give access to everyone about it; I haven't tested it myself, but for HR it makes sense.
But I can think of the possibility of downgrading users, for example:
If I currently have X app on which I'm admin and then install Y app, and both share permissions, wouldn't it be bad to set me back to user? Then I would have to go through the said 300 users just to get them back to using the same things they were using before.
Maybe a middleground would be to leave permissions as they are regardless of the app installed.
