Re: Bank Account Security

by "Richard deMeester" <> - 19/12/2022 23:33:17

Yes, please do.

We had to do a lockdown of this area for a client who had been exploited this way a few years ago by one of their employees.

They were astounded at how easy it was in Odoo to change a payment-receiving bank account.

Kind Regards

Richard deMeester
Senior Development Analyst

T: (03) 9135 1900 | M: 0403 76 76 76 | A: Bld 10/435 Williamstown Road, Port Melbourne, 3207

From: Graeme Gellatly <>
Sent: Tuesday, 20 December 2022 8:57 AM
To: Contributors <>
Subject: Bank Account Security

Hi all,

During an evaluation of OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything)

Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts. (Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo, as anyone with those rights can just change the account of a large supplier, get paid, move to Caymans.)

On the other hand, where an account does not exist it is created during reconciliation.

My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.

So some questions:

Is it a good idea?
Does it already exist?
Which repo?
For create as well?
For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
Only for automated payment scenarios or by default? My gut says actually this is a big issue and should be default.
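
One way to implement the Edit/Delete restriction proposed above, as an added example that is not part of this thread and not code from any OCA module: a security data file for a hypothetical Odoo addon (the module name `partner_bank_security` and the group id `group_bank_account_manager` are assumptions) that declares a new group and two record rules on `res.partner.bank`. Odoo ORs the record rules of all groups a user belongs to, so a deny-everything write/unlink rule on `base.group_user` combined with an allow-everything rule on the new group leaves editing and deletion to members of the new group only. Create is deliberately not restricted here, so reconciliation can still create accounts that do not yet exist.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- partner_bank_security/security/res_partner_bank_security.xml (hypothetical addon) -->
<odoo>
    <!-- New group that is allowed to edit and delete bank accounts.
         Assign it explicitly; do not imply it from Contact Creation rights. -->
    <record id="group_bank_account_manager" model="res.groups">
        <field name="name">Bank Account Manager</field>
        <field name="category_id" ref="base.module_category_hidden"/>
    </record>

    <!-- Deny rule for every internal user: the domain (0, '=', 1) matches no
         record, so write/unlink on any bank account fails with an AccessError
         unless another group rule of the same user matches the record. -->
    <record id="rule_res_partner_bank_user_no_modify" model="ir.rule">
        <field name="name">Bank accounts: internal users may not edit or delete</field>
        <field name="model_id" ref="base.model_res_partner_bank"/>
        <field name="domain_force">[(0, '=', 1)]</field>
        <field name="groups" eval="[(4, ref('base.group_user'))]"/>
        <field name="perm_read" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>

    <!-- Allow rule for the new group: (1, '=', 1) matches every record. Because
         group rules are ORed, a user in both groups is allowed; a user with only
         base.group_user is denied. -->
    <record id="rule_res_partner_bank_manager_modify" model="ir.rule">
        <field name="name">Bank accounts: managers may edit and delete</field>
        <field name="model_id" ref="base.model_res_partner_bank"/>
        <field name="domain_force">[(1, '=', 1)]</field>
        <field name="groups" eval="[(4, ref('group_bank_account_manager'))]"/>
        <field name="perm_read" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>
</odoo>
```

The file is listed under `data` in the addon's `__manifest__.py`. Two points a practitioner should check before relying on this: record rules are enforced on the model, so edits made through the bank-account lines on the partner form are covered as well, but any code that calls `sudo()` bypasses them, so automated flows keep working while a manual account swap by an ordinary contact editor is refused. If the "advisor rights" option from the questions above is preferred over a dedicated group, the same two rules can be kept and the allow rule pointed at the advisor group instead of the new one.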