Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Boekhouding
Voorraad
PoS
Project
MRP

All apps

Alle posts Personen Badges

Labels (Bekijk alle)

odoo accounting v14 pos v15

Over dit forum

Help

Security Fear: Make fields of a model secret without using groups attribute

security groups

5708 Weergaven

Gregor Heger

Hi,

For a long time I have some concerns about a security issue. It is about fields that have to be made secret without using groups attribute. I know 2 methods to do that, which I both see as INSECURE. Let me explain.
I'm using v8 Odoo.
I have a model "my_route.
This model is connected with my logistic module by many2one. A lot of people are working with that logistc module. They have to be able to read the route's name and 1-3 fields of that route. Other 10 fields of this route should be secret and only be viewable to high privileged groups.

Method1 - Groups Attribute: The common method would be to use the groups field attribute. But I do not want use this because there is a lot of code in that logistic module, which reads these secret 10 fields for doing some calculations.

Assume I would realize it with the groups attribute, and a user would click on "Calculate Transit Time". Then, for every .browse() command inside the logistic module, Odoo will raise an access error. I think that the only way to avoid this is using browse with a SUPERUSER_ID. But: The logistic module has a lot of browse commands. I don't feel comfortable to use about 10-20 browse commands with SUPERUSER_ID. If a malicious user finds a security flaw in my logistic module, he could gain superuser rights (maybe by XSS or SQL Injection). Thereby, I think using this method is a security risk.

Method2 - Ensuring only one view for the route that requires high privileges:
I ensure that only 1 view for the route exists which requires high privileges. There shouldn't even be one accessable ListView, because the user could peep on some secret field values by using "Advanced Search" (The attribute selectable=False doesn't work to hide them!).The 1-3 fields of the route, relevant for low privileged users, is displayed directly on the logistic module for which everybody has access
But still, I have the feeling that this is not secure. Indeed, the secret field's content is not displayed for the user, but it may be sent to the user's browser, stored inside the memory, right? How hard would it be for the user to snoop on these secret field's data? Or is it only possible with a javascript professional, who adjusts the code to be able to peep on the secret field's data? I think this method is also a security risk.

Can somebody tell me which method I should use? Which is the least secure? Is there even a different method I haven't considered? Thank your for your time!

Geniet je van het gesprek? Blijf niet alleen lezen, doe ook mee!

Maak vandaag nog een account aan om te profiteren van exclusieve functies en deel uit te maken van onze geweldige community!

Aanmelden

Gerelateerde posts	Antwoorden	Weergaven
How to display a view with one field removed for certain groups? security groups	1 mrt. 15	9257
access rights manual Opgelost security groups	1 mrt. 15	5748
Permission for a group to edit a single field only? Opgelost security v7 groups	10 dec. 23	37889
Make Field Read Only for specific Group Opgelost security fields groups	1 okt. 25	10945
How to set up security groups properly in this case? security models groups	1 sep. 21	4489

Deze vraag is gerapporteerd

Geniet je van het gesprek? Blijf niet alleen lezen, doe ook mee!