Community mailing list archives

community@mail.odoo.com

Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

by Andi Becker - 11/12/2015 00:13:37
Hi Luke, the solution described in your link is no longer working in Version 9.

How to avoid users getting sent to Odoo.com to reset or create their password in Odoo 9
How to prevent users from being directed to odoo.com to reset their password or create a new one in Odoo 9

To deactivate the OAuth login you need to do the following:

1. In the admin menu, go to Settings.

correct 

2. Under Users, select OAuth providers.

In Version 9 you need to go to "General Settings" and look for Authentication ("Authentifizierung" in German).
This box seems to be checked by default, and you need to uncheck it and ignore the warning that the auth module will be uninstalled.

If you need OAuth, e.g. for authentication with Google (Docs etc.), then it is best to copy the module, move it to your custom add-ons folder and leave only those authentication providers inside (deactivate all others, e.g. odoo.com).
 
3. You will see Facebook, Google and Odoo. (You won't actually see them; there is only another option below that.)

You won't see that, as it states only the following:

"Use external authentication providers, sign in with Google..."

This text is misleading! Better wording would be:
"Use external authentication providers, sign in with Google... (Default: Odoo.com)"

Then everyone knows what might happen if they check that box and perhaps add an OAuth provider later on, as automatically everything will get directed to Odoo.com, even for people who don't even have an account there!
 
4. Select and edit Odoo.

In Version 9 you only need to uncheck that box.
 
5. On edit, uncheck Allowed.


In Version 9 this is no longer needed.

6. Save.


Don't forget to click Save! And check again whether it is still active or unchecked! If it is still checked, repeat step 4, as it should actually work - but sometimes it doesn't, e.g. when you are connected with a slow internet connection at that time.

=============

I have found the following modules to debrand your Odoo 9 installation, it seems that

by 

If you need a customized debranding I would recommend the git versions:

The best way to search for a git version is to go to http://www.odoo-code-search.com and type in "debranding". This will bring you to most git repositories of their original authors, but also to lots of those who simply copied and multiplied those versions all around the world. If you know that your company is using Qauth but can't find their module somewhere, ask them for the module and/or remind them in a friendly way of the AGPL v.3.

For those not so good at English, use the following search words:

debrand


Some other helpful links for getting rid of links are:

http://odoo.guide/debranding-odoo-backend/

https://www.odoo.com/de_DE/forum/hilfe-1/question/if-odoo-does-not-allow-to-remove-powered-by-odoo-then-why-odoo-de-branding-module-is-available-at-odoo-official-website-93041

To change the Favicon:

https://www.odoo.com/de_DE/forum/hilfe-1/question/how-to-change-favicon-38363

How to remove the website footer:

http://stackoverflow.com/questions/27372526/how-to-remove-the-powered-by-odoo-1-open-source-ecommerce-footer-from-front-end

For the backend:

http://www.hitechnologia.com/forum/odoo-forum-1/question/odoo-debranding-odoo-backend-71

https://gist.github.com/lambone/2d7a0418b810a4cc8694


=============

Thanks to Graeme Gellatly this is great professional help.

http://www.odoo-code-search.com/#name%3Adisable_openerp_online~~{%22aggregate%22%3A0}

disable_openerp_online (about 60 results - check if you can find a version for 9); on GitHub it has been forked 206 times.

e.g. https://github.com/open-synergy/server-tools/tree/8.0/disable_openerp_online

There is no version 9 available right now!

But MindAndGo has a version for Odoo 9

https://github.com/MindAndGo/server-tools/tree/9.0/disable_openerp_online

Check it out!

---

If people have a question about licensing and what they should use for their modules, or concerning debranding / rebranding and "phoning back" features, then check out the licenses to get help:

https://www.odoo.com/de_DE/forum/hilfe-1/question/odoo-licensing-queries-89399

The term "commercial" appears only one time in the whole document:

http://www.gnu.org/licenses/agpl.html

If you are using Version 9 you would also need to read the LGPL:

http://www.gnu.org/licenses/lgpl.html

Check out also the FAQ - e.g. if you want to use your stuff in a proprietary module, or if you want to avoid it being used in a proprietary module you won't have access to.

http://www.gnu.org/licenses/gpl-faq.html

And even better reading is this here - about the GPL and making money:

http://www.gnu.org/licenses/gpl-faq.html#DoesTheGPLAllowMoney


Very important part

Why you shouldn't use the Lesser GPL for your next library

http://www.gnu.org/licenses/why-not-lgpl.html

and of course 

Why the Affero GPL

Suppose you develop and release a free program under the ordinary GNU GPL. If developer D modifies the program and releases it, the GPL requires him to distribute his version under the GPL too. Thus, if you get a copy of his version, you are free to incorporate some or all of his changes into your own version.


http://www.gnu.org/licenses/why-affero-gpl.en.html

Probably you don't know:

Both the ordinary GNU GPL, version 3, and the GNU Affero GPL have text allowing you to link together modules under these two licenses in one program.


The FSF recommends two licenses: GPL v.3 and AGPL v.3

http://www.gnu.org/licenses/recommended-copylefts.html


Graeme, you are right that nobody can be forced to use a certain license unless it is simply a requirement and a must due to the fact that it links to a GPL program. On the other hand, the OCA could simply promote publishing the modules under AGPL v.3 and try to avoid that people publish them under LGPL v.3.

Why not have such a code and module search functionality on OCA, and even better a centralised repository for all modules licensed under AGPL, which gets regularly (at least daily) updated? For sure people will come and search on OCA and not on ODOO.com. Also, templates could be offered for a lower price at OCA, and for sure people again would come to check them out.

I think it is not good to follow blindly without reflection about what is actually going on in the ODOO.com roadmap. Why not simply publish a debranded version, which would for sure be used by most of the developers! Why not even publish an AGPL/LGPL version which contains all the stuff from 8 and from 9, and where nothing has been changed, use the AGPL version. Or even publish a no-module version of ODOO and let people choose themselves what they want to load and what not.

There are many ways in which the community, which contributes a lot with its ideas, with time and with coding, and not least by getting more and more customers working with Odoo, could actually be in the Community boat under at least 80% AGPL - and the rest rewritten to AGPL, already using Python v.3!

IMHO the community has so much power, but it is not at all using its power and instead follows blindly all those license changes until it is too late to switch back to AGPL, as too many parts will then have been "outsourced" and republished as proprietary software parts. Start thinking about it - actually, those who moved to Tryton already warned that this would happen, but even I did not listen to them at that time! Lesson learned, I would say!

The "follow the leader" principle can be quite disastrous for lots of community-based ODOO businesses in future if the policy is to not inform the community long before things are actually happening about the roadmap, new modules, possible license changes etc.

There are so many problems which have never been addressed - e.g. the hunger for resources of ODOO, or that it is often sloooowww and does not load completely when you are connected without a high-speed connection, or that Odoo is still using Python 2.7 even though Python with so many great features has already been out for 7 years! If this continues, then ODOO, or whatever it will be called then, is a Stone Age thing with the speed of that age.

A community like the one of ODOO, with really great companies all around the world, could do much, much better if they would stand together and put in the features which then get developed - and of course everybody will be happy if Fabien and his company join this effort, and even more so if the next release is AGPL again! Together ODOO might be strong, but with another fork like with TRYTON it would get worse. Therefore this should be avoided if not necessary. The best way of doing that is to make the Community much more powerful and let ODOO contribute to the effort, and not vice versa like right now. Who guarantees that the work effort you put into the translation, promotion, programming etc., for more or less no price, will still be useful after some parts have perhaps vanished into the Proprietary Corner? Well, then perhaps step by step more will close down their sources etc., and finally the community version will be a nice-looking house with nothing inside anymore, as all those ingredients are gone. It might be only a possible vision, but until now there is no clear statement whether more license changes will happen and more and more code will be LGPL-reduced and no longer maintained while their proprietary counterparts will be. Fact is that LGPL will give the full power to ODOO S.A., and you have to follow whether you want to or not, as they can dictate the way you will go. Let's talk again when Version 10 is out and remember what I said here!

@ Moy Lop

Please, read Fabien's message:
"If you think your website is more trustable than Odoo, all you need to do is to uninstall OAuth."


Thanks, this is one possibility to uninstall it, but if you need e.g. Google or Facebook OAuth services but your customer doesn't like that his users get in contact with Odoo, then you need to customise the module accordingly as described above.

The main point is actually less the OAuth module but the way that it is working: that it is actually doing things without the user seeing that he gets redirected to another page. They even present the company LOGO of the customer's site on the ODOO.com website, and this is IMHO nothing else than the methods usually used by phishing websites! Now I hope that Odoo is not involved in phishing, and I don't think so, but it leaves customers with exactly that impression (especially as they are using the logo to make the odoo.com site look as if it is integrated into the Odoo installation on the customer's local server).

As mentioned above, simply rename the button and make it "visible" for users what is actually happening!

I hope that also helps Daniel to set up his site more securely according to European laws, even though he is in Chile or Argentina - they have for sure not such strict laws, I guess! You are lucky! Your customers might not be ;-)

By the way, those in Germany who develop with ODOO should be aware that it could be very expensive for your customers if privacy laws get violated. This was 2013, and meanwhile the law is even much stricter and it gets enforced more and more! I guess it will soon be nearly the same in all of the EU.

http://www.dpn-datenschutz.de/wp-content/uploads/2013/09/DPN-Datenschutz_Zeitung_Ausgabe_September-2013.pdf

Have a nice day or night

Andi
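Editor's added example, not code from Andi's post, from Luke's link or from Odoo itself: the steps above are clicked through the UI, and the post's own advice is to re-check afterwards that the Odoo.com provider really is disabled. The script below does that check over Odoo's standard XML-RPC API and can apply the "uncheck Allowed" step (step 5) directly. Assumptions: the `auth_oauth` module's model is named `auth.oauth.provider` and carries the fields `name`, `auth_endpoint`, `body` and `enabled` as in Odoo 8/9, the "Allowed" checkbox is taken to be the `enabled` field, and `ODOO_HOSTS` is a constructed list of the hostnames treated as "the Odoo.com side". The `SAMPLE_PROVIDERS` records are constructed to mimic a fresh install where only the stock "Odoo" provider is enabled.

```python
"""Audit (and optionally disable) OAuth providers in an Odoo 8/9 database.

Added example; not the mailing-list post's or Odoo's own code.
Assumptions: model auth.oauth.provider with fields name, auth_endpoint,
body, enabled; the post's "Allowed" checkbox is the `enabled` field;
ODOO_HOSTS is a constructed list of hostnames counted as Odoo.com.
"""
import argparse
import xmlrpc.client
from urllib.parse import urlparse

ODOO_HOSTS = ("odoo.com", "openerp.com")  # assumption: where the stock provider sends users
FIELDS = ["name", "auth_endpoint", "body", "enabled"]

# Constructed sample: fresh install, stock "Odoo" provider enabled by default,
# Google and Facebook present but disabled.
SAMPLE_PROVIDERS = [
    {"id": 1, "name": "Odoo", "auth_endpoint": "https://accounts.odoo.com/oauth2/auth",
     "body": "Log in with Odoo.com", "enabled": True},
    {"id": 2, "name": "Google", "auth_endpoint": "https://accounts.google.com/o/oauth2/auth",
     "body": "Log in with Google", "enabled": False},
    {"id": 3, "name": "Facebook", "auth_endpoint": "https://www.facebook.com/dialog/oauth",
     "body": "Log in with Facebook", "enabled": False},
]


def provider_host(endpoint):
    """Hostname the provider's authorization endpoint redirects the browser to."""
    return (urlparse(endpoint or "").hostname or "").lower()


def is_odoo_hosted(endpoint):
    """True if the endpoint host is one of ODOO_HOSTS or a subdomain of it."""
    host = provider_host(endpoint)
    return any(host == h or host.endswith("." + h) for h in ODOO_HOSTS)


def audit_providers(providers):
    """Return the enabled providers that redirect logins to Odoo.com.

    Only providers that are both enabled and Odoo-hosted are findings; a
    disabled stock provider, or an enabled Google/Facebook one the admin
    chose deliberately, is not flagged.
    """
    findings = []
    for p in providers:
        if p.get("enabled") and is_odoo_hosted(p.get("auth_endpoint")):
            findings.append({"id": p["id"], "name": p["name"],
                             "host": provider_host(p["auth_endpoint"]),
                             "button": p.get("body") or ""})
    return findings


def connect(url, db, username, password):
    """Authenticate over XML-RPC; returns (uid, object-endpoint proxy)."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, username, password, {})
    if not uid:
        raise PermissionError("Odoo rejected the credentials")
    return uid, xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")


def fetch_providers(models, db, uid, password):
    """Read all provider records with the fields the audit needs."""
    return models.execute_kw(db, uid, password, "auth.oauth.provider",
                             "search_read", [[]], {"fields": FIELDS})


def disable_providers(models, db, uid, password, ids):
    """Same effect as unchecking 'Allowed' on each provider; False if nothing to do."""
    if not ids:
        return False
    return models.execute_kw(db, uid, password, "auth.oauth.provider",
                             "write", [ids, {"enabled": False}])


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("--url", default="http://localhost:8069")
    ap.add_argument("--db", required=True)
    ap.add_argument("--user", default="admin")
    ap.add_argument("--password", required=True)
    ap.add_argument("--disable", action="store_true",
                    help="uncheck 'Allowed' on every flagged provider")
    args = ap.parse_args()
    uid, models = connect(args.url, args.db, args.user, args.password)
    found = audit_providers(fetch_providers(models, args.db, uid, args.password))
    for f in found:
        print(f"ENABLED provider '{f['name']}' sends logins to {f['host']} "
              f"(button text: {f['button']!r})")
    if not found:
        print("No enabled provider redirects logins to Odoo.com")
    elif args.disable:
        disable_providers(models, args.db, uid, args.password, [f["id"] for f in found])
        print("Disabled; re-run the audit to confirm, as the post advises")
```

Run it once after the UI steps (`python audit_oauth.py --db mydb --password ...`) and again after saving; an empty report is the confirmation the post asks for. The printed button text is the label users see, which is what the post suggests renaming so the redirect is visible.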