Community: Framework mailing list archives

expert-framework@mail.odoo.com

Re: Clarification on Accessing functionality through URL manipulation

by Martin Trigaux (mat) - 06/26/2015 09:03:36
Hello,

To clarify a bit the security aspect:

Setting groups on a menu, view, etc. is to restrict the access on the
view level. Meaning yes, the user will not see this particular menu or
this particular way to render the data. It does not restrict the access
to the data itself.

To restrict the access to some models or record rules, you need to
define some security rules (ir.model.access for models, ir.rule for
records). See security documentation for more details[1].

Now in the case of the URL, we restricted the access to the menu
"Settings" to some users.
However, the data the user is accessing through this interface is mainly
metadata (the configuration, the models, the views, the actions, the
security rules...). Most (but not all) of these metadata are NOT
considered confidential data in read access. You even must be able
to read the view definitions, the actions, the external ids, etc. to use
Odoo. However, on most you will not have write access (hopefully).

Accessing it through some URL manipulations is just accessing public
(and necessary) data in some representation made for administrators but
it should not be harmful as you are not able to alter it.

Martin

[1] https://www.odoo.com/documentation/8.0/howtos/backend.html#security

On 26/06/15 13:41, Combase Home wrote:
> Hi all,
> 
> When setting group based permissions to a certain model or action, the
> menu items that are used to navigate to those views are also restricted
> (i.e. not shown in tree). For instance, Settings are shown only for the
> admin and not for other users.
> 
> But I noticed that when logged in as an ordinary user (i.e. non admin, HR
> Employee type) even though the menus are not shown to the user, the user
> can change id attributes in the URL through the browser address bar and
> access certain restricted features throughout the application, even
> features only available to Admin under normal circumstances (e.g. Access
> Controls List, Scheduled Actions, Server Actions etc).
> 
> Is there a way to stop this from happening? Is there some sort of a
> configuration we have to add?
> 
> Or is this a limitation of Odoo?
> 
> Any help or feedback would be greatly appreciated.
> 
> Thanks and best regards,
> Nishendra.
> 
> _______________________________________________
> Mailing-List: https://www.odoo.com/groups/community-framework-62
> Post to: mailto:expert-framework@mail.odoo.com
> Unsubscribe: https://www.odoo.com/groups?unsubscribe
> 

-- 
Martin Trigaux
Odoo (Formerly OpenERP)
https://odoo.com
https://github.com/mart-e
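The distinction Martin draws above (menu groups hide the UI; ir.model.access and ir.rule protect the data) is easy to see side by side in a single Odoo 8.0 data file. The following is an added example written for this archive page, not code from the thread or from Odoo itself. It assumes a hypothetical module `my_module` with a hypothetical model `my_module.note` that has a many2one field `user_id`, and a hypothetical action `action_my_notes`; the group external ids `base.group_user` and `base.group_system` are real ones shipped with Odoo.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example for a hypothetical module "my_module" (not part of the
     original thread). The model my_module.note and the action action_my_notes
     are assumptions; the ir.model record for the model gets the auto-generated
     external id model_my_module_note. -->
<openerp>
  <data noupdate="1">

    <!-- UI level only: users outside base.group_system will not see this menu,
         but that says nothing about whether they can read or write the records
         behind it (for example by editing the model/id in the URL). -->
    <menuitem id="menu_my_notes" name="Notes" action="action_my_notes"
              groups="base.group_system"/>

    <!-- Data level, model-wide: ir.model.access decides what each group may do
         on my_module.note. Without any ACL for a group, that group cannot reach
         the model at all, regardless of which menus it can see. -->
    <record id="access_my_note_user" model="ir.model.access">
      <field name="name">my_module.note: employee read</field>
      <field name="model_id" ref="model_my_module_note"/>
      <field name="group_id" ref="base.group_user"/>
      <field name="perm_read" eval="1"/>
      <field name="perm_write" eval="0"/>
      <field name="perm_create" eval="0"/>
      <field name="perm_unlink" eval="0"/>
    </record>

    <record id="access_my_note_admin" model="ir.model.access">
      <field name="name">my_module.note: administrator full access</field>
      <field name="model_id" ref="model_my_module_note"/>
      <field name="group_id" ref="base.group_system"/>
      <field name="perm_read" eval="1"/>
      <field name="perm_write" eval="1"/>
      <field name="perm_create" eval="1"/>
      <field name="perm_unlink" eval="1"/>
    </record>

    <!-- Data level, per record: ir.rule narrows the rows a group can touch.
         Here employees only see notes whose user_id is themselves; "user" is
         the current user in the rule's domain evaluation context. -->
    <record id="rule_my_note_own" model="ir.rule">
      <field name="name">my_module.note: own records only</field>
      <field name="model_id" ref="model_my_module_note"/>
      <field name="domain_force">[('user_id', '=', user.id)]</field>
      <field name="groups" eval="[(4, ref('base.group_user'))]"/>
    </record>

  </data>
</openerp>
```

In a real module the two ir.model.access records would usually live in `security/ir.model.access.csv` instead; the XML form is equivalent and is used here only so the three layers sit in one file. The check that matters for the question raised in the thread is done from the data side, not the menu side: log in as a plain employee, open a record of the model by its model name and id in the URL (or through XML-RPC), and confirm that a write is refused and that only the user's own rows are returned, while the hidden menu is merely a convenience for administrators.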