Security Fear: Make fields of a model secret without using groups attribute

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Accounting
Inventory
PoS
Project management
MRP

Take the tour

Posts People Badges

Tags View all

odoo accounting v7 pos invoice

About this forum

Help

Security Fear: Make fields of a model secret without using groups attribute

2775 Views

security groups

Gregor Heger

Hi,

For a long time I have some concerns about a security issue. It is about fields that have to be made secret without using groups attribute. I know 2 methods to do that, which I both see as INSECURE. Let me explain.
I'm using v8 Odoo.
I have a model "my_route.
This model is connected with my logistic module by many2one. A lot of people are working with that logistc module. They have to be able to read the route's name and 1-3 fields of that route. Other 10 fields of this route should be secret and only be viewable to high privileged groups.

Method1 - Groups Attribute: The common method would be to use the groups field attribute. But I do not want use this because there is a lot of code in that logistic module, which reads these secret 10 fields for doing some calculations.

Assume I would realize it with the groups attribute, and a user would click on "Calculate Transit Time". Then, for every .browse() command inside the logistic module, Odoo will raise an access error. I think that the only way to avoid this is using browse with a SUPERUSER_ID. But: The logistic module has a lot of browse commands. I don't feel comfortable to use about 10-20 browse commands with SUPERUSER_ID. If a malicious user finds a security flaw in my logistic module, he could gain superuser rights (maybe by XSS or SQL Injection). Thereby, I think using this method is a security risk.

Method2 - Ensuring only one view for the route that requires high privileges:
I ensure that only 1 view for the route exists which requires high privileges. There shouldn't even be one accessable ListView, because the user could peep on some secret field values by using "Advanced Search" (The attribute selectable=False doesn't work to hide them!).The 1-3 fields of the route, relevant for low privileged users, is displayed directly on the logistic module for which everybody has access
But still, I have the feeling that this is not secure. Indeed, the secret field's content is not displayed for the user, but it may be sent to the user's browser, stored inside the memory, right? How hard would it be for the user to snoop on these secret field's data? Or is it only possible with a javascript professional, who adjusts the code to be able to peep on the secret field's data? I think this method is also a security risk.

Can somebody tell me which method I should use? Which is the least secure? Is there even a different method I haven't considered? Thank your for your time!

This question has been flagged