Odoo Help

Welcome!

This community is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.

1

httprequest problem

By
Tarek Mohamed Ibrahim
on 4/25/16, 6:02 AM 348 views

I created a normal users, with no 'Technical Features' access rights granted. I logged in with this user, and opened some screen. 

Now I logged in using the admin user, opened the 'users' list view and got the 'action' # from the url of this view,

http://localhost:8069/web#page=0&limit=80&view_type=list&model=res.users&menu_id=85&action=76
From the user's url I changed the action # of the current view to be 76 same as that of the 'users' list view.

The user, which has no access rights to the 'Technical Features' was able to see the 'users' list view

Moreover, he can access groups and other technical features by changing the action id from the url

I don't need this user to see these data.

How to prevent this behavior or work around it?



Moreover, I need to prevent anyone from accessing view using the URL, how to do that?

Tarek Mohamed Ibrahim
on 4/28/16, 5:45 AM

Isn't there anyone tried to resolve this problem ?

Tarek Mohamed Ibrahim
on 5/1/16, 2:38 AM

Your Answer

Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!

About This Community

This community is for professionals and enthusiasts of our products and services. Read Guidelines

Question tools

1 follower(s)

Stats

Asked: 4/25/16, 6:02 AM
Seen: 348 times
Last updated: 5/12/16, 3:06 AM