
Re: Bank Account Security

> But anyway, the feel I get here is no one wants it so we will just do in own code base.

That's not true for me, I was just nitpicking about the term 'security issue'.

I'm totally pro a module probably in partner-contact that removes the
write/create/unlink permissions from the standard groups and introduces an
explicit group for managing bank accounts. Useful for many use cases.

Still I'd advise everyone to use some implementation of the four eyes 
principle for this kind of data, keeping honest people honest and such.


-- 
Your partner for the hard Odoo problems
https://hunki-enterprises.com

by Holger Brunn - 09:11 - 22 Dec 2022
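The addon Holger describes (and that Graeme proposes in the original post below), sketched as an added example of Odoo security data; it is not code from this thread, from OCA or from Odoo. The addon name, the new group's XML id and the placeholder for the base access record's id are assumptions: the real id of the record that grants group_partner_manager write access on res.partner.bank has to be looked up in base/security/ir.model.access.csv of the Odoo version in use.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- security/res_partner_bank_security.xml of a hypothetical addon
     "partner_bank_account_security" (assumed name, illustrative only). -->
<odoo>
    <!-- Explicit group: only its members may create, modify or delete
         partner bank accounts. Assign it deliberately, not by default. -->
    <record id="group_bank_account_manager" model="res.groups">
        <field name="name">Manage Bank Accounts</field>
        <field name="comment">Can create, modify and delete partner bank
            accounts (res.partner.bank). Keep membership small and
            reviewed; this is the data that payment files are built from.</field>
    </record>

    <!-- Strip write/create/unlink from the standard group by overriding the
         base access record. PLACEHOLDER: replace with the actual XML id of
         the base rule for res.partner.bank / group_partner_manager. -->
    <record id="base.PLACEHOLDER_access_res_partner_bank_partner_manager"
            model="ir.model.access">
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="False"/>
    </record>

    <!-- Full access only through the explicit group. -->
    <record id="access_res_partner_bank_bank_account_manager"
            model="ir.model.access">
        <field name="name">res.partner.bank bank account manager</field>
        <field name="model_id" ref="base.model_res_partner_bank"/>
        <field name="group_id" ref="group_bank_account_manager"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>
</odoo>
```

After installing, check with a plain partner-manager user that editing bank_ids on the partner form and importing bank accounts both fail, and grep the installed modules for sudo() calls that create res.partner.bank (the reconciliation path Graeme mentions), since those bypass access rights entirely.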

Reference

  • Bank Account Security
    Hi all,

    During an evaluation of OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything)

    Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo as anyone with those rights can just change the account of a large supplier, get paid, move to Caymans.

    On the other hand, where an account does not exist it is created during reconciliation.

    My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.

    So, some questions:
    Is it a good idea?
    Does it already exist?
    Which repo?
    For create as well?
    For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
    Only for automated payment scenarios or by default? My gut says actually this is a big issue and should be default.

    by Graeme Gellatly - 10:56 - 19 Dec 2022