Contributors mailing list archives
Re: Bank Account Securityby
Open for Small Business, Graeme Gellatly
Funny example as that was an exact theft case we had to deal with, except they canceled order after printing. But I still think it is different here. In general people allowed to create sales orders would be expected to be able to set the delivery address. They are trusted to do that as part of their role.
Changing someone's bank details as a default rule for all users when really it is solely a function of finance is not about trust, it is about responsibilities.
But anyway, the feel I get here is no one wants it so we will just do in own code base.
On Thu, 22 Dec 2022, 10:47 pm Holger Brunn, <firstname.lastname@example.org> wrote:
> During an evaluation of OCA payment order module we discovered a critical > default security issue in Odoo. (Note this is V14, but I doubt Odoo did > anything) in my book that's not a security issue (which are cases where you can do stuff that's explicitly not meant to be possible) but a difference in expectations between you and Odoo SA. Is it a security issue that I can change the address of a customer who has ordered a bunch of 100k watches to my own address, let the system create the delivery slip, change back afterwards? If you set up an Odoo instance where employees aren't trustworthy, modules like https://github.com/OCA/server-tools/tree/14.0/base_changeset https://github.com/OCA/server-ux/tree/14.0/base_tier_validation (would need a specific module for bank accounts/partners) come to mind. -- Your partner for the hard Odoo problems https://hunki-enterprises.com