Impacted versions:
master: (since saas-14)
Steps to reproduce:

Current behavior:
No possibility to hide a config parameter for some group.
Expected behavior:
Secure these variables.
Video/Screenshot link (optional):
As of Odoo 11 ir.config.parameters (and many other similar internal tables) are only accessible by the system (administrators). This is a much better default, in order to harden the security.
When addons need to use a system parameter on behalf of a normal user, they can access it with a limited sudo() call. This ensures that all config parameters are safe by default. It was too common for security groups to be forgotten by mistake, exposing them easily via RPC to unprivileged users.
See also the introduction commit.
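
A stand-alone Python model of the pattern described in the comment above, added here as an illustration. It is not Odoo's code: the class, the function names and the sample values are constructed, and the access check is a simplified stand-in for the real ACL.

```python
# Stand-alone model of "system-only by default, limited sudo() where needed".
# Hypothetical names throughout; this does not import or reproduce Odoo.

class AccessError(Exception):
    pass


class ConfigParameters:
    """Stand-in for a parameter table that only the system may read."""

    def __init__(self, store, is_system=False):
        self._store = store
        self._is_system = is_system

    def sudo(self):
        # Elevated view of the same table, reachable only from server-side code.
        return ConfigParameters(self._store, is_system=True)

    def get_param(self, key, default=None):
        if not self._is_system:
            raise AccessError("config parameters are restricted to the system")
        return self._store.get(key, default)


# Constructed sample data.
STORE = {
    "web.base.url": "https://erp.example.test",
    "payment.api_secret": "constructed-secret-value",
}


def rpc_read(params, key):
    """What a direct read by an unprivileged caller amounts to: no elevation."""
    return params.get_param(key)


def signup_link(params, token):
    """Business method run on behalf of a normal user.

    The elevation is limited: the key is fixed in code, never taken from the
    caller, and only the derived value is returned. Passing a caller-supplied
    key through sudo() would re-expose the whole table.
    """
    base = params.sudo().get_param("web.base.url")
    return f"{base}/signup?token={token}"
```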