If you assign groups to a field in the following manner:
<field name="source_id" groups="base.group_system"/>
Now if I log on as a non-admin user, right-click the form view and choose 'Inspect Element', I can easily remove the invisible class of the field and see things I was not supposed to!
Isn't this a huge security hole? Or did I do something wrong? I was under the impression that this sort of thing is handled in 'fields_view_get' and the invisible field would not be rendered.
I understand that adding groups in .py prevents it from getting rendered. But I just wanted to know if specifying in XML can be made secure.
It's not a bug...
It is by design...
Groups in views are there to improve the display according to the user, not for security!
In any case, the user can read the info via XML-RPC, JSON-RPC, from another view, ...
Add the group on the field in your model if you don't want a group to be able to read the info! Documentation here: https://www.odoo.com/documentation/8.0/reference/security.html#field-access
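The distinction the answer draws can be checked from outside the web client. In Odoo 8 a `groups` attribute on a view node only marks that node invisible in the arch the server sends back; the field itself is still read and delivered to the browser, which is why removing the CSS class exposes it. A `groups` parameter on the field in the model (the documented field-access mechanism linked above, e.g. `source_id = fields.Many2one('res.partner', groups='base.group_system')` in the `.py`) is enforced by the server: `fields_get` stops listing the field for users outside the group, and an explicit `read` of it is refused. The following stand-alone XML-RPC probe is an added example, not code from the original thread or from Odoo; the server URL, database, credentials, model, record id and field name in it are placeholders to replace with your own.

```python
"""Probe whether a field is protected server-side or only hidden in the view.

Added example for the thread above (not from the original post or from Odoo).
Assumptions: an Odoo 8 server reachable at URL, a database DB, a non-admin
LOGIN/PASSWORD, and a MODEL/RECORD_ID/FIELD to test.  All are placeholders.
"""
import xmlrpc.client

URL = "http://localhost:8069"      # assumption: local Odoo 8 instance
DB = "mydb"                         # assumption
LOGIN = "demo"                      # assumption: a user outside base.group_system
PASSWORD = "demo"                   # assumption
MODEL = "res.partner"               # assumption: model carrying the field
RECORD_ID = 1                       # assumption
FIELD = "source_id"                 # field name from the question


def connect(url, db, login, password):
    """Authenticate and return (uid, proxy for the object endpoint)."""
    common = xmlrpc.client.ServerProxy(url + "/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:
        raise SystemExit("authentication failed for %s" % login)
    return uid, xmlrpc.client.ServerProxy(url + "/xmlrpc/2/object")


def probe_field(url, db, login, password, model, record_id, field):
    """Return (field_listed, read_outcome, value) as seen by this user.

    field_listed: True if fields_get() still lists the field for this user.
    read_outcome: 'readable' if an explicit read() returned the field,
                  'denied' if the server answered with a fault (AccessError).
    """
    uid, obj = connect(url, db, login, password)
    # Ask for the description of just this field; Odoo 8 omits fields whose
    # model-level groups the user does not belong to.
    described = obj.execute_kw(db, uid, password, model, "fields_get",
                               [[field]], {"attributes": ["string"]})
    field_listed = field in described
    try:
        # Explicitly requesting a restricted field makes the server refuse
        # the whole read instead of silently dropping the field.
        rec = obj.execute_kw(db, uid, password, model, "read",
                             [[record_id]], {"fields": [field]})
        return field_listed, "readable", rec[0].get(field)
    except xmlrpc.client.Fault as fault:
        return field_listed, "denied", fault.faultString


def verdict(field_listed, read_outcome):
    """Turn the two observations into a one-line conclusion."""
    if read_outcome == "readable":
        return ("LEAK: the server returns the field; a groups attribute on "
                "the view node only hides it in the client")
    if not field_listed:
        return ("OK: field filtered by model-level groups (not listed by "
                "fields_get, read refused)")
    return "OK: read refused by the server (field still listed; check ACLs)"


if __name__ == "__main__":
    listed, outcome, value = probe_field(URL, DB, LOGIN, PASSWORD,
                                         MODEL, RECORD_ID, FIELD)
    print("fields_get lists %s: %s" % (FIELD, listed))
    print("read outcome: %s (%r)" % (outcome, value))
    print(verdict(listed, outcome))
```

Run it once with only the view-level `groups="base.group_system"` from the question in place and the probe reports a leak; add `groups='base.group_system'` to the field in the model, update the module, and the same call reports the field as filtered and the read as refused.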
I searched a lot to find how to add a group to a base field, with no luck.
I can add a group to restrict access for a custom field through the UI. But when I try to do this for a base field (for example "remaining_leave" in hr.employee) I get an error.
Is there any documentation on how to add a group restriction to a base field through a module?
Asked: 5/30/15, 4:53 AM
Seen: 1341 times
Last updated: 11/2/15, 5:40 AM