Skip to Content
Musisz się zarejestrować, aby móc wchodzić w interakcje z tą społecznością.
Wszystkie posty Osoby Odznaki
Tagi (Zobacz wszystko)
odoo accounting v14 pos v15
O tym forum
To pytanie dostało ostrzeżenie
actions
1 Odpowiedz
9392 Widoki
Awatar
IBS Group

This is a serious security concern, defining group access rights on menu items is not enough to restrict access to actions

How do you protect against this ? someone could just try action ids one by one until they find an existing action that gives him/her access to potentially private information.

I restricted access to a window action to a specific group, but I was still able to see it with a user that doesn't belong to that group.

Edit: The same goes for views, when I define access rights, they don't work, I can still access them from other groups.

Is this a bug? or am I missing something?

Awatar
Odrzuć
Awatar
Ray Carnes
Najlepsza odpowiedź

Using groups to hide or give access to menus is more related to the needs of ergonomics or usability than the needs of security. It is a best practice to putting rules on documents and models instead of putting groups on menus. For example, hiding invoices can be done by modifying the record rule on the invoice object, and it is more efficient and safer than hiding menus related to invoices.

Similarly, using groups to hide or give access to views based on groups should also not be considered as meeting security needs.

From "Security in OpenERP: users, groups" at https://doc.openerp.com/trunk/server/04_security/

Awatar
Odrzuć
IBS Group
Autor

Thank your your answer, however your last suggestion does not work, I tested it but I could still access restricted views, the same goes for actions, which is the main thing I am asking about.

Ray Carnes

My suggestion was not to use groups for Views or Actions to meet your security needs.

IBS Group
Autor

Assign a group to some window action and try to access it directly through action=ID in the URL from a user that don't belong to that group and you should be able to execute that action and see its results.

Powiązane posty Odpowiedzi Widoki Czynność
My ir.actions.server isn't being triggered on sales order save, why?
actions
Awatar
1
mar 15
6012
Why don't window action access rights work?
actions
Awatar
0
mar 15
4409
Why don't window action access rights work?
actions
Awatar
0
mar 15
4672
Server action triggering Server action (Odoo 12)
actions server_actions
Awatar
0
mar 25
1416
Prevent Users to Devliver more than demanded quantity. Rozwiązane
actions stock.move
Awatar
Awatar
2
paź 24
2608