Prevent users from exporting passwords in v7?

Question

Any user with access rights to the user list can export every single password in the system. For one, storing plain text passwords in any form is poor security and having anyone with access to all users' paswords is also poor security. You can't allow a user to create other users but ensure they can't steal everyone's passwords.

Is there any way to prevent users having access to other people's passwords even if they have the rights to create users. Example, you have an HR user that can create

Fabrice Henrion (fhe) · Answer

Use the module /auth_crypt/
None [1] https://www.odoo.com/apps/modules/7.0/auth_crypt/

[1] https://www.odoo.com/apps/modules/7.0/auth_crypt/

Ivan · Answer

The auth_crypt that Fabrice had suggested will encrypt the password so that it is not stored in clear text. However, I think it is still a better idea to prevent exporting password all-together (anyway, who want to export password without any malice objective in the first place). A list of enrypted passwords will make it easier for attacker to reverse engineer the hash algorithm. I'd recommend inheriting the export_data method in the res.users and remove password field from the fields_to_export.

Bài viết liên quan	Trả lời	Lượt xem
[8] Export data in Excel security modules export users excel	0 thg 2 18	5152
Can I force a user to change their password? security users	1 thg 3 15	5134
Users reporting when the login it shows them as a different user security users odoo10	0 thg 6 25	2320
Keep Getting "The user cannot have more than one user types." Đã xử lý security users group	1 thg 11 21	5608
Postgres server password inside openerp-server.conf file!! Đã xử lý security password database	2 thg 12 23	32731

Câu hỏi này đã bị gắn cờ

Bạn có hứng thú với cuộc thảo luận không? Đừng chỉ đọc, hãy tham gia nhé!