
I know that in V8 there's no button that links directly to the 'manage database' page; you need to access it by URL: http://localhost:8069/web/database/manager#action=database_manager.

I don't want everyone to have the right to reach that page. Is there a way I can set a password for that URL? Or can I decide that only the administrator can access that page?

Can anyone help me?


I'm also looking to restrict this in the same manner as you would with .htaccess in Apache (e.g. restrict access to a certain fixed IP). I'll post back here if I find a solution.

Author

Hi Luke, happy to hear that ! Looking forward to your feedback.

Hi Luke,

I received your answer on the Odoo help website, and I'm really happy that someone has the same concern as me about the new Odoo version.

I noticed you're also from HK. If you don't mind, maybe you can leave your email address or Skype so we can share (OE) information in the future? What do you think?



Best Regards

Phoebe Huang
Rooms For (Hong Kong) Limited
Skype: phoebeh0330



On Fri, Jul 11, 2014 at 3:51 PM, Luke <luke-weairsoft-com@openerp.my.openerp.com> wrote:

I'm also looking to restrict this in the same manner as you would with .htaccess in Apache (e.g. restrict access to a certain fixed IP). I'll post back here if I find a solution.


Why don't you script inside the webpage? Check which user is logged in with which preferences. If the scenario you want matches, you show the button that redirects to the /web/database/manager page. If it doesn't match, you don't show the button.

@phoebe: I updated my custom module code to restrict DBManager page redirect to password page.

Is there any solution now?

Thomas the solution is given in the post below here. This is pretty much your prototype.

updated GitHub Source Code https://github.com/prakashsukraj/Odoo-DBRestrict

Best Answer

In Odoo version 8, the Select database / Manage Databases view is reached using the URL below:

http://localhost:8069/web/database/selector

Note: the default port number is 8069. Change the URL based on your port configuration.

EDIT:

GitHub Source Code: https://github.com/prakashsukraj/Odoo-DBRestrict

I just finished a new module, "web_dbrestrict", that restricts the Database Manager page by redirecting to a password page.

__openerp__.py

{
    'name': 'Web DB Restrict',
    'category': 'Hidden',
    'version': '1.0',
    'description': """
OpenERP Web core module.
========================
This module provides Database Manager page restrict redirect to password page.
        """,
    'depends': ['web'],
    'data': [     
        'views/web_dbrestrict.xml',        
    ],
    'installable': True,
    'application': True,
}

views/web_dbrestrict.xml

 

<?xml version="1.0" encoding="utf-8"?>
<openerp>
    <data>

    <template id="dbmanager_password" name="DB Password">
            <t t-call="web.login_layout">            
                <form  class="oe_login_form"  role="form" action="/web/dbmanager_password" method="post">
                    <div class="form-group field-password">
                        <label for="password" class="control-label">Password</label>
                        <input type="password" name="password" id="password" class="form-control" required="required" t-att-autofocus="'autofocus' if login else None"/>
                    </div>
                    <p class="alert alert-danger" t-if="error">
                        <t t-esc="error"/>
                    </p>
                    <p class="alert alert-success" t-if="message">
                        <t t-esc="message"/>
                    </p>
                    <div class="clearfix oe_login_buttons">
                        <button type="submit" class="btn btn-primary">Log in</button>
                    </div>
                </form>
            </t>
        </template>

    </data>
</openerp>

web_dbrestrict/controllers/main.py

import jinja2
import os
import simplejson
import sys
import openerp
import openerp.modules.registry
from openerp.tools import topological_sort
from openerp import http
from openerp.http import request, serialize_exception as _serialize_exception

if hasattr(sys, 'frozen'):
    # When running on compiled windows binary, we don't have access to package loader.
    path = os.path.realpath(os.path.join(os.path.dirname(__file__), '..', 'views'))
    loader = jinja2.FileSystemLoader(path)
else:
    loader = jinja2.PackageLoader('openerp.addons.web', "views")

env = jinja2.Environment(loader=loader, autoescape=True)
env.filters["json"] = simplejson.dumps

db_monodb = http.db_monodb

def module_installed_bypass_session(dbname):
    loadable = http.addons_manifest.keys()
    modules = {}
    try:
        registry = openerp.modules.registry.RegistryManager.get(dbname)
        with registry.cursor() as cr:
            m = registry.get('ir.module.module')
            # TODO The following code should move to ir.module.module.list_installed_modules()
            domain = [('state','=','installed'), ('name','in', loadable)]
            ids = m.search(cr, 1, domain)
            for module in m.read(cr, 1, ids, ['name', 'dependencies_id']):
                modules[module['name']] = []
                deps = module.get('dependencies_id')
                if deps:
                    deps_read = registry.get('ir.module.module.dependency').read(cr, 1, deps, ['name'])
                    dependencies = [i['name'] for i in deps_read]
                    modules[module['name']] = dependencies
    except Exception:
        # best effort: on any error fall back to the modules collected so far
        pass
    sorted_modules = topological_sort(modules)
    return sorted_modules
    
def module_boot(db=None):
    server_wide_modules = openerp.conf.server_wide_modules or ['web']
    serverside = []
    dbside = []
    for i in server_wide_modules:
        if i in http.addons_manifest:
            serverside.append(i)
    monodb = db or db_monodb()
    if monodb:
        dbside = module_installed_bypass_session(monodb)
        dbside = [i for i in dbside if i not in serverside]
    addons = serverside + dbside
    return addons
# The imports and methods above are copied from the web/main.py file
class Database_Password(openerp.addons.web.controllers.main.Database):

    @http.route('/web/database/manager', type='http', auth="none")
    def manager(self, **kw):
        request.session.logout()
        return http.local_redirect('/web/password')

    @http.route('/web/password', type='http', auth='public', website=True)
    def pasword(self, redirect=None, **post):    
        return request.render('web_dbrestrict.dbmanager_password', {'url_root': request.httprequest.url_root})
                
    @http.route('/web/dbmanager_password', type='http', auth='public', website=True)
    def dbmanager_password(self, cert_type=None, **post):
        password = request.params.get('password')  # None when the field is missing
        if password == 'Your_Password':  # placeholder: if the entered password matches, render the DB Manager page
            return env.get_template("database_manager.html").render({
                'modules': simplejson.dumps(module_boot()),
            })    
        else:
            values = request.params.copy()        
            values['error'] = "Wrong password"                
            return request.render('web_dbrestrict.dbmanager_password', values)        
        
web_dbrestrict/views

Copy and paste the "database_manager.html" file from web/views to web_dbrestrict/views.

 


@Prakash, Do you have a github repository for this module? I would like to fork it for my own use if possible. I think github would be the best way as other people who would also like to use your module can see changes against their fork if you make updates to your module. Please let me know if you have any plans to add this to a github repository. If you do not plan to add this to a github repository or your own I would like to ask your permission before adding this module to my own repo here: http://github.com/lukebranch if this is the case please provide me with details I can add to the __openerp__.py file to provide credit to you as the author.

@Luke: Just update the module in github https://github.com/prakashsukraj/Odoo-DBRestrict

@Prakash, Thank you!
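
The controller in the answer above compares the submitted value with a literal kept in the source using `==`. A hardened form of that one check, as an added example that is not part of the original module: only a salted PBKDF2 hash is stored and the comparison is constant-time. The function names, the iteration count and the sample passphrase are assumptions, and the code is written for Python 3 rather than Odoo 8's Python 2.7.

```python
import binascii
import hashlib
import hmac
import os

ITERATIONS = 200000  # assumed work factor, not a value from the module


def make_record(password, salt=None):
    """Build the 'iterations$salt$hash' string to keep in place of the literal."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    return '%d$%s$%s' % (ITERATIONS,
                         binascii.hexlify(salt).decode('ascii'),
                         binascii.hexlify(digest).decode('ascii'))


def check_password(submitted, record):
    """Return True only if `submitted` hashes to the stored record."""
    if not isinstance(submitted, str) or not isinstance(record, str):
        return False  # missing form field or missing configuration: fail closed
    try:
        iterations, salt_hex, hash_hex = record.split('$')
        iterations = int(iterations)
        if iterations < 1:
            raise ValueError('bad iteration count')
        salt = binascii.unhexlify(salt_hex)
        expected = binascii.unhexlify(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    digest = hashlib.pbkdf2_hmac('sha256', submitted.encode('utf-8'), salt, iterations)
    # compare_digest takes the same time wherever the first mismatch is
    return hmac.compare_digest(digest, expected)


# Constructed sample: a record generated once by the administrator. The fixed
# salt only keeps this example reproducible; omit it to get a random one.
SAMPLE_RECORD = make_record('constructed-sample-passphrase', salt=b'\x01' * 16)
```

In the controller, the test `password == 'Your_Password'` would become `check_password(request.params.get('password'), record)`, with `record` read from configuration instead of the source file.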

Best Answer

In order to restrict access to /web/database/selector and /web/database/manager I have set up nginx as a frontend proxy in front of Odoo's webserver and applied the following rules to the /sites-enabled/examplewebsite.com (add inside server {}):

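location ~ ^/web/database/(manager|selector) {
    allow 1.2.3.4;
    deny all;
    # forward permitted requests to Odoo (same backend as "location /")
    proxy_pass http://127.0.0.1:8072;
}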

Simply replace 1.2.3.4 with an IP (preferably a fixed IP) of your choice. I have replaced it with an IP address inside my internal LAN. This will provide anyone who is not trying to access that URL from that IP address a 403 Forbidden error from nginx.

In order to set up Nginx as a frontend proxy for Odoo I have used the following steps on Debian 7.6:

1) sudo apt-get install nginx
2) sudo pico -w /etc/nginx/sites-enabled/examplewebsite.com
3) paste the following and replace examplewebsite.com with your domain, and 1.2.3.4 with the fixed IP address you would like to access your /web/database/manager and /web/database/selector links from:

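server {
    listen 80;
    server_name  www.examplewebsite.com examplewebsite.com;
    charset utf-8;

    access_log  /var/log/nginx/prolv-access.log;
    error_log   /var/log/nginx/prolv-error.log;

    # Only 1.2.3.4 may reach the database manager and selector pages
    location ~ ^/web/database/(manager|selector) {
        allow 1.2.3.4;
        deny all;

        # Without its own proxy_pass this location never reaches Odoo and
        # nginx answers the allowed IP itself (typically with a 404).
        # proxy_pass inside a regex location takes no URI part, so there is
        # no trailing slash here.
        proxy_pass         http://127.0.0.1:8072;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   X-OpenERP-dbfilter prolv;
    }

    location / {
        proxy_pass         http://127.0.0.1:8072/;
        proxy_redirect     off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   X-OpenERP-dbfilter prolv;

        client_max_body_size       200m;

    #    proxy_connect_timeout      90;
    #    proxy_send_timeout         90;
    #    proxy_read_timeout         90;

        proxy_buffer_size          128k;
        proxy_buffers              16 64k;
    #    proxy_busy_buffers_size    64k;
    #    proxy_temp_file_write_size 64k;
    }

    # Static files location
    #location ~* ^.+.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ {
    #    root   /spool/www/members_ng;
    #}
}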


Credit to Viktor for his basic Nginx config for Odoo 8.0 here
http://www.prolv.net/forum/help-1/question/nginix-setup-for-odoo-6

and NixCraft for their explanation of Nginx Access rules here:
http://www.cyberciti.biz/faq/nginx-block-url-access-all-except-one-ip-address/


Although this is by no means a complete or production-ready configuration, it has at least helped me to achieve restricting access to those URLs to a specific IP. I will be rolling a more complete nginx configuration into my Odoo 8.0 install script (forked and modified from Andre Schenkel's here - https://github.com/lukebranch/openerp-install-scripts/blob/master/odoo-saas4/ubuntu-14-04/odoo_install.sh).

There are probably better ways to do this and I welcome any comments on how this might be better implemented.

Best Answer

If you're using Apache, you could do something like this:

<Location /web/database>
    Order deny,allow
    Deny from all
    Allow from 1.2.3.4
</Location>

in your site configuration file.

This way, only the IP 1.2.3.4 can access the /web/database path. And the /web/database/manager uses this path, so...
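
The nginx rule and the Apache rule in the two answers above do not cover the same set of URLs. This added example (not code from either answer) models both rules in Python so the difference can be checked against a list of request paths, and it goes slightly beyond the text by testing a path under /web/database that neither answer names. The placeholder path and the client address 203.0.113.9 are constructed.

```python
import ipaddress
import re

ALLOWED = ipaddress.ip_network('1.2.3.4/32')  # the fixed IP used in both answers

# nginx answer: regex location followed by "allow 1.2.3.4; deny all;"
NGINX_LOCATION = re.compile(r'^/web/database/(manager|selector)')
# Apache answer: <Location /web/database> with "Deny from all / Allow from 1.2.3.4"
APACHE_PREFIX = '/web/database'


def _ip_allowed(client_ip):
    return ipaddress.ip_address(client_ip) in ALLOWED


def nginx_decision(path, client_ip):
    """'forbidden' when the regex location matches and the client is not allowed."""
    if NGINX_LOCATION.search(path) and not _ip_allowed(client_ip):
        return 'forbidden'
    return 'proxied'


def apache_decision(path, client_ip):
    """<Location> covers the path itself and everything below it."""
    inside = path == APACHE_PREFIX or path.startswith(APACHE_PREFIX + '/')
    if inside and not _ip_allowed(client_ip):
        return 'forbidden'
    return 'proxied'


def coverage(paths, client_ip):
    """Return (path, nginx result, apache result) for each path."""
    return [(p, nginx_decision(p, client_ip), apache_decision(p, client_ip))
            for p in paths]


# Constructed request paths: the two pages named in the thread, a placeholder
# for any other URL under /web/database, and the module's own password page.
SAMPLE_PATHS = [
    '/web/database/manager',
    '/web/database/selector',
    '/web/database/placeholder-endpoint',
    '/web/password',
]
```

A row where the two results differ marks a URL that the regex location lets through; widening the nginx location to the whole /web/database prefix brings it in line with the Apache rule.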

Best Answer

@Prakash, thanks for your solution (db-restrict module). It's working fine for one database, but when I create a new one and then try to access the database manager, I get a 404 error when I'm redirected to /web/password.

Please, is there any update? Thanks.


I think if the db-restrict module is installed in all the databases, then the 404 error will not show.

I rechecked it; it's installed in all databases (also, I set auto_install to true, so it was installed automatically). But the problem still persists. Also, I can access the Database Manager from /web/manager/selector without a password! But when I dropped the new database (only one kept), it worked fine. When I recreate a new one, the problem reoccurs!

Best Answer

Here is the whole explanation of removing Manage Databases: https://accounts.openerp.com/forum/Help-1/question/2615

Best Answer

Dear everyone :)

I am a new user of Odoo :)

Has anybody installed Odoo version 9.0?

I have installed it, but I didn't find a button to restore my database :(

The page is just blank with the text "Odoo".

What should I do?


Thanks in advance,

Mega

Best Answer

What do you expect exactly?

Why don't you change the master password for admin?

The user will be able to reach this page but won't be able to manipulate anything.
