> During an evaluation of the OCA payment order module we discovered a critical
> default security issue in Odoo. (Note this is V14, but I doubt Odoo did
> anything)

In my book that's not a security issue (which are cases where you can do stuff
that's explicitly not meant to be possible) but a difference in expectations
between you and Odoo SA. Is it a security issue that I can change the address
of a customer who has ordered a bunch of 100k watches to my own address, let
the system create the delivery slip, change back afterwards?

If you set up an Odoo instance where employees aren't trustworthy, modules like
https://github.com/OCA/server-tools/tree/14.0/base_changeset
https://github.com/OCA/server-ux/tree/14.0/base_tier_validation
(would need a specific module for bank accounts/partners)
come to mind.
--
Your partner for the hard Odoo problems
https://hunki-enterprises.com