Odoo Help


Odoo login page & Databases administration

Gaston Huot
on 11/24/14, 4:51 PM 7,277 views

I'm in a process of evaluating Odoo (8) for a client.

The installation went well but when the time came to provide access to Odoo to the client testers, I saw the "Manage databases" button under the login box. Is it a mistake, or is there a way to remove this from the login page and also prevent a non-admin user from accessing the databases administration page? It is so unusual that I'm suddenly concerned about the security of Odoo (what about other things that I don't see).

Clicking on the link simply gives options that are useless without the password. Why is it any less secure than www.yourbank.com/login? It shows them databases, which if they don't have the password for they can't access them.

Ray Carnes
on 11/24/14, 6:02 PM


Luke Branch
On 11/24/14, 9:40 PM


In regards to your questions you can create a module that inherits the login form and simply remove the database dropdown menu as an option. This is a very simple module and I have already implemented this functionality in a website theme module that I'm using in production now.

In regards to restricting access to the /web/database/selector and /web/database/manager pages there are a few options. You could try the following module that redirects from /web/database/manager to the website login for those without access rights to see the /web/database/manager page:


or you could set up Nginx as a reverse proxy in front of Odoo and simply use Nginx rules to restrict access to those pages to certain fixed IP addresses by using the example I've provided in the following forum post:


Feel free to post back if you have any questions.

Gaston Huot
On 11/25/14, 9:27 AM

@Luke: Thanks for the tips. I will try that.

@Ray, @Juan: !!! If I understand well, it's a little bit like a lottery? It's like saying: "I will give you my bank accounts list. Try to get in now. I'm sure that you won't be able to do anything with it..."
Maybe it's just me, but I think it is against one of the basic rules in security: don't challenge hackers!

@Gaston, No problem. Odoo has another rather annoying 'feature' that you will probably want to disable if you have the website module installed. Go to: http://(your server url here)/website/info. You'll see that Odoo displays this publicly to anyone that visits your website (and consequently search engines will pick up on this on your site eventually). This page displays all installed modules on your Odoo instance (not ideal under any circumstance really) and in my opinion is also a security risk for the same reason you mentioned above. It's easily handled in Nginx by simply adding a deny all for that url, e.g.:

    location ~ ^/website/(info) {
        allow 192.0.2.10;  # placeholder: replace with your own fixed IP address
        deny all;
    }

However I would highly recommend not leaving the page publicly accessible.

Luke Branch
on 11/27/14, 3:17 AM
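
Added example, not part of the thread: a minimal Nginx reverse-proxy configuration for the approach described in the answer and comment above, limiting /web/database/manager, /web/database/selector and /website/info to one fixed IP address. The upstream address 127.0.0.1:8069, the hostname odoo.example.com and the address 192.0.2.10 are assumptions and placeholders.

```nginx
# Added example. Assumptions: Odoo listens on 127.0.0.1:8069;
# odoo.example.com and 192.0.2.10 are placeholders for your hostname
# and for the one fixed IP address allowed to administer databases.
upstream odoo {
    server 127.0.0.1:8069;
}

server {
    listen 80;
    server_name odoo.example.com;

    # Set once at server level; inherited by every location below.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Database manager and selector: reachable only from the fixed IP.
    # Every other client gets 403 before the request reaches Odoo.
    location ~ ^/web/database/(manager|selector) {
        allow 192.0.2.10;
        deny all;
        proxy_pass http://odoo;
    }

    # Installed-module listing published by the website module.
    location ~ ^/website/info {
        allow 192.0.2.10;
        deny all;
        proxy_pass http://odoo;
    }

    # Everything else, including the login page, stays public.
    location / {
        proxy_pass http://odoo;
    }
}
```

These rules only help if Odoo's own port cannot be reached directly from outside, so bind it to localhost or firewall it so that all traffic passes through Nginx.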
Juan José Scarafía
On 11/25/14, 9:18 AM

Hi Gaston,

Without the Master Password, the users can't do anything, so it does not matter if they can access the Database Manager.


Juan José - Ing ADHOC


Asked: 11/24/14, 4:51 PM
Seen: 7277 times
Last updated: 1/24/18, 7:48 AM