CRM | e-Commerce | Accounting | Inventory | PoS | Project management | MRP | etc.
Any user with access rights to the user list can export every single password in the system. For one, storing plain text passwords in any form is poor security and having anyone with access to all users' paswords is also poor security. You can't allow a user to create other users but ensure they can't steal everyone's passwords.
Is there any way to prevent users having access to other people's passwords even if they have the rights to create users. Example, you have an HR user that can create users but we don't want them to have access to the CEO's password. I'm sure all the executives at any company would agree.
The auth_crypt that Fabrice had suggested will encrypt the password so that it is not stored in clear text. However, I think it is still a better idea to prevent exporting password all-together (anyway, who want to export password without any malice objective in the first place). A list of enrypted passwords will make it easier for attacker to reverse engineer the hash algorithm. I'd recommend inheriting the export_data method in the res.users and remove password field from the fields_to_export.
About This Community
Odoo Training Center
|Asked: 12/12/14, 4:58 PM|
|Seen: 1065 times|
|Last updated: 3/16/15, 8:10 AM|