Odoo is the world's easiest all-in-one management software. It includes hundreds of business apps:
CRM | e-Commerce | Accounting | Inventory | PoS | Project management | MRP | etc.
I created a normal users, with no 'Technical Features' access rights granted. I logged in with this user, and opened some screen.
Now I logged in using the admin user, opened the 'users' list view and got the 'action' # from the url of this view,
From the user's url I changed the action # of the current view to be 76 same as that of the 'users' list view.
The user, which has no access rights to the 'Technical Features' was able to see the 'users' list view
Moreover, he can access groups and other technical features by changing the action id from the url
I don't need this user to see these data.
How to prevent this behavior or work around it?
About This Community
This platform is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.Register
Odoo Training Center
Access to our E-learning platform and experience all Odoo Apps through learning videos, exercises and Quizz.Test it now
|Asked: 4/25/16, 6:02 AM|
|Seen: 747 times|
|Last updated: 5/12/16, 3:06 AM|