Why don't window action access rights work?

Question

This is a serious security concern, defining group access rights on menu items is not enough to restrict access to actions

How do you protect against this ? someone could just try action ids one by one until they find an existing action that gives him/her access to potentially private information.

I restricted access to a window action to a specific group, but I was still able to see it with a user that doesn't belong to that group.

*Edit:* The same goes for views, when I define access rights

Ray Carnes · Answer

Using groups to hide or give access to menus is more related to the needs of ergonomics or usability than the needs of security. It is a best practice to putting rules on documents and models instead of putting groups on menus. For example, hiding invoices can be done by modifying the record rule on the invoice object, and it is more efficient and safer than hiding menus related to invoices.

Similarly, using groups to hide or give access to views based on groups should also not be considered as meeting security needs.

From "Security in OpenERP: users, groups" at https://doc.openerp.com/trunk/server/04_security/

Similarly, using groups to hide or give access to views based on groups should also not be considered as

Publicaciones relacionadas	Respuestas	Vistas
My ir.actions.server isn't being triggered on sales order save, why? actions	1 mar 15	4950
Why don't window action access rights work? actions	0 mar 15	3554
Why don't window action access rights work? actions	0 mar 15	3734
Server action triggering Server action (Odoo 12) actions server_actions	0 mar 25	712
Prevent Users to Devliver more than demanded quantity. Resuelto actions stock.move	2 oct 24	1595

Se marcó esta pregunta

¿Le interesa esta conversación? ¡Participe en ella!