Re: Bank Account Security
On Thu, 22 Dec 2022 at 19:57:13, Graeme Gellatly <notifications@odoo-community.org> wrote:

> But anyway, the feel I get here is no one wants it so we will just do in own code base.

Hi Graeme!

I'm not sure if I contributed to that feeling you express, but it certainly wasn't my intention.

Of course having a solution for the problem would be great!

I'll contact Odoo security myself, as I understand you don't want to.

Regards!
_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe
by Sébastien Beau - 03:50 - 23 Dec 2022
Reference
Bank Account Security
Hi all,

During an evaluation of the OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything.)

Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo, as anyone with those rights can just change the account of a large supplier, get paid, move to Caymans.

On the other hand, where an account does not exist it is created during reconciliation.

My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.

So some questions:

- Is it a good idea?
- Does it already exist?
- Which repo?
- For create as well?
- For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
- Only for automated payment scenarios or by default? My gut says actually this is a big issue and should be default.

by Graeme Gellatly - 10:56 - 19 Dec 2022
Re: Bank Account Security
Hi,

I didn't realise it was so easy. We expected we would at the very least have to handle this function in bank statement that auto creates the accounts but hadn't really looked further for where else it assumed everyone could create bank accounts.

On Sat, Dec 24, 2022 at 9:22 AM Pedro M. Baeza <notifications@odoo-community.org> wrote:

> Since v10, if you install the OCA module account_payment_order, the default permission is changed to only allow changing/creating bank accounts if you have the group "Accounting / Payments":
>
> So for most of us, that's the "patch".
>
> Regards.
by Graeme Gellatly - 04:41 - 24 Dec 2022
Re: Bank Account Security
Since v10, if you install the OCA module account_payment_order, the default permission is changed to only allow changing/creating bank accounts if you have the group "Accounting / Payments":

So for most of us, that's the "patch".

Regards.

by Pedro M. Baeza - 09:20 - 23 Dec 2022
Re: Bank Account Security
Hi Graeme,

Please share the module!

We all need to improve the default rule to improve the data security.

On Fri, 23 Dec 2022 at 11:01, Jairo Llopis <notifications@odoo-community.org> wrote:

> On Thu, 22 Dec 2022 at 19:57:13, Graeme Gellatly <notifications@odoo-community.org> wrote:
>
> > But anyway, the feel I get here is no one wants it so we will just do in own code base.
>
> Hi Graeme!
>
> I'm not sure if I contributed to that feeling you express, but it certainly wasn't my intention.
>
> Of course having a solution for the problem would be great!
>
> I'll contact Odoo security myself, as I understand you don't want to.
>
> Regards!
by Sébastien Beau - 03:50 - 23 Dec 2022
Re: Bank Account Security
On Thu, 22 Dec 2022 at 19:57:13, Graeme Gellatly <notifications@odoo-community.org> wrote:

> But anyway, the feel I get here is no one wants it so we will just do in own code base.

Hi Graeme!

I'm not sure if I contributed to that feeling you express, but it certainly wasn't my intention.

Of course having a solution for the problem would be great!

I'll contact Odoo security myself, as I understand you don't want to.

Regards!

by Jairo Llopis - 11:01 - 23 Dec 2022
Re: Bank Account Security
+1! I just remembered implementing that for a client last year as well.
On 12/22/22 21:12, Holger Brunn wrote:
> > But anyway, the feel I get here is no one wants it so we will just do in own
> > code base.
>
> That's not true for me, I was just nitpicking about the term 'security issue'. I'm totally pro a module, probably in partner-contact, that removes the write/create/unlink permissions from the standard groups and introduces an explicit group for managing bank accounts. Useful for many use cases.
>
> Still I'd advise everyone to use some implementation of the four eyes principle for this kind of data, keeping honest people honest and such.
>
> --
> Your partner for the hard Odoo problems
> https://hunki-enterprises.com
by Tom Blauwendraat - 09:21 - 22 Dec 2022
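Holger's suggestion above (remove write/create/unlink on res.partner.bank from the standard groups and introduce an explicit group for managing bank accounts) maps onto a single Odoo security data file. The file below is an added illustration written for this thread; it is not code from any OCA module, from account_payment_order, or from any participant. The add-on name `partner_bank_security`, the group name and xmlid `group_partner_bank_manager`, the access record id, and the `base.PLACEHOLDER_access_res_partner_bank` id are all assumptions: the last one stands in for the real xmlid of the standard res.partner.bank access line in base's `security/ir.model.access.csv`, which has to be looked up before the file will load. Making `base.group_system` imply the new group is also a design choice made here so that administrators keep working.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- security/partner_bank_security.xml of a hypothetical add-on "partner_bank_security".
     Added example only, not an OCA module. List this file under "data" in __manifest__.py. -->
<odoo>
    <data noupdate="0">

        <!-- Explicit group allowed to maintain bank accounts (name and id are assumptions). -->
        <record id="group_partner_bank_manager" model="res.groups">
            <field name="name">Bank Account Manager</field>
            <field name="category_id" ref="base.module_category_hidden"/>
            <field name="comment">Members may create, edit and delete partner bank accounts.</field>
        </record>

        <!-- Administrators keep full access by implying the new group (design choice). -->
        <record id="base.group_system" model="res.groups">
            <field name="implied_ids" eval="[(4, ref('group_partner_bank_manager'))]"/>
        </record>

        <!-- Full CRUD on res.partner.bank for the dedicated group only. -->
        <record id="access_res_partner_bank_manager" model="ir.model.access">
            <field name="name">res.partner.bank: bank account manager</field>
            <field name="model_id" ref="base.model_res_partner_bank"/>
            <field name="group_id" ref="group_partner_bank_manager"/>
            <field name="perm_read" eval="True"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>

        <!-- Downgrade the standard access record shipped by base to read-only.
             PLACEHOLDER: this xmlid is not real. Replace it with the actual id of the
             res.partner.bank line found in base/security/ir.model.access.csv. -->
        <record id="base.PLACEHOLDER_access_res_partner_bank" model="ir.model.access">
            <field name="perm_write" eval="False"/>
            <field name="perm_create" eval="False"/>
            <field name="perm_unlink" eval="False"/>
        </record>

    </data>
</odoo>
```

After installing such an add-on, check with a test user who holds only Contact Creation rights that editing or deleting a supplier's bank account is refused, and then exercise the flows the thread mentions: the bank statement code that auto-creates accounts during reconciliation, and payment order generation, will also be denied for users outside the new group unless the calling code runs with elevated rights, which is exactly the place Graeme expected to have to handle. An access control list on its own does not provide the four eyes principle Holger recommends; that needs a separate approval step on changes to this data.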