Odoo Help

Welcome!

This community is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.

0

Why don't window action access rights work?

By
IBS
on 12/26/13, 2:59 PM 1,421 views

This is a serious security concern, defining group access rights on menu items is not enough to restrict access to actions

How do you protect against this ? someone could just try action ids one by one until they find an existing action that gives him/her access to potentially private information.

I restricted access to a window action to a specific group, but I was still able to see it with a user that doesn't belong to that group.

Edit: The same goes for views, when I define access rights, they don't work, I can still access them from other groups.

Is this a bug? or am I missing something?

0

Ray Carnes

--Ray Carnes--
15677
| 9 7 9
Greater Los Angeles, United States
--Ray Carnes--

Senior Odoo Analyst

OpenERP 6.1, 7.0 and Odoo 8.0, 9.0 (Since 2012)

Completed Functional and Technical Training.

Major Skills:

  • Needs Discovery and Requirements Analysis;

  • Function and Technical Specifications;

  • Project Planning;

  • Prototyping and Proof of concepts;

  • Data migration;

  • Configuration & Customization (UI and modules);

  • Integration - data, business logic and service levels;

  • Training and Knowledge transfer;

  • Go Live support;

  • Help desk;

  • Version Migration.

I have over 20 years of experience empowering and enabling users with enterprise information systems that make a real and measurable difference in their ability to proactively manage their businesses and organizations. 

Ray Carnes
On 12/26/13, 6:40 PM

Using groups to hide or give access to menus is more related to the needs of ergonomics or usability than the needs of security. It is a best practice to putting rules on documents and models instead of putting groups on menus. For example, hiding invoices can be done by modifying the record rule on the invoice object, and it is more efficient and safer than hiding menus related to invoices.

Similarly, using groups to hide or give access to views based on groups should also not be considered as meeting security needs.

From "Security in OpenERP: users, groups" at https://doc.openerp.com/trunk/server/04_security/

Thank your your answer, however your last suggestion does not work, I tested it but I could still access restricted views, the same goes for actions, which is the main thing I am asking about.

IBS
on 12/26/13, 6:43 PM

My suggestion was not to use groups for Views or Actions to meet your security needs.

Bista Solutions US, Ray Carnes
on 12/26/13, 6:48 PM

Assign a group to some window action and try to access it directly through action=ID in the URL from a user that don't belong to that group and you should be able to execute that action and see its results.

IBS
on 12/26/13, 7:13 PM

Your Answer

Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!

About This Community

This community is for professionals and enthusiasts of our products and services. Read Guidelines

Question tools

1 follower(s)

Stats

Asked: 12/26/13, 2:59 PM
Seen: 1421 times
Last updated: 3/16/15, 8:10 AM