Zum Inhalt springen
Sie müssen registriert sein, um mit der Community zu interagieren.
Alle Beiträge Personen Abzeichen
Stichwörter (Alle anzeigen)
odoo accounting v14 pos v15
Über dieses Forum
Diese Frage wurde gekennzeichnet
securityv8fieldsinvisible
5 Antworten
5324 Ansichten
Avatar
Shawn Varghese

If you assign groups to a field in the following manner:

<field name="source_id" groups="base.group_system"/>

Now if I log on as a non-admin user, and right click the form view and choose 'Inspect Element', I can easily remove the invisible class of the field and see things I was not supposed to !

Isn't this a huge security hole? Or did I do something wrong? I was under the impression that this sort of thing is handled in 'fields_view_get' and the invisible field would not be rendered.

I understand that adding groups in .py prevents it from getting rendered. But I just wanted to know if specifying in XML can be made secure.



Avatar
Verwerfen
Luke Branch

@Shawn,

I agree this should be looked into. I think you should open an issue on github here detailing the issue with steps to reproduce:

https://github.com/odoo/odoo/issues

I'd recommend using a similar format to the following issue submission:

https://github.com/odoo/odoo/issues/3339

And consider using licecap for an animated GIF screencapture if you think it would be better demonstrated with a visual representation:

http://www.cockos.com/licecap/

Shawn Varghese
Autor

Thanks Luke...my next question was going to be how to open an issue ! I will double check to see if this has already been discussed before, and if not, I'll raise it.

Avatar
Jérémy Kersten (jke)
Beste Antwort

Hi,

It's not a bug...

It is by design...

Groups in view is there to improve the display according to the user and not for security !

In any case, user can read info in xmlrpc, jsonrpx, from other view, ...

Add group on the field from your model, if you don't want that a group can read the info ! Documentation here : https://www.odoo.com/documentation/8.0/reference/security.html#field-access

Avatar
Verwerfen
Shawn Varghese
Autor

Got it, thanks for clearing that up!

Avatar
Mohammed Razem
Beste Antwort

I searched a lot to find how to add a Group to a Base Field with no luck.

I can add a Group to restrict access for a custom field through UI. But when I try to do this for a Base Field (for example "remaining_leave" in hr.employee) I get an error.

Is there any documentation on how to add a Group restriction to a base field through a module?

Avatar
Verwerfen
Verknüpfte Beiträge Antworten Ansichten Aktivität
Is there a way to apply read, write permissions per field? Or turn to read-only based on user groups?
security v8 fields permissions
Avatar
0
März 15
4386
Field level 'read' access rights missing in Odoo 8.0?
security v8 fields orm
Avatar
Avatar
1
März 15
6726
Field Read-only for certain users (logged-in)
security fields
Avatar
2
Aug. 20
3074
how to hide a field if empty in view mode and view it in edit mode (odoo11)?
fields invisible
Avatar
0
Nov. 17
5759
How to change inherited fields group?
security fields res.users
Avatar
1
Nov. 24
1165