- 22/12/2022 20:54:44
Funny example, as that was an exact theft case we had to deal with, except they canceled the order after printing. But I still think it is different here. In general, people allowed to create sales orders would be expected to be able to set the delivery address. They are trusted to do that as part of their role.

Changing someone's bank details as a default rule for all users, when really it is solely a function of finance, is not about trust; it is about responsibilities.

But anyway, the feel I get here is that no one wants it, so we will just do it in our own code base.

On Thu, 22 Dec 2022, 10:47 pm Holger Brunn, <> wrote:
> During an evaluation of OCA payment order module we discovered a critical
> default security issue in Odoo. (Note this is V14, but I doubt Odoo did
> anything)

in my book that's not a security issue (which are cases where you can do stuff 
that's explicitly not meant to be possible) but a difference in expectations 
between you and Odoo SA. Is it a security issue that I can change the address 
of a customer who has ordered a bunch of 100k watches to my own address, let 
the system create the delivery slip, change back afterwards?

If you set up an Odoo instance where employees aren't trustworthy, modules 
(would need a specific module for bank accounts/partners) come to mind.
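As an added illustration of the "specific module for bank accounts/partners" mentioned above (this is not code from the thread, from OCA, or from Odoo SA), the following record-rule data file restricts write, create and unlink on `res.partner.bank` to the Odoo 14 accounting manager group while leaving read access untouched. It assumes the standard Odoo 14 external ids `base.model_res_partner_bank`, `base.group_user` and `account.group_account_manager`; the rule ids and the module name `partner_bank_finance_only` are made up for this example. It relies on the documented composition of group record rules: rules attached to the user's groups are OR'ed together, so the always-false rule on the base user group is overridden for members of the finance group, and everyone else is denied.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example module data file (hypothetical module partner_bank_finance_only).
     Place in security/partner_bank_rules.xml and list it in the manifest's "data". -->
<odoo>
    <data noupdate="1">

        <!-- Rule 1: every internal user is denied write/create/unlink on bank accounts.
             Domain (0, '=', 1) is Odoo's FALSE_LEAF, so no record ever matches.
             perm_read is False so this rule never touches read access. -->
        <record id="rule_partner_bank_deny_write_all" model="ir.rule">
            <field name="name">Bank accounts: internal users cannot modify</field>
            <field name="model_id" ref="base.model_res_partner_bank"/>
            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
            <field name="domain_force">[(0, '=', 1)]</field>
            <field name="perm_read" eval="False"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>

        <!-- Rule 2: finance (assumed: Odoo 14 "Billing Administrator" group) may modify
             any bank account. Domain (1, '=', 1) is TRUE_LEAF. Because group rules are
             combined with OR, a finance user who is also in base.group_user gets
             deny OR allow = allow; a plain user only has the deny rule. -->
        <record id="rule_partner_bank_allow_write_finance" model="ir.rule">
            <field name="name">Bank accounts: finance may modify</field>
            <field name="model_id" ref="base.model_res_partner_bank"/>
            <field name="groups" eval="[(4, ref('account.group_account_manager'))]"/>
            <field name="domain_force">[(1, '=', 1)]</field>
            <field name="perm_read" eval="False"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_unlink" eval="True"/>
        </record>

    </data>
</odoo>
```

The pattern deliberately avoids a global (group-less) rule: global rules are AND'ed with the group rules, so a global deny would lock finance out as well. After installing such a module, the check to run is that a non-finance user editing a partner's bank account gets an AccessError while a member of the finance group still can, and that both can still read existing records.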

