If you assign groups to a field in the following manner:
<field name="source_id" groups="base.group_system"/>
Now if I log on as a non-admin user, right click the form view and choose 'Inspect Element', I can easily remove the invisible class of the field and see things I was not supposed to!
Isn't this a huge security hole? Or did I do something wrong? I was under the impression that this sort of thing is handled in 'fields_view_get' and the invisible field would not be rendered.
I understand that adding groups in .py prevents it from getting rendered. But I just wanted to know if specifying in XML can be made secure.
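The point in the question, as an added toy illustration (not code from the original post or from Odoo itself): a server that only flags a restricted view field as invisible still delivers it to the browser, where the owner of the browser can simply delete the flag, whereas a server that drops the node before sending the view leaves nothing to unhide. The view arch, the group names and the user are constructed for the demo, and the `groups` handling is simplified (comma-separated group list, no negation).

```python
# Toy model of where a `groups` restriction on a view field is enforced.
# Constructed demo data; not Odoo's implementation.
import xml.etree.ElementTree as ET

VIEW_ARCH = """<form>
  <field name="name"/>
  <field name="source_id" groups="base.group_system"/>
</form>"""


def render_for_user(arch, user_groups, strip_nodes):
    """Server-side view processing.
    strip_nodes=False: the restricted field is only flagged invisible,
                       so the markup still reaches the client.
    strip_nodes=True:  the node is removed before the arch leaves the server."""
    root = ET.fromstring(arch)
    for parent in list(root.iter()):          # snapshot: we mutate children below
        for node in list(parent):
            groups = node.get("groups")
            if not groups:
                continue
            if set(groups.split(",")) & set(user_groups):
                continue                      # user is in at least one group
            if strip_nodes:
                parent.remove(node)
            else:
                node.set("invisible", "1")
    return ET.tostring(root, encoding="unicode")


def client_unhide(arch):
    """What 'Inspect Element' amounts to: the browser owner deletes the
    invisible flag from whatever markup was delivered to them."""
    root = ET.fromstring(arch)
    for node in root.iter():
        node.attrib.pop("invisible", None)
    return ET.tostring(root, encoding="unicode")


def visible_fields(arch):
    """Field names a user would see in the rendered form."""
    root = ET.fromstring(arch)
    return [n.get("name") for n in root.iter("field") if n.get("invisible") != "1"]


if __name__ == "__main__":
    user = ["base.group_user"]                # constructed: a non-admin user
    hidden = render_for_user(VIEW_ARCH, user, strip_nodes=False)
    stripped = render_for_user(VIEW_ARCH, user, strip_nodes=True)
    print(visible_fields(client_unhide(hidden)))    # ['name', 'source_id']
    print(visible_fields(client_unhide(stripped)))  # ['name']
```

Removing the view node is only half of it: the server must also withhold the field's value from record reads for that user, which is what a restriction on the field definition itself (rather than on the view) gives you.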
@Shawn,
I agree this should be looked into. I think you should open an issue on github here detailing the issue with steps to reproduce:
https://github.com/odoo/odoo/issues
I'd recommend using a similar format to the following issue submission:
https://github.com/odoo/odoo/issues/3339
And consider using licecap for an animated GIF screencapture if you think it would be better demonstrated with a visual representation:
http://www.cockos.com/licecap/
Thanks Luke... my next question was going to be how to open an issue! I will double-check to see if this has already been discussed before, and if not, I'll raise it.