Odoo is the world's easiest all-in-one management software. It includes hundreds of business apps:
CRM | e-Commerce | Accounting | Inventory | PoS | Project management | MRP | etc.
For a long time I have some concerns about a security issue. It is about fields that have to be made secret without using groups attribute. I know 2 methods to do that, which I both see as INSECURE. Let me explain.
I'm using v8 Odoo.
I have a model "my_route.
This model is connected with my logistic module by many2one. A lot of people are working with that logistc module. They have to be able to read the route's name and 1-3 fields of that route. Other 10 fields of this route should be secret and only be viewable to high privileged groups.
Method1 - Groups Attribute: The common method would be to use the groups field attribute. But I do not want use this because there is a lot of code in that logistic module, which reads these secret 10 fields for doing some calculations.
Assume I would realize it with the groups attribute, and a user would click on "Calculate Transit Time". Then, for every .browse() command inside the logistic module, Odoo will raise an access error. I think that the only way to avoid this is using browse with a SUPERUSER_ID. But: The logistic module has a lot of browse commands. I don't feel comfortable to use about 10-20 browse commands with SUPERUSER_ID. If a malicious user finds a security flaw in my logistic module, he could gain superuser rights (maybe by XSS or SQL Injection). Thereby, I think using this method is a security risk.
Method2 - Ensuring only one view for the route that requires high privileges:
I ensure that only 1 view for the route exists which requires high privileges. There shouldn't even be one accessable ListView, because the user could peep on some secret field values by using "Advanced Search" (The attribute selectable=False doesn't work to hide them!).The 1-3 fields of the route, relevant for low privileged users, is displayed directly on the logistic module for which everybody has access
Can somebody tell me which method I should use? Which is the least secure? Is there even a different method I haven't considered? Thank your for your time!
About This Community
This platform is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.Register
Odoo Training Center
Access to our E-learning platform and experience all Odoo Apps through learning videos, exercises and Quizz.Test it now
|Asked: 11/25/15, 4:23 AM|
|Seen: 888 times|
|Last updated: 11/25/15, 4:23 AM|