Skip to Content
Menu
This question has been flagged
1 Odpoveď
645 Zobrazenia

In Odoo if you are member of any accounting group, you can access both AR and AP records

Using groups in menus can separate access, but this can easily be bypassed by bookmarking the URL  like "http://odoo16/web#action=249&model=account.payment&view_type=list&cids=1"

Is there a more secure way of preventing access?  I'm thinking of a custom search function.  But is there a better way? 

Avatar
Zrušiť
Autor Best Answer

I have found solution by overriding the controller

import logging

from odoo.addons.web.controllers.action import Action

from odoo.exceptions import AccessDenied

from odoo.http import Controller, request, route



_logger = logging.getLogger(__name__)



class SecureAction(Action):


@route('/web/action/load', type='json', auth="user")

def load(self, action_id, additional_context=None):

retval = super().load(action_id, additional_context)

if 'id' in retval:

window_action = request.env['ir.actions.act_window'].sudo().browse(retval.get('id'))

if window_action.allowed_groups_id:

if not any(allowed_group in request.env.user.groups_id for allowed_group in window_action.allowed_groups_id):

raise AccessDenied(

'{} ({}) can only be accessed by {}'.format(

window_action.display_name,window_action.xml_id,', '.join(window_action.mapped('allowed_groups_id.full_name')))

)

return retval

Also adding special field in Window Action

from odoo import models, fields, api, _

from datetime import datetime, timedelta

import logging


_logger = logging.getLogger(__name__)


class WindowAction(models.Model):

_inherit = 'ir.actions.act_window'


allowed_groups_id = fields.Many2many('res.groups',relation="rel_allowed_groups_window_action")


View code

<odoo>

<record id="view_window_action_form" model="ir.ui.view">

<field name="inherit_id" ref="base.view_window_action_form"/>

<field name="model">ir.actions.act_window</field>

<field name="arch" type="xml">

<notebook>

<page name="allowed_groups" string="Allowed Groups">

<field name="allowed_groups_id" nolabel="1">

<tree editable="bottom">

<field name="full_name"/>

</tree>

</field>

</page>

</notebook>

</field>

</record>

</odoo>

Anybody else have another idea? 







Avatar
Zrušiť
Related Posts Replies Zobrazenia Aktivita
0
mar 15
3684
0
aug 25
143
1
aug 25
277
0
aug 25
198
2
aug 25
217