Odoo's security model uses multi-level access controls to restrict data access through groups, access control lists (ACLs), and rules at both the model and field level. Common vulnerabilities include injection, improper access controls, information leaks, and cross-site scripting. To break Odoo's security, one would try to exploit vulnerabilities like SQL injection, accessing data without proper permissions, or leaking sensitive information through unsafe domain combinations.
5. Multi-Level Access Control
User wants to
access data
GroupA
GroupB
User
data
ir.model.access
(groups)
ir.rule
(groups)
ir.rule
(global)
Per-field @groups
26. Merge Security Checklist
New fields/models? -> ACLs to add? Sensitive fields?
New methods? -> Private by default?
sudo? -> Double-check scope - record leaks - args
t-raw? -> Remove it quickly, unless it's a sanitized Html field
getattr? -> Find an alternative, there should be one...
(safe)_eval? -> Triple-check! Not for parsing data, right?
raw SQL? -> No %, concat or format(), right? Check again!
An ow in t o 're ta r…