Contributors mailing list archives

contributors@odoo-community.org

Re: Bank Account Security

by "Holger Brunn" <mail@hunki-enterprises.nl> - 22/12/2022 10:43:33
> During an evaluation of OCA payment order module we discovered a critical
> default security issue in Odoo. (Note this is V14, but I doubt Odoo did
> anything)

In my book that's not a security issue (which are cases where you can do stuff 
that's explicitly not meant to be possible) but a difference in expectations 
between you and Odoo SA. Is it a security issue that I can change the address 
of a customer who has ordered a bunch of 100k watches to my own address, let 
the system create the delivery slip, change back afterwards?

If you set up an Odoo instance where employees aren't trustworthy, modules like

https://github.com/OCA/server-tools/tree/14.0/base_changeset
https://github.com/OCA/server-ux/tree/14.0/base_tier_validation
(would need a specific module for bank accounts/partners)

come to mind.

-- 
Your partner for the hard Odoo problems
https://hunki-enterprises.com
