httprequest problem | Odoo

Apps
Finance

Accounting

Invoicing

Expenses

Spreadsheet (BI)

Documents

Sign
Sales

CRM

Sales

Point of Sale - Shop

Point of Sale - Restaurant

Subscriptions

Rental
Websites

Website Builder

eCommerce

Blog

Forum

Live Chat

eLearning
Inventory & MRP

Inventory

Manufacturing

PLM

Purchase

Maintenance

Quality
Human Resources

Employees

Recruitment

Time Off

Appraisals

Referrals

Fleet
Marketing

Social Marketing

Email Marketing

SMS Marketing

Events

Marketing Automation

Surveys
Services

Project

Timesheets

Field Service

Helpdesk

Planning

Appointments
Productivity

Discuss

Approvals

IoT

VoIP

Knowledge

WhatsAppNew!
Third party apps Odoo Studio Odoo Cloud Platform
Community
Learn

Tutorials

Documentation

Certifications

Training

Podcast

Empower Education

Education Program

Scale Up! Business Game

Visit Odoo
Get the Software

Download

Compare Editions

Releases
Collaborate

Github

Forum

Events

Translations

Become a Partner

Register your Accounting Firm
Get Services

Find a Partner

Find an Accountant

Schedule a demo

Customer References

Implementation Services

Development Services

Support

Upgrades
Github Youtube Twitter Linkedin Instagram Facebook Spotify

+1 (650) 691-3277 WhatsApp with Us
Get a demo
Pricing
Contact

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Accounting
Inventory
PoS
Project management
MRP

Take the tour

Posts People Badges

odoo accounting v7 pos invoice

About this forum

httprequest problem

2194 Views

Tarek Mohamed Ibrahim

I created a normal users, with no 'Technical Features' access rights granted. I logged in with this user, and opened some screen.

Now I logged in using the admin user, opened the 'users' list view and got the 'action' # from the url of this view,

http://localhost:8069/web#page=0&limit=80&view_type=list&model=res.users&menu_id=85&action=76

From the user's url I changed the action # of the current view to be 76 same as that of the 'users' list view.

The user, which has no access rights to the 'Technical Features' was able to see the 'users' list view

Moreover, he can access groups and other technical features by changing the action id from the url

I don't need this user to see these data.

How to prevent this behavior or work around it?

Tarek Mohamed Ibrahim

Author

Moreover, I need to prevent anyone from accessing view using the URL, how to do that?

Tarek Mohamed Ibrahim

Author

Isn't there anyone tried to resolve this problem ?