Odoo Help

Welcome!

This community is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.

0

Odoo security issue for invisible fields

By
Shawn Varghese
on 5/30/15, 4:53 AM 825 views

If you assign groups to a field in the following manner:

<field name="source_id" groups="base.group_system"/>  

Now if I log on as a non-admin user, and right click the form view and choose 'Inspect Element', I can easily remove the invisible class of the field and see things I was not supposed to !

Isn't this a huge security hole? Or did I do something wrong? I was under the impression that this sort of thing is handled in 'fields_view_get' and the invisible field would not be rendered.

I understand that adding groups in .py prevents it from getting rendered. But I just wanted to know if specifying in XML can be made secure.



@Shawn,

I agree this should be looked into. I think you should open an issue on github here detailing the issue with steps to reproduce:

https://github.com/odoo/odoo/issues

I'd recommend using a similar format to the following issue submission:

https://github.com/odoo/odoo/issues/3339

And consider using licecap for an animated GIF screencapture if you think it would be better demonstrated with a visual representation:

http://www.cockos.com/licecap/

Luke Branch
on 5/30/15, 6:26 AM

Thanks Luke...my next question was going to be how to open an issue ! I will double check to see if this has already been discussed before, and if not, I'll raise it.

Shawn Varghese
on 5/30/15, 6:51 AM
2

Jérémy Kersten (jke)

--Jérémy Kersten (jke)--
2983
| 3 2 5
Jodoigne, Belgium
--Jérémy Kersten (jke)--

Jérémy is a member of the core R&D team since september 2013. He developed several projects for OpenERP version 8 including the eCommerce, the Google Calendar synchronization and the new product variants/configurator. Now, he manages Odoo website and themes for saas.

Jérémy Kersten (jke)
On 5/30/15, 10:26 AM

Hi,

It's not a bug...

It is by design...

Groups in view is there to improve the display according to the user and not for security !

In any case, user can read info in xmlrpc, jsonrpx, from other view, ...

Add group on the field from your model, if you don't want that a group can read the info ! Documentation here : https://www.odoo.com/documentation/8.0/reference/security.html#field-access

Got it, thanks for clearing that up!

Shawn Varghese
on 5/30/15, 3:54 PM
0
Mohammed Razem
On 6/12/15, 4:58 AM

I searched a lot to find how to add a Group to a Base Field with no luck.

I can add a Group to restrict access for a custom field through UI. But when I try to do this for a Base Field (for example "remaining_leave" in hr.employee) I get an error.

Is there any documentation on how to add a Group restriction to a base field through a module?

Your Answer

Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!

About This Community

This community is for professionals and enthusiasts of our products and services. Read Guidelines

Question tools

1 follower(s)

Stats

Asked: 5/30/15, 4:53 AM
Seen: 825 times
Last updated: 11/2/15, 5:40 AM