Hello,
I have discovered that when a new module is installed, all users are automatically set to have administrator access rights for the new module installed which in turn changes users’ access rights for other modules.
One particularly concerning example of this is that when installing Recruitment, all users' access rights are set to Administrator. This in turn can change the permission of someone with 'user: kiosk mode only' in Employees to a higher permission, allowing the previously low-level permission user to see Private HR information such as salary for all employees at a company.
I submitted a ticket to the Odoo helpdesk and have been told that this behaviour is OOTB.
I’d like to hear if anyone has come across this before and what your thoughts on the matter are.
Thanks!
Is this behavior reproducible in Odoo Runbot?
Yes. Steps to replicate on Runbot:
1. Uninstall Recruitment as it is already installed on Runbot.
2. Set a user to ‘user: kiosk only mode’ permissions for Employees.
3. Reinstall Recruitment.
4. You’ll notice that the user now has administrator access rights for Recruitment and ‘Officer: Manage all employees’ access rights for Employees, enabling them to see the ‘Private Information’ and ‘HR Settings’ tabs on an Employee card.
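An administrator who wants to catch this kind of change rather than notice it by accident can snapshot every user's group membership before a module install and diff it afterwards. The script below is an added example, not code from the thread or from Odoo itself: `snapshot_groups` assumes Odoo's standard XML-RPC external API (`/xmlrpc/2/common` and `/xmlrpc/2/object`) on a reachable instance, while the `BEFORE` and `AFTER` dictionaries are constructed sample data shaped like the scenario in the steps above (a kiosk-only user who ends up as an Employees Officer after Recruitment is installed). `collateral_gains` separates rights gained in the newly installed module, which is expected, from rights gained in other modules, which is the part of this thread that matters.

```python
"""Audit helper: find users whose Odoo access groups changed after a module install."""
import xmlrpc.client

# Constructed sample snapshots (login -> set of group full names); not data from a real instance.
BEFORE = {
    "admin": {"Administration / Settings", "Employees / Administrator"},
    "kiosk": {"Employees / User: Kiosk Mode only"},
    "officer": {"Employees / Officer: Manage all employees"},
}
AFTER = {
    "admin": {"Administration / Settings", "Employees / Administrator",
              "Recruitment / Administrator"},
    "kiosk": {"Employees / Officer: Manage all employees", "Recruitment / Administrator"},
    "officer": {"Employees / Officer: Manage all employees", "Recruitment / Administrator"},
}


def snapshot_groups(url, db, login, password):
    """Return login -> set(group full_name) for every user, read over Odoo's XML-RPC API.

    Assumes the standard endpoints and an account allowed to read res.users/res.groups.
    Run it once before the install and once after, then feed both results to diff_groups().
    """
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")

    def call(model, method, *args, **kw):
        return models.execute_kw(db, uid, password, model, method, list(args), kw)

    # Map group ids to their "Category / Name" labels so the diff is readable.
    groups = {g["id"]: g["full_name"]
              for g in call("res.groups", "search_read", [], fields=["full_name"])}
    users = call("res.users", "search_read", [], fields=["login", "groups_id"])
    return {u["login"]: {groups[g] for g in u["groups_id"]} for u in users}


def diff_groups(before, after):
    """Return login -> {"gained": set, "lost": set} for users whose groups changed.

    A user missing from `before` is treated as having had no groups, so every group
    they hold afterwards shows up as gained; a user missing from `after` is reported
    as having lost everything.
    """
    changes = {}
    for login in set(before) | set(after):
        old = before.get(login, set())
        new = after.get(login, set())
        gained, lost = new - old, old - new
        if gained or lost:
            changes[login] = {"gained": gained, "lost": lost}
    return changes


def collateral_gains(changes, installed_prefix):
    """Return login -> groups gained OUTSIDE the module that was just installed.

    `installed_prefix` is the group category label of the new module, e.g. "Recruitment / ".
    Anything gained under that prefix is the expected side effect of the install; anything
    else is a change to another module's rights and should be reviewed.
    """
    suspicious = {}
    for login, change in changes.items():
        outside = {g for g in change["gained"] if not g.startswith(installed_prefix)}
        if outside:
            suspicious[login] = outside
    return suspicious


if __name__ == "__main__":
    changes = diff_groups(BEFORE, AFTER)
    for login, change in sorted(changes.items()):
        print(f"{login}: gained={sorted(change['gained'])} lost={sorted(change['lost'])}")
    print("review:", collateral_gains(changes, "Recruitment / "))
```

On the constructed data the review line lists only `kiosk`, whose new `Employees / Officer: Manage all employees` group is exactly the escalation described in step 4; `admin` and `officer` gained only `Recruitment / Administrator`, which the install is expected to grant. Because Odoo's application groups are selected one level per category, the kiosk user's old `User: Kiosk Mode only` group also appears under `lost`, which is a useful second signal that a user's level in an existing module was replaced rather than merely extended.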