During an evaluation of the OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything.)
Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo, as anyone with those rights can just change the account of a large supplier, get paid, and move to the Caymans.
On the other hand, where an account does not exist, it is created during reconciliation.
My gut feeling is that I want to create a simple security addon which just restricts who can edit/delete bank accounts. Maybe create too, if I can find the creates and work around them.
So, some questions:
Is it a good idea?
Does it already exist?
For create as well?
For Advisor rights (I think nearly all with Advisor rights will be members of professional accounting bodies and bound to professional standards, OR a business principal), or a new group?
Only for automated payment scenarios, or by default? My gut says this is actually a big issue and should be the default.
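Added example, not from the original post or from any existing OCA module: one way to implement the addon sketched above as a single Odoo data file. It keeps the stock read/create access that Contact Creation (base.group_partner_manager) has on res.partner.bank, removes its write/unlink, and grants full access only to the Accounting Advisor group. The addon name, the file path and the XML ID of the stock ACL record (assumed to be base.access_res_partner_bank_group_partner_manager, as in base/security/ir.model.access.csv) are assumptions; check them against your V14 install before loading.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical addon: bank_account_security/security/res_partner_bank_security.xml
     Assumptions: the stock ACL XML ID below and the Advisor group XML ID
     (account.group_account_manager) match your Odoo 14 install. -->
<odoo>

    <!-- Edit the existing base ACL in place rather than adding a new one:
         Odoo ACLs are additive (OR'd across the user's groups), so a new CSV
         line can only grant rights, never take them away. -->
    <record id="base.access_res_partner_bank_group_partner_manager" model="ir.model.access">
        <field name="perm_read" eval="True"/>
        <field name="perm_create" eval="True"/>   <!-- still needed by reconciliation -->
        <field name="perm_write" eval="False"/>
        <field name="perm_unlink" eval="False"/>
    </record>

    <!-- Full access for Advisors only. Swap the ref for a dedicated group
         (defined in this addon) if you prefer a new group over Advisor. -->
    <record id="access_res_partner_bank_advisor" model="ir.model.access">
        <field name="name">res.partner.bank: advisor full access</field>
        <field name="model_id" ref="base.model_res_partner_bank"/>
        <field name="group_id" ref="account.group_account_manager"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>

    <!-- Belt and braces: a global record rule that denies write/unlink to
         anyone outside the Advisor group, even if some other module's ACL
         grants those rights on res.partner.bank. domain_force is evaluated
         with `user` in scope, so the domain can depend on group membership. -->
    <record id="res_partner_bank_rule_write_unlink_advisor_only" model="ir.rule">
        <field name="name">Bank accounts: only Advisors may edit or delete</field>
        <field name="model_id" ref="base.model_res_partner_bank"/>
        <field name="global" eval="True"/>
        <field name="domain_force">[(1, '=', 1)] if user.has_group('account.group_account_manager') else [(0, '=', 1)]</field>
        <field name="perm_read" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>

</odoo>
```

Two things to verify after installing: list ir.model.access filtered on res.partner.bank, because any other installed module granting write/unlink to a broader group reopens the hole (the record rule above is there to catch exactly that), and remember that leaving create open still lets a Contact Creation user add a second account to a supplier and select it as partner_bank_id on a vendor bill or payment order line, so the approval step for the payment, not only the bank record, has to be covered as well.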