Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Apskaita
Atsarga
PoS
Projektas
MRP

All apps

All Posts People Badges

Žymos (View all)

odoo accounting v14 pos v15

About this forum

Pagalba

Odoo security issue for invisible fields

security v8 fields invisible

5 Replies

6031 Rodiniai

Shawn Varghese

If you assign groups to a field in the following manner:

<field name="source_id" groups="base.group_system"/>

Now if I log on as a non-admin user, and right click the form view and choose 'Inspect Element', I can easily remove the invisible class of the field and see things I was not supposed to !

Isn't this a huge security hole? Or did I do something wrong? I was under the impression that this sort of thing is handled in 'fields_view_get' and the invisible field would not be rendered.

I understand that adding groups in .py prevents it from getting rendered. But I just wanted to know if specifying in XML can be made secure.

Luke Branch

@Shawn,

I agree this should be looked into. I think you should open an issue on github here detailing the issue with steps to reproduce:

https://github.com/odoo/odoo/issues

I'd recommend using a similar format to the following issue submission:

https://github.com/odoo/odoo/issues/3339

And consider using licecap for an animated GIF screencapture if you think it would be better demonstrated with a visual representation:

http://www.cockos.com/licecap/

Shawn Varghese

Autorius

Thanks Luke...my next question was going to be how to open an issue ! I will double check to see if this has already been discussed before, and if not, I'll raise it.

Jérémy Kersten (jke)

Best Answer

Hi,

It's not a bug...

It is by design...

Groups in view is there to improve the display according to the user and not for security !

In any case, user can read info in xmlrpc, jsonrpx, from other view, ...

Add group on the field from your model, if you don't want that a group can read the info ! Documentation here : https://www.odoo.com/documentation/8.0/reference/security.html#field-access

Shawn Varghese

Autorius

Got it, thanks for clearing that up!

Mohammed Razem

I searched a lot to find how to add a Group to a Base Field with no luck.

I can add a Group to restrict access for a custom field through UI. But when I try to do this for a Base Field (for example "remaining_leave" in hr.employee) I get an error.

Is there any documentation on how to add a Group restriction to a base field through a module?

Enjoying the discussion? Don't just read, join in!

Create an account today to enjoy exclusive features and engage with our awesome community!

Registracija

Related Posts	Replies	Rodiniai
Is there a way to apply read, write permissions per field? Or turn to read-only based on user groups? security v8 fields permissions	0 kov. 15	4889
Field level 'read' access rights missing in Odoo 8.0? security v8 fields orm	1 kov. 15	7465
Field Read-only for certain users (logged-in) security fields	2 rugp. 20	3661
how to hide a field if empty in view mode and view it in edit mode (odoo11)? fields invisible	0 lapkr. 17	6248
How to change inherited fields group? security fields res.users	1 lapkr. 24	1795

This question has been flagged

Enjoying the discussion? Don't just read, join in!