Help

1

Odoo login page & Databases administration

Avatar
Gaston Huot

I'm in a process of evaluating Odoo (8) for a client.

The installation went well but when the time came to provide an access to Odoo to the client testers, I saw the "Manage databases" button under the login box. Is it a mistake or there is a way to remove this from the login page and also prevent a non-admin user from accessing the databases administration page ? It is so unusual that I'm sudenly concern  about the security of Odoo (waht about other things that I don't see).

1Comment
Avatar
Discard
Avatar
Ray Carnes
-

Clicking on the link simply gives options that are useless without the password. Why is is any less secure than www.yourbank.com/login? It shows them databases, which if they don't have the password for they can't access them.

3Answers
3
Avatar
Luke Branch
Best Answer

@gaston,

In regards to your questions you can create a module that inherits the login form and simply remove the database dropdown menu as an option. This is a very simple module and I have already implemented this functionality in a website theme module that i'm using in production now.

In regards to restricting access to the /web/database/selector and /web/database/manager pages there are a few options. You could try the following module that redirects from /web/database/manager to the website login for those without access rights to see the /web/database/manager page:

https://github.com/prakashsukraj/Odoo-DBRestrict

or you could set up Nginx as a reverse proxy in front of Odoo and simply use Nginx rules to restrict access to those pages to certain fixed IP addresses by using the example i've provided in the following forum post:

https://www.odoo.com/forum/help-1/question/how-to-show-the-manage-database-page-for-particular-user-like-administrator-in-openerp-v8-57036

Feel free to post back if you have any questions.

Avatar
Discard
1
Avatar
Gaston Huot
Best Answer

@Luke: Thanks for the tips. I will try that.

@Ray, @Juan: !!! If I well understand, it's a little bit like a lottery ? It's like saying: "I will give you my bank accounts list. Try to get in now. I'm sure that you won't be able to do anything with it..."  
Maybe it's just me, but I think it is against one of the basic rules in security: don't challenge hackers!

1Comment
Avatar
Discard
Avatar
Luke Branch
-

@Gaston, No problem. Odoo has another rather annoying 'feature' that you will probably want to disable if you have the website module installed. Go to : http://(your server url here)/website/info You'll see that Odoo displays this publicly to anyone that visits your website (and consequently search engines will pick up on this on your site eventually). This page displays all installed modules on your Odoo instance (not ideal under any circumstance really) and in my opinion is also a security risk for the same reason you mentioned above. It's easily handled in Nginx by simply adding a deny all for that url, eg: location ~ ^/website/(info) { allow 1.2.3.4; deny all; However I would highly recommend not leaving the page publicly accessible.

0
Avatar
Juan José Scarafía
Best Answer

Hi Gaston,

Without the Master Password, the users can't do anything, so there is no matter if they can acces to the Database Manager.

Regards,

Juan José - Ing ADHOC

Avatar
Discard