Contributors
Re: Sale Channel Repository
Hi OCA board,

Is it possible to create this new repo, so we can start to push modules?

Thanks

On Wed, 12 Oct 2022 at 06:51, Mignon, Laurent <notifications@odoo-community.org> wrote:

+1 for this new repo and I would like to be part of the new PSC.

Regards,
lmi

On Tue, Oct 11, 2022 at 3:07 PM Sebastien Beau <notifications@odoo-community.org> wrote:

Hi all,

I would like to propose a new repository for having the sale channel feature.

The idea is that when you do a sale you use a specific channel (marketplace, magento, prestashop, shopinvader, direct ....).

For now all projects reimplement their own backend and reimplement a lot of common logic (product linked to a channel, pricelist to use, journal for invoice, analytic accounting, email notification and template ....).

The idea is to have a generic implementation of sale channel that can be reused (in the long term) between several projects.

I can put this in sale workflow, but it already has a lot of modules, so it's better to add this in a specific repo.

We already have modules in V14 here regarding this topic: https://github.com/akretion/sale-import

The aim is to migrate and extract them into this repo for 16.

Thanks all for your feedback
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe
by Sébastien Beau - 09:36 - 30 Dec 2022 -
Re: Bank Account Security
Hi,

I didn't realise it was so easy. We expected we would at the very least have to handle this function in bank statement that auto creates the accounts, but hadn't really looked further for where else it assumed everyone could create bank accounts.

On Sat, Dec 24, 2022 at 9:22 AM Pedro M. Baeza <notifications@odoo-community.org> wrote:

Since v10, if you install the OCA module account_payment_order, the default permission is changed to only allow changing/creating bank accounts if you have the group "Accounting / Payments". So for most of us, that's the "patch".

Regards.
by Graeme Gellatly - 04:41 - 24 Dec 2022 -
Re: Bank Account Security
Since v10, if you install the OCA module account_payment_order, the default permission is changed to only allow changing/creating bank accounts if you have the group "Accounting / Payments". So for most of us, that's the "patch".

Regards.
by Pedro M. Baeza - 09:20 - 23 Dec 2022 -
Re: Bank Account Security
Hi Graeme,

Please share the module!

We all need to improve the default rule to improve data security.

On Fri, 23 Dec 2022 at 11:01, Jairo Llopis <notifications@odoo-community.org> wrote:

On Thu, 22 Dec 2022 at 19:57:13, Graeme Gellatly <notifications@odoo-community.org> wrote:

> But anyway, the feel I get here is no one wants it so we will just do in own code base.

Hi Graeme!

I'm not sure if I contributed to that feeling you express, but it certainly wasn't my intention.

Of course having a solution for the problem would be great!

I'll contact Odoo security myself, as I understand you don't want to.

Regards!
by Sébastien Beau - 03:50 - 23 Dec 2022 -
Re: Bank Account Security
On Thu, 22 Dec 2022 at 19:57:13, Graeme Gellatly <notifications@odoo-community.org> wrote:

> But anyway, the feel I get here is no one wants it so we will just do in own code base.

Hi Graeme!

I'm not sure if I contributed to that feeling you express, but it certainly wasn't my intention.

Of course having a solution for the problem would be great!

I'll contact Odoo security myself, as I understand you don't want to.

Regards!
by Jairo Llopis - 11:01 - 23 Dec 2022 -
Re: Bank Account Security
+1! I just remembered implementing that for a client last year as well.

On 12/22/22 21:12, Holger Brunn wrote:

> But anyway, the feel I get here is no one wants it so we will just do in own
> code base.

That's not true for me, I was just nitpicking about the term 'security issue'.

I'm totally pro a module, probably in partner-contact, that removes the write/create/unlink permissions from the standard groups and introduces an explicit group for managing bank accounts. Useful for many use cases.

Still I'd advise everyone to use some implementation of the four eyes principle for this kind of data, keeping honest people honest and such.

--
Your partner for the hard Odoo problems
https://hunki-enterprises.com
by Tom Blauwendraat - 09:21 - 22 Dec 2022 -
Re: Bank Account Security
> But anyway, the feel I get here is no one wants it so we will just do in own
> code base.

That's not true for me, I was just nitpicking about the term 'security issue'.

I'm totally pro a module, probably in partner-contact, that removes the write/create/unlink permissions from the standard groups and introduces an explicit group for managing bank accounts. Useful for many use cases.

Still I'd advise everyone to use some implementation of the four eyes principle for this kind of data, keeping honest people honest and such.

--
Your partner for the hard Odoo problems
https://hunki-enterprises.com
by Holger Brunn - 09:11 - 22 Dec 2022 -
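Pedro's remark that account_payment_order restricts bank-account changes to the "Accounting / Payments" group, and Holger's proposal to strip write/create/unlink from the standard groups and add an explicit bank-account-manager group, both come down to the ir.model.access rows for res.partner.bank. What follows is an added example, not code from this thread, from OCA or from Odoo: a small Python audit that parses an ir.model.access.csv, lists the groups that can modify res.partner.bank, and compares them with an allow-list, so the weak and hardened states can be checked mechanically. The two CSV snippets are constructed approximations of a stock access list and of a hardened one; the record ids, the add-on name bank_account_security and the group xmlid bank_account_security.group_bank_account_manager are hypothetical.

```python
import csv
import io

BANK_MODEL = "model_res_partner_bank"
WRITE_PERMS = ("perm_write", "perm_create", "perm_unlink")

# Constructed approximation of the stock access list for res.partner.bank
# (assumption: the real base/security/ir.model.access.csv may differ in
# record ids and names). Anyone in the partner-manager group, i.e. anyone
# who may create contacts, gets full rights on bank accounts.
WEAK_ACCESS_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_res_partner_bank_user,res.partner.bank user,model_res_partner_bank,base.group_user,1,0,0,0
access_res_partner_bank_partner_manager,res.partner.bank partner manager,model_res_partner_bank,base.group_partner_manager,1,1,1,1
access_res_partner_user,res.partner user,model_res_partner,base.group_user,1,1,1,0
"""

# Hardened variant in the spirit of Holger's proposal: partner managers keep
# read access only, and a dedicated (hypothetical) group owns create/write/
# unlink. An add-on would ship this by reusing the base records' full xmlids
# in its own CSV and declaring the new group in its security XML.
HARDENED_ACCESS_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_res_partner_bank_user,res.partner.bank user,model_res_partner_bank,base.group_user,1,0,0,0
access_res_partner_bank_partner_manager,res.partner.bank partner manager,model_res_partner_bank,base.group_partner_manager,1,0,0,0
access_res_partner_bank_manager,res.partner.bank bank account manager,model_res_partner_bank,bank_account_security.group_bank_account_manager,1,1,1,1
access_res_partner_user,res.partner user,model_res_partner,base.group_user,1,1,1,0
"""


def parse_access_csv(text):
    """Return the access rows as dicts with the perm_* columns as booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for perm in ("perm_read",) + WRITE_PERMS:
            row[perm] = (row.get(perm) or "0").strip() == "1"
        rows.append(row)
    return rows


def modifying_groups(text, model=BANK_MODEL):
    """Groups (xmlids) whose access rows grant write, create or unlink on model.

    A row with an empty group_id:id is a global rule that applies to every
    user; it is reported as "<everyone>" because that is the worst case.
    Odoo access rights are additive across a user's groups, so membership
    in any one of the returned groups is enough to modify the model.
    """
    groups = set()
    for row in parse_access_csv(text):
        if row["model_id:id"].strip() != model:
            continue
        if any(row[perm] for perm in WRITE_PERMS):
            groups.add(row["group_id:id"].strip() or "<everyone>")
    return sorted(groups)


def audit_bank_access(text, allowed_groups, model=BANK_MODEL):
    """Return the groups that can modify model but are not on the allow-list.

    An empty result means only the intended groups can touch bank accounts
    through the ORM. It says nothing about code paths that run with sudo(),
    such as automatic creation of accounts during statement reconciliation,
    which bypass access rights entirely and need their own review.
    """
    return [g for g in modifying_groups(text, model) if g not in allowed_groups]


if __name__ == "__main__":
    allowed = {"bank_account_security.group_bank_account_manager"}
    for label, text in (("stock", WEAK_ACCESS_CSV), ("hardened", HARDENED_ACCESS_CSV)):
        print(f"{label}: can modify {modifying_groups(text)}; "
              f"not on allow-list {audit_bank_access(text, allowed)}")
```

Run it against the CSV files of an installed add-on set (or the output of reading ir.model.access from a database) to see every group that can rewrite a supplier's IBAN. Two caveats the thread itself raises: access rows only govern ORM calls made as the user, so the reconciliation path Graeme mentions, which creates accounts under sudo, is untouched by this change; and an allow-list of one group still lets a single member of that group act alone, which is why Holger's four-eyes suggestion (for example base_tier_validation) complements rather than replaces the permission change.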
Re: Bank Account Security
Funny example, as that was an exact theft case we had to deal with, except they canceled the order after printing. But I still think it is different here. In general people allowed to create sales orders would be expected to be able to set the delivery address. They are trusted to do that as part of their role.

Changing someone's bank details as a default rule for all users when really it is solely a function of finance is not about trust, it is about responsibilities.

But anyway, the feel I get here is no one wants it so we will just do in own code base.

On Thu, 22 Dec 2022, 10:47 pm Holger Brunn, <notifications@odoo-community.org> wrote:

> During an evaluation of OCA payment order module we discovered a critical
> default security issue in Odoo. (Note this is V14, but I doubt Odoo did
> anything)

In my book that's not a security issue (which are cases where you can do stuff that's explicitly not meant to be possible) but a difference in expectations between you and Odoo SA.

Is it a security issue that I can change the address of a customer who has ordered a bunch of 100k watches to my own address, let the system create the delivery slip, change back afterwards?

If you set up an Odoo instance where employees aren't trustworthy, modules like
https://github.com/OCA/server-tools/tree/14.0/base_changeset
https://github.com/OCA/server-ux/tree/14.0/base_tier_validation
(would need a specific module for bank accounts/partners) come to mind.

--
Your partner for the hard Odoo problems
https://hunki-enterprises.com
by Graeme Gellatly - 08:56 - 22 Dec 2022 -
Re: Bank Account Security
What's more is the OCA has plenty of modules already that do exactly the same thing for other functions and modules. E.g. import/export.

And also we have similar, far more severe privilege escalation issues open with Odoo for many years. Truthfully they aren't that interested if it is difficult to fix and not purely a bug.

Even under enterprise contract they just send you a link saying default security rules are not meant for production, and when you explain that it is nothing to do with rules but users can do things outside their allowed privileges, crickets.

On Fri, 23 Dec 2022, 5:57 am Graeme Gellatly, <graeme@o4sb.com> wrote:

Jairo,

Sorry you are completely wrong. There is a huge difference between a conscious decision that Odoo themselves has made about their own security rules and SQL injections, buffer overflow, privilege escalation etc. There is nothing to disclose, it is obvious public information already.
by Graeme Gellatly - 06:16 - 22 Dec 2022 -
Re: Bank Account Security
Jairo,

Sorry you are completely wrong. There is a huge difference between a conscious decision that Odoo themselves has made about their own security rules and SQL injections, buffer overflow, privilege escalation etc. There is nothing to disclose, it is obvious public information already.

On Fri, 23 Dec 2022, 12:12 am Urtzi Pérez, <notifications@odoo-community.org> wrote:

I agree with you Luis, but I think Jairo's message is important for the knowledge of every contributor.

Thank you Jairo for sharing your opinion.

Regards,
Urtzi Pérez
by Graeme Gellatly - 06:00 - 22 Dec 2022 -
Re: Wake up Manufacture and Maintenance repos
I've been doing some work there and can help.
You can ping me with @dreispt
Thanks
Daniel
On 22/12/22 16:31, Stefano Consolaro wrote:
Hi all,

I'm porting some modules to v16.0: I started with something for management-system and maintenance, filling holes on 15.0 and 14.0 (13.0 if necessary), and I'm interested in the Manufacture repo too.

But I saw that there isn't much activity here in recent times.

Is there someone (PSC I think) that can assist me in this work? Mainly to approve and merge PRs, but sometimes to help me with strange (for me) errors?

The same for the Maintenance repo.

Thanks
Stefano Consolaro
mymage.it
--
DANIEL REIS
MANAGING DIRECTOR
M: +351 919 991 307
E: dreis@OpenSourceIntegrators.com
A: Avenida da República 3000, Estoril Office B, #34
by Daniel Reis - 05:41 - 22 Dec 2022 -
Wake up Manufacture and Maintenance repos
Hi all,

I'm porting some modules to v16.0: I started with something for management-system and maintenance, filling holes on 15.0 and 14.0 (13.0 if necessary), and I'm interested in the Manufacture repo too.

But I saw that there isn't much activity here in recent times.

Is there someone (PSC I think) that can assist me in this work? Mainly to approve and merge PRs, but sometimes to help me with strange (for me) errors?

The same for the Maintenance repo.

Thanks
Stefano Consolaro
mymage.it
by Stefano Consolaro - 05:30 - 22 Dec 2022 -
Re: Bank Account Security
I agree with you Luis, but I think Jairo's message is important for the knowledge of every contributor.

Thank you Jairo for sharing your opinion.

Regards,
Urtzi Pérez

On Thu, 22 Dec 2022 at 9:21, LuisDaniel Lafaurie (<notifications@odoo-community.org>) wrote:

Hi, Jairo, in relation to your comments about what Graeme has posted, I believe you're right when explaining the way it should have been dealt with. BUT, you're contradicting yourself by posting this message publicly and not addressing only the person who posted it in the first place, which will make the problem even bigger.

Just saying!

Regards,
Luis
by uperez - 12:10 - 22 Dec 2022 -
Re: Bank Account Security
> During an evaluation of OCA payment order module we discovered a critical
> default security issue in Odoo. (Note this is V14, but I doubt Odoo did
> anything)

In my book that's not a security issue (which are cases where you can do stuff that's explicitly not meant to be possible) but a difference in expectations between you and Odoo SA.

Is it a security issue that I can change the address of a customer who has ordered a bunch of 100k watches to my own address, let the system create the delivery slip, change back afterwards?

If you set up an Odoo instance where employees aren't trustworthy, modules like
https://github.com/OCA/server-tools/tree/14.0/base_changeset
https://github.com/OCA/server-ux/tree/14.0/base_tier_validation
(would need a specific module for bank accounts/partners) come to mind.

--
Your partner for the hard Odoo problems
https://hunki-enterprises.com
by "Holger Brunn" <mail@hunki-enterprises.nl> - 10:46 - 22 Dec 2022 -
Re: Bank Account Security
Hi, Jairo, in relation to your comments about what Graeme has posted, I believe you're right when explaining the way it should have been dealt with. BUT, you're contradicting yourself by posting this message publicly and not addressing only the person who posted it in the first place, which will make the problem even bigger.

Just saying!

Regards,
Luis

On Thu, 22 Dec 2022, 08:57 Jairo Llopis, <notifications@odoo-community.org> wrote:

Hi Graeme, thanks for finding this security problem.

While I appreciate your intentions sincerely, I have to tell you this is not an appropriate way to do it. 😅

When dealing with security problems it's important to understand the impact of such information. There's a concept called "responsible disclosure". When you find the vulnerability, is it your responsibility to report it? I consider it a yes for me. But where to report it? If there's a security hole and someone makes it public before the patch is released, they only help in making the problem bigger. Now there's not only a problem (the bug), there are two extra problems (everybody knows the bug and nobody has the fix).

I've personally participated in fixing security holes both in Odoo and in OCA (and many contributors here too), and a good rule of thumb is: fix first, tell later. If you don't have a clear path for fixing the issue, it's better to ask specific persons through private channels than telling the world they can abuse every Odoo installation to steal money.

In the case of Odoo, here they have the responsible disclosure process for those problems, and my recommendation is that you follow it. Now the bug is public, so please do it ASAP.

Regarding the fix, modules are not meant to fix security issues. They are meant to improve the software. If there's a security problem, it must be fixed where the problem exists: in the payment module in this case AFAICS.

Thanks!
by Luis Lafaurie - 09:16 - 22 Dec 2022 -
Re: Bank Account Security
Hi Graeme, thanks for finding this security problem.

While I appreciate your intentions sincerely, I have to tell you this is not an appropriate way to do it. 😅

When dealing with security problems it's important to understand the impact of such information. There's a concept called "responsible disclosure". When you find the vulnerability, is it your responsibility to report it? I consider it a yes for me. But where to report it? If there's a security hole and someone makes it public before the patch is released, they only help in making the problem bigger. Now there's not only a problem (the bug), there are two extra problems (everybody knows the bug and nobody has the fix).

I've personally participated in fixing security holes both in Odoo and in OCA (and many contributors here too), and a good rule of thumb is: fix first, tell later. If you don't have a clear path for fixing the issue, it's better to ask specific persons through private channels than telling the world they can abuse every Odoo installation to steal money.

In the case of Odoo, here they have the responsible disclosure process for those problems, and my recommendation is that you follow it. Now the bug is public, so please do it ASAP.

Regarding the fix, modules are not meant to fix security issues. They are meant to improve the software. If there's a security problem, it must be fixed where the problem exists: in the payment module in this case AFAICS.

Thanks!

On Mon, 19 Dec 2022 at 21:57, Graeme Gellatly (<notifications@odoo-community.org>) wrote:

Hi all,

During an evaluation of the OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything)

Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo, as anyone with those rights can just change the account of a large supplier, get paid, move to the Caymans.

On the other hand, where an account does not exist it is created during reconciliation.

My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.

So some questions:

Is it a good idea?
Does it already exist?
Which repo?
For create as well?
For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
Only for automated payment scenarios or by default? My gut says actually this is a big issue and should be default.
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe
by Jairo Llopis - 08:56 - 22 Dec 2022 -
Re: Bank Account Security
Yes, please do.
We had to do a lockdown of this area for a client who had been exploited this way a few years ago by one of their employees.
They were astounded how easy in Odoo changing a payment receiving bank account was.
Richard
Kind Regards
From: Graeme Gellatly <notifications@odoo-community.org>
Sent: Tuesday, 20 December 2022 8:57 AM
To: Contributors <contributors@odoo-community.org>
Subject: Bank Account Security

Hi all,
During an evaluation of the OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything.)

Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo, as anyone with those rights can just change the account of a large supplier, get paid, and move to the Caymans.
On the other hand, where an account does not exist it is created during reconciliation.
My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.
So some questions:

Is it a good idea?
Does it already exist?
Which repo?
For create as well?
For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
Only for automated payment scenarios or by default? My gut says actually this is a big issue and should be default.
by "Richard deMeester" <richard.demeester@willdooit.com> - 11:36 - 19 Dec 2022 -
RE: OCA - Github - Switch branch by default
I’m PSC but I don’t see “Settings” tab.
From: Stéphane Bidoul <notifications@odoo-community.org>
Sent: Wednesday, 14 December 2022 16:28
To: Contributors <contributors@odoo-community.org>
Subject: Re: OCA - Github - Switch branch by default

PSC *representatives* have admin rights to change default branches.
-sbi
On Wed, Dec 14, 2022 at 3:27 PM Rafael Blasco <notifications@odoo-community.org> wrote:
Hello!
I would like to know as PSC if I can change the default branch of a repository and how 😊
For example, by default account-financial-reporting is v13; it should be v15, shouldn't it?
https://github.com/OCA/account-financial-reporting
More branches by default are v14, etc.
Thanks
Regards
Rafael
by "Rafael Blasco" <rblasco@rbnpro.com> - 11:31 - 19 Dec 2022 -
Bank Account Security
Hi all,

During an evaluation of the OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything.)

Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo, as anyone with those rights can just change the account of a large supplier, get paid, and move to the Caymans.

On the other hand, where an account does not exist it is created during reconciliation.

My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.

So some questions:

Is it a good idea?
Does it already exist?
Which repo?
For create as well?
For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
Only for automated payment scenarios or by default? My gut says actually this is a big issue and should be default.
by Graeme Gellatly - 10:56 - 19 Dec 2022 -
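A sketch of the lockdown addon proposed in the message above, added here as an illustration and not code from the thread or from any existing OCA module: the security data file of a hypothetical addon `partner_bank_security` declares a new group and two record rules on res.partner.bank. It assumes that `base.group_partner_manager` is the "Contact Creation" group the thread refers to, that `account.group_account_manager` is the advisor-level accounting group which should keep the right, and that Odoo combines group-specific record rules with OR (global rules with AND).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- security/partner_bank_security.xml of the hypothetical addon "partner_bank_security".
     Its manifest would declare 'depends': ['account'] and list this file under 'data'.
     Assumption: base.group_partner_manager is the "Contact Creation" group named in the thread. -->
<odoo>
    <!-- New group that keeps the right to modify and delete bank accounts. -->
    <record id="group_partner_bank_manager" model="res.groups">
        <field name="name">Bank Account Manager</field>
        <field name="category_id" ref="base.module_category_hidden"/>
        <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
    </record>

    <!-- Assumption: the accounting manager ("advisor") group inherits the new group, so
         accountants keep the right while plain contact editors lose it. -->
    <record id="account.group_account_manager" model="res.groups">
        <field name="implied_ids" eval="[(4, ref('group_partner_bank_manager'))]"/>
    </record>

    <!-- Record rules only restrict; the base ACL still grants write/unlink to contact
         managers, so deny those two operations to that group with an always-false domain.
         perm_read stays False so reading (and payment processing) is untouched. -->
    <record id="rule_partner_bank_contact_manager_readonly" model="ir.rule">
        <field name="name">Bank accounts: contact managers cannot change or delete</field>
        <field name="model_id" ref="base.model_res_partner_bank"/>
        <field name="domain_force">[(0, '=', 1)]</field>
        <field name="groups" eval="[(4, ref('base.group_partner_manager'))]"/>
        <field name="perm_read" eval="False"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="True"/>
    </record>

    <!-- Group rules are OR-ed: a user who is also a Bank Account Manager matches this
         always-true rule and therefore keeps write/unlink access. -->
    <record id="rule_partner_bank_manager_full" model="ir.rule">
        <field name="name">Bank accounts: bank account managers have full access</field>
        <field name="model_id" ref="base.model_res_partner_bank"/>
        <field name="domain_force">[(1, '=', 1)]</field>
        <field name="groups" eval="[(4, ref('group_partner_bank_manager'))]"/>
        <field name="perm_read" eval="False"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="True"/>
    </record>
</odoo>
```

Setting `perm_create` to True on both rules would extend the same split to creation, which the thread leaves as an open question; edits made through the `bank_ids` list on the partner form are also covered, since they go through res.partner.bank.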
RE: OCA - Github - Switch branch by default
Thank you! 😊
From: Stéphane Bidoul <notifications@odoo-community.org>
Sent: Wednesday, 14 December 2022 16:28
To: Contributors <contributors@odoo-community.org>
Subject: Re: OCA - Github - Switch branch by default

PSC *representatives* have admin rights to change default branches.
-sbi
On Wed, Dec 14, 2022 at 3:27 PM Rafael Blasco <notifications@odoo-community.org> wrote:
Hello!
I would like to know as PSC if I can change the default branch of a repository and how 😊
For example, by default account-financial-reporting is v13; it should be v15, shouldn't it?
https://github.com/OCA/account-financial-reporting
More branches by default are v14, etc.
Thanks
Regards
Rafael
by "Rafael Blasco" <rblasco@rbnpro.com> - 09:41 - 19 Dec 2022