Technical mailing list archives

Re: Clarification on Accessing functionality through URL manipulation

- 07/08/2015 04:07:36
Yes, you can change the perms to suit your needs, and if you think the default settings are unsafe it would be nice of you to file a bug report on
Lionel Sausin.

On 08/07/2015 07:56, Combase Home wrote:
Hello Martin,

Thank you very much for your feedback.

You mentioned that most of the admin features and metadata that can be accessed through the URL by normal users will not have write access for normal users. This is true for a lot of such features like the Access Controls List, General settings etc.

However we have found out that there are some features, such as creating and editing email templates, that normal users have write access to. Normal users can view all available email templates by accessing it from the URL (i.e. changing the action id) even though the relevant menu item is not available to them, and then can edit existing templates or create new ones to be triggered with actions.

This, in my opinion, would be a considerable risk. Just a suggestion, but wouldn't it be better to restrict this data as well for normal users and let only the admin see them? If and when an organisation needs to give other users access to this data, they can set the permissions accordingly?

Thanks in advance!

On Friday, June 26, 2015 7:18 PM, Martin Trigaux <> wrote:


To clarify a bit the security aspect:

Setting groups on a menu, view, ... is to restrict access at the
view level. Meaning yes, the user will not see this particular menu or
this particular way to render the data. It does not restrict the access
to the data itself.

To restrict the access to some models or record rules, you need to
define some security rules (ir.model.access for models, ir.rule for
records). See security documentation for more details[1].

Now in the case of the URL, we restricted the access to the menu
"Settings" to some users.
However, the data the user is accessing through this interface is mainly
metadata (the configuration, the models, the views, the actions, the
security rules...). Most (but not all) of these metadata are NOT
considered confidential data in read access. You must even be able
to read the view definitions, the actions, the external ids, etc. to use
Odoo. However, on most you will not have write access (hopefully).

Accessing it through some URL manipulations is just accessing public
(and necessary) data in some representation made for administrators but
it should not be harmful as you are not able to alter it.



On 26/06/15 13:41, Combase Home wrote:
> Hi all,
> When setting group based permissions to a certain model or action, the
> menu items that are used to navigate to those views are also restricted
> (i.e. not shown in tree). For instance, Settings are shown only for the
> admin and not for other users.
> But I noticed that when logged in as an ordinary user (i.e. non admin, HR
> Employee type) even though the menus are not shown to the user, the user
> can change id attributes in the URL through the browser address bar and
> access certain restricted features throughout the application, even
> features only available to Admin under normal circumstances (e.g. Access
> Controls List, Scheduled Actions, Server Actions etc).
> Is there a way to stop this from happening? Is there some sort of a
> configuration we have to add?
> Or is this a limitation of Odoo?
> Any help or feedback would be greatly appreciated.
> Thanks and best regards,
> Nishendra.

Martin Trigaux
Odoo (Formerly OpenERP)
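The thread turns on a distinction that is easy to get wrong: the groups set on a menu or action decide only what the UI shows, while what a user can actually read or write is decided by the model access table (ir.model.access) and the record rules (ir.rule). The following is an added example, not Odoo's own code and not code from anyone in this thread: a small Python model of those three layers with the same evaluation order. Model names (x.mail.template, x.model.access), menu names, the sample ACL rows and the record rule are all constructed for the demonstration; the rule-combination semantics (global rules AND'ed, group rules OR'ed) are a simplification of Odoo's and are stated here as an assumption. It reproduces the situation Combase describes (the Settings menu hidden, yet templates writable by every employee) and the fix Lionel points to (tightening the access row rather than the menu).

```python
# Added example: a toy re-implementation of the access layers discussed in
# the thread. NOT Odoo code; all names and rows below are constructed.
from dataclasses import dataclass
from typing import Callable, Iterable, List

Record = dict
Predicate = Callable[[dict, Record], bool]   # (user, record) -> allowed?


@dataclass(frozen=True)
class AccessRow:
    """One ir.model.access-style line: CRUD flags for a (model, group) pair."""
    model: str
    group: str
    read: bool
    write: bool
    create: bool
    unlink: bool


@dataclass(frozen=True)
class RecordRule:
    """One ir.rule-style rule. An empty groups tuple means a global rule."""
    model: str
    groups: tuple
    predicate: Predicate
    ops: tuple = ("read", "write", "create", "unlink")


# Layer 1: which groups may see a menu. Presentation only; never consulted
# by the data-access check below, which is the whole point of the thread.
MENU_GROUPS = {"menu_settings": {"base.group_system"}}

# Layer 2, constructed to mirror the thread: templates writable by every
# employee, the ACL table itself read-only for them.
DEFAULT_ACL: List[AccessRow] = [
    AccessRow("x.mail.template", "base.group_user", True, True, True, True),
    AccessRow("x.mail.template", "base.group_system", True, True, True, True),
    AccessRow("x.model.access", "base.group_user", True, False, False, False),
    AccessRow("x.model.access", "base.group_system", True, True, True, True),
]

# Hardened variant: employees keep read access, only admins may change templates.
HARDENED_ACL: List[AccessRow] = [
    AccessRow("x.mail.template", "base.group_user", True, False, False, False)
] + [r for r in DEFAULT_ACL
     if not (r.model == "x.mail.template" and r.group == "base.group_user")]

# Layer 3: one global record rule (assumed): a template is visible only
# within the user's own companies.
RULES: List[RecordRule] = [
    RecordRule("x.mail.template", (),
               lambda user, rec: rec["company_id"] in user["company_ids"]),
]


def menu_visible(user: dict, menu: str) -> bool:
    """Layer 1: the user sees the menu if they are in any of its groups."""
    return bool(MENU_GROUPS.get(menu, set()) & set(user["groups"]))


def model_allowed(acl: Iterable[AccessRow], user: dict, model: str, op: str) -> bool:
    """Layer 2: rows for any of the user's groups are OR'ed together."""
    return any(getattr(row, op) for row in acl
               if row.model == model and row.group in user["groups"])


def record_allowed(rules: Iterable[RecordRule], user: dict, model: str,
                   op: str, record: Record) -> bool:
    """Layer 3 (assumed semantics): global rules AND'ed, group rules OR'ed,
    then both results AND'ed."""
    relevant = [r for r in rules if r.model == model and op in r.ops]
    global_ok = all(r.predicate(user, record) for r in relevant if not r.groups)
    grp = [r for r in relevant if r.groups and set(r.groups) & set(user["groups"])]
    group_ok = True if not grp else any(r.predicate(user, record) for r in grp)
    return global_ok and group_ok


def can(acl, rules, user: dict, model: str, op: str, record: Record = None) -> bool:
    """Full data-access check. Menu visibility is deliberately not consulted:
    reaching a view by editing the URL changes nothing here."""
    if not model_allowed(acl, user, model, op):
        return False
    return record is None or record_allowed(rules, user, model, op, record)


# Constructed users and records.
EMPLOYEE = {"groups": ["base.group_user"], "company_ids": [1]}
ADMIN = {"groups": ["base.group_user", "base.group_system"], "company_ids": [1, 2]}
TEMPLATE = {"id": 7, "company_id": 1}
OTHER_CO_TEMPLATE = {"id": 8, "company_id": 2}


def demo() -> dict:
    """Walk through the thread's scenario and the hardened configuration."""
    return {
        "employee_sees_settings_menu": menu_visible(EMPLOYEE, "menu_settings"),
        "employee_write_template_default": can(DEFAULT_ACL, RULES, EMPLOYEE, "x.mail.template", "write", TEMPLATE),
        "employee_write_template_hardened": can(HARDENED_ACL, RULES, EMPLOYEE, "x.mail.template", "write", TEMPLATE),
        "employee_read_template_hardened": can(HARDENED_ACL, RULES, EMPLOYEE, "x.mail.template", "read", TEMPLATE),
        "employee_write_acl_table": can(DEFAULT_ACL, RULES, EMPLOYEE, "x.model.access", "write"),
        "employee_read_other_company": can(DEFAULT_ACL, RULES, EMPLOYEE, "x.mail.template", "read", OTHER_CO_TEMPLATE),
        "admin_write_other_company": can(ADMIN, "x.mail.template", "write", OTHER_CO_TEMPLATE) if False else can(DEFAULT_ACL, RULES, ADMIN, "x.mail.template", "write", OTHER_CO_TEMPLATE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real Odoo module the second layer is the ir.model.access.csv file and the third is an ir.rule record; the example's hardened variant corresponds to changing the employee row's write/create/unlink flags for the template model, which is the kind of permission change Lionel's reply refers to. The menu-level check is kept in the code only to show that it plays no part in the data decision.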