Re: Bank Account Security

On Thu, 22 Dec 2022 at 19:57:13 PM, Graeme Gellatly <notifications@odoo-community.org> wrote:
> But anyway, the feeling I get here is that no one wants it, so we will just do it in our own code base.

Hi Graeme!

I'm not sure if I contributed to that feeling you express, but it certainly wasn't my intention.

Of course having a solution for the problem would be great!

I'll contact Odoo security myself, as I understand you don't want to.

Regards!

by Jairo Llopis - 11:01 - 23 Dec 2022

Reference

  • Bank Account Security
    Hi all,

    During an evaluation of the OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything.)

    Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo, as anyone with those rights can just change the account of a large supplier, get paid, and move to the Caymans.

    On the other hand, where an account does not exist it is created during reconciliation.

    My gut feeling is that I want to create a simple security addon which just restricts who can edit/delete bank accounts. Maybe create too, if I can find the creates and work around them.

    So, some questions:
    - Is it a good idea?
    - Does it already exist?
    - Which repo?
    - For create as well?
    - For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards, OR a business principal) or a new group?
    - Only for automated payment scenarios or by default? My gut says this is actually a big issue and should be the default.

    by Graeme Gellatly - 10:56 - 19 Dec 2022
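One way to implement the addon Graeme sketches (restricting who may edit or delete res.partner.bank records), as an added example that is not part of this thread or of any OCA module: an Odoo security XML file that defines a "Bank Account Manager" group and two record rules, so that ordinary internal users keep read access but only group members can write or unlink. The module name, the group and rule XML ids, and the choice to leave create unrestricted (because reconciliation creates accounts, as the post notes) are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- security/res_partner_bank_security.xml in a hypothetical module "partner_bank_security".
     ir.model.access still grants write/unlink to the existing groups; these record rules
     narrow that access. Record rules are never applied to the superuser. -->
<odoo>
    <data noupdate="0">
        <!-- Group whose members are allowed to modify or delete bank accounts. -->
        <record id="group_bank_account_manager" model="res.groups">
            <field name="name">Bank Account Manager</field>
            <field name="category_id" ref="base.module_category_hidden"/>
            <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
        </record>

        <!-- Rule 1: internal users may not write or unlink. The domain (0, '=', 1)
             never matches a record, so those operations raise an AccessError.
             perm_read/perm_create are False, so reads and creates are untouched. -->
        <record id="res_partner_bank_rule_user_readonly" model="ir.rule">
            <field name="name">Bank accounts: internal users cannot edit or delete</field>
            <field name="model_id" ref="base.model_res_partner_bank"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">[(0, '=', 1)]</field>
            <field name="perm_read" eval="False"/>
            <field name="perm_create" eval="False"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>

        <!-- Rule 2: managers get an always-true domain. Group rules are ORed, so a
             manager (who is also an internal user) passes; everyone else is stopped
             by rule 1. Restrict create here too by setting perm_create True on both
             rules if the reconciliation-created accounts can be handled otherwise. -->
        <record id="res_partner_bank_rule_manager" model="ir.rule">
            <field name="name">Bank accounts: managers can edit and delete</field>
            <field name="model_id" ref="base.model_res_partner_bank"/>
            <field name="groups" eval="[(4, ref('group_bank_account_manager'))]"/>
            <field name="domain_force">[(1, '=', 1)]</field>
            <field name="perm_read" eval="False"/>
            <field name="perm_create" eval="False"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>
    </data>
</odoo>
```

After installing, verify as a non-member user that editing a partner's bank account raises an AccessError, and as a group member that it succeeds; the res.partner.bank mail thread (if tracking is enabled) and the server log provide the audit trail for account-number changes.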