Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Buchhaltung
Lager
PoS
Projekte
MRP

All apps

Alle Beiträge Personen Abzeichen

Stichwörter (Alle anzeigen)

odoo accounting v14 pos v15

Über dieses Forum

Hilfe

Odoo security issue for invisible fields

security v8 fields invisible

5 Antworten

6030 Ansichten

Shawn Varghese

If you assign groups to a field in the following manner:

<field name="source_id" groups="base.group_system"/>

Now if I log on as a non-admin user, and right click the form view and choose 'Inspect Element', I can easily remove the invisible class of the field and see things I was not supposed to !

Isn't this a huge security hole? Or did I do something wrong? I was under the impression that this sort of thing is handled in 'fields_view_get' and the invisible field would not be rendered.

I understand that adding groups in .py prevents it from getting rendered. But I just wanted to know if specifying in XML can be made secure.

Luke Branch

@Shawn,

I agree this should be looked into. I think you should open an issue on github here detailing the issue with steps to reproduce:

https://github.com/odoo/odoo/issues

I'd recommend using a similar format to the following issue submission:

https://github.com/odoo/odoo/issues/3339

And consider using licecap for an animated GIF screencapture if you think it would be better demonstrated with a visual representation:

http://www.cockos.com/licecap/

Shawn Varghese

Autor

Thanks Luke...my next question was going to be how to open an issue ! I will double check to see if this has already been discussed before, and if not, I'll raise it.

Jérémy Kersten (jke)

Beste Antwort

Hi,

It's not a bug...

It is by design...

Groups in view is there to improve the display according to the user and not for security !

In any case, user can read info in xmlrpc, jsonrpx, from other view, ...

Add group on the field from your model, if you don't want that a group can read the info ! Documentation here : https://www.odoo.com/documentation/8.0/reference/security.html#field-access

Shawn Varghese

Autor

Got it, thanks for clearing that up!

Mohammed Razem

I searched a lot to find how to add a Group to a Base Field with no luck.

I can add a Group to restrict access for a custom field through UI. But when I try to do this for a Base Field (for example "remaining_leave" in hr.employee) I get an error.

Is there any documentation on how to add a Group restriction to a base field through a module?

Diskutieren Sie gerne? Treten Sie bei, statt nur zu lesen!

Erstellen Sie heute ein Konto, um exklusive Funktionen zu nutzen und mit unserer tollen Community zu interagieren!

Registrieren

Verknüpfte Beiträge	Antworten	Ansichten
Is there a way to apply read, write permissions per field? Or turn to read-only based on user groups? security v8 fields permissions	0 März 15	4889
Field level 'read' access rights missing in Odoo 8.0? security v8 fields orm	1 März 15	7463
Field Read-only for certain users (logged-in) security fields	2 Aug. 20	3661
how to hide a field if empty in view mode and view it in edit mode (odoo11)? fields invisible	0 Nov. 17	6248
How to change inherited fields group? security fields res.users	1 Nov. 24	1793

Diese Frage wurde gekennzeichnet

Diskutieren Sie gerne? Treten Sie bei, statt nur zu lesen!