I have an Odoo instance running on the internet with dbfilter active to hostname (^%h$). This works when I check the URL https://www.domain.com/web/database/selector or manager.
What I have seen now is that it is still possible to list all the Odoo databases when you do the following POST request to https://www.domain.com/jsonrpc?session_id
POST /jsonrpc?session_id HTTP/1.1
Then I get back all the databases, which is a security problem of Odoo.
Anyone who knows how to prevent that?
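
A way to check your own instance for the behaviour described in the post above, as an added example that is not part of the original post: it sends the JSON-RPC `db` service `list` call and classifies the reply. The function names, the sample replies (constructed) and the rule that only a database named exactly like the hostname should be visible under `^%h$` are assumptions of this example.

```python
import json
import urllib.request

# JSON-RPC body for the "list" method of Odoo's "db" service.
DB_LIST_CALL = {"jsonrpc": "2.0", "method": "call", "id": 1,
                "params": {"service": "db", "method": "list", "args": []}}

# Constructed sample replies, not captured from a real server.
SAMPLE_EXPOSED = ('{"jsonrpc": "2.0", "id": 1, '
                  '"result": ["www.domain.com", "customer_a", "customer_b"]}')
SAMPLE_DENIED = ('{"jsonrpc": "2.0", "id": 1, '
                 '"error": {"code": 200, "message": "Odoo Server Error"}}')


def classify(response_text, host):
    """Return (status, leaked_names) for a /jsonrpc reply to DB_LIST_CALL.

    status is "denied" (server refused to list), "filtered" (only the
    database matching the hostname came back), "exposed" (other names came
    back) or "unknown" (reply is not a JSON-RPC result or error).
    """
    try:
        reply = json.loads(response_text)
    except ValueError:
        return "unknown", []
    if not isinstance(reply, dict):
        return "unknown", []
    if "error" in reply:
        return "denied", []
    result = reply.get("result")
    if not isinstance(result, list):
        return "unknown", []
    # Assumption: with dbfilter ^%h$ the only legitimate name is the hostname.
    leaked = [name for name in result if name != host]
    return ("exposed" if leaked else "filtered"), leaked


def check_instance(base_url, host, timeout=10):
    """POST the list call to an instance you operate and classify the reply."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/jsonrpc",
        data=json.dumps(DB_LIST_CALL).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return classify(response.read().decode("utf-8", "replace"), host)
```

Setting `list_db = False` in the Odoo configuration file makes the server refuse this call, after which `check_instance` should report "denied".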