Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Financeiro
Inventário
PoS
Projeto
MRP

All apps

Todas as publicações Pessoas Emblemas

Marcadores (Ver tudo)

odoo accounting v14 pos v15

Sobre este fórum

Ajuda

Odoo security issue for invisible fields

security v8 fields invisible

5 Respostas

6044 Visualizações

Shawn Varghese

If you assign groups to a field in the following manner:

<field name="source_id" groups="base.group_system"/>

Now if I log on as a non-admin user, and right click the form view and choose 'Inspect Element', I can easily remove the invisible class of the field and see things I was not supposed to !

Isn't this a huge security hole? Or did I do something wrong? I was under the impression that this sort of thing is handled in 'fields_view_get' and the invisible field would not be rendered.

I understand that adding groups in .py prevents it from getting rendered. But I just wanted to know if specifying in XML can be made secure.

Luke Branch

@Shawn,

I agree this should be looked into. I think you should open an issue on github here detailing the issue with steps to reproduce:

https://github.com/odoo/odoo/issues

I'd recommend using a similar format to the following issue submission:

https://github.com/odoo/odoo/issues/3339

And consider using licecap for an animated GIF screencapture if you think it would be better demonstrated with a visual representation:

http://www.cockos.com/licecap/

Shawn Varghese

Autor

Thanks Luke...my next question was going to be how to open an issue ! I will double check to see if this has already been discussed before, and if not, I'll raise it.

Jérémy Kersten (jke)

Melhor resposta

Hi,

It's not a bug...

It is by design...

Groups in view is there to improve the display according to the user and not for security !

In any case, user can read info in xmlrpc, jsonrpx, from other view, ...

Add group on the field from your model, if you don't want that a group can read the info ! Documentation here : https://www.odoo.com/documentation/8.0/reference/security.html#field-access

Shawn Varghese

Autor

Got it, thanks for clearing that up!

Mohammed Razem

I searched a lot to find how to add a Group to a Base Field with no luck.

I can add a Group to restrict access for a custom field through UI. But when I try to do this for a Base Field (for example "remaining_leave" in hr.employee) I get an error.

Is there any documentation on how to add a Group restriction to a base field through a module?

Está gostando da discussão? Não fique apenas lendo, participe!

Crie uma conta hoje mesmo para aproveitar os recursos exclusivos e interagir com nossa incrível comunidade!

Publicações relacionadas	Respostas	Visualizações
Is there a way to apply read, write permissions per field? Or turn to read-only based on user groups? security v8 fields permissions	0 mar. 15	4901
Field level 'read' access rights missing in Odoo 8.0? security v8 fields orm	1 mar. 15	7484
Field Read-only for certain users (logged-in) security fields	2 ago. 20	3676
how to hide a field if empty in view mode and view it in edit mode (odoo11)? fields invisible	0 nov. 17	6264
How to change inherited fields group? security fields res.users	1 nov. 24	1820

Esta pergunta foi sinalizada

Está gostando da discussão? Não fique apenas lendo, participe!