Technical mailing list archives

Clarification on Accessing functionality through URL manipulation

- 06/26/2015 07:27:31
Hi all,

When setting group based permissions to a certain model or action, the menu items that are used to navigate to those views are also restricted (i.e. not shown in tree). For instance, Settings are shown only for the admin and not for other users.

But I noticed that when logged in as a ordinary user (i.e. non admin, HR Employee type) even though the menus are not shown to the user, the user can change id attributes in the URL through the browser address bar and access certain restricted features throughout the application, even features only available to Admin under normal circumstances (e.g. Access Controls List, Scheduled Actions, Server Actions etc).

Is there a way to stop this from happening? Is there some sort of a configuration we have to add?

Or is this a limitation of Odoo?

Any help or feedback would be greatly appreciated.

Thanks and best regards,