For a long time I have some concerns about a security issue. It is about fields that have to be made secret without using groups attribute. I know 2 methods to do that, which I both see as INSECURE. Let me explain.
I'm using v8 Odoo.
I have a model "my_route.
This model is connected with my logistic module by many2one. A lot of people are working with that logistc module. They have to be able to read the route's name and 1-3 fields of that route. Other 10 fields of this route should be secret and only be viewable to high privileged groups.
Method1 - Groups Attribute: The common method would be to use the groups field attribute. But I do not want use this because there is a lot of code in that logistic module, which reads these secret 10 fields for doing some calculations.
Assume I would realize it with the groups attribute, and a user would click on "Calculate Transit Time". Then, for every .browse() command inside the logistic module, Odoo will raise an access error. I think that the only way to avoid this is using browse with a SUPERUSER_ID. But: The logistic module has a lot of browse commands. I don't feel comfortable to use about 10-20 browse commands with SUPERUSER_ID. If a malicious user finds a security flaw in my logistic module, he could gain superuser rights (maybe by XSS or SQL Injection). Thereby, I think using this method is a security risk.
Method2 - Ensuring only one view for the route that requires high privileges:
I ensure that only 1 view for the route exists which requires high privileges. There shouldn't even be one accessable ListView, because the user could peep on some secret field values by using "Advanced Search" (The attribute selectable=False doesn't work to hide them!).The 1-3 fields of the route, relevant for low privileged users, is displayed directly on the logistic module for which everybody has access
Can somebody tell me which method I should use? Which is the least secure? Is there even a different method I haven't considered? Thank your for your time!
Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!
About This Community
|Asked: 11/25/15, 4:23 AM|
|Seen: 416 times|
|Last updated: 11/25/15, 4:23 AM|