Odoo Help

1

Prevent users from exporting passwords in v7?

By
Sean Samborski
on 12/12/14, 4:58 PM 897 views

Any user with access rights to the user list can export every single password in the system. For one, storing plain text passwords in any form is poor security and having anyone with access to all users' paswords is also poor security. You can't allow a user to create other users but ensure they can't steal everyone's passwords.

 

Is there any way to prevent users having access to other people's passwords even if they have the rights to create users. Example, you have an HR user that can create users but we don't want them to have access to the CEO's password. I'm sure all the executives at any company would agree.

1

Ivan

--Ivan--
3290
| 5 3 6
Jakarta, Indonesia
--Ivan--
Ivan
On 12/15/14, 2:45 AM

The auth_crypt that Fabrice had suggested will encrypt the password so that it is not stored in clear text.  However, I think it is still a better idea to prevent exporting password all-together (anyway, who want to export password without any malice objective in the first place).  A list of enrypted passwords will make it easier for attacker to reverse engineer the hash algorithm.  I'd recommend inheriting the export_data method in the res.users and remove password field from the fields_to_export.
 

1

Fabrice Henrion (fhe)

--Fabrice Henrion (fhe)--
6108
| 7 7 9
San Francisco, United States
--Fabrice Henrion (fhe)--

Director Odoo USA

Fabrice Henrion (fhe)
On 12/12/14, 9:30 PM

About This Community

This platform is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.

Register

Odoo Training Center

Access to our E-learning platform and experience all Odoo Apps through learning videos, exercises and Quizz.

Test it now

Question tools

1 follower(s)

Stats

Asked: 12/12/14, 4:58 PM
Seen: 897 times
Last updated: 3/16/15, 8:10 AM