I am showing certain notebook/pages according to user groups in an Odoo 11 form.

As per my architecture, I am unable to use access record rules per group for all employees, but as an alternative I made all fields on the employee form invisible (except employee name) for other employees, so a user can see full information for his/her own record only. But now I can see a security issue with inspect element (developer tools), where users are able to see other employees' information by removing the class (`.o_invisible_modifier`) in the developer tools. So, how can I secure my system by removing this issue?

Note: I have already blocked keyboard shortcuts and events for inspect element with jQuery.

Please suggest the best solution.

Thanks in advance.

Pawan Kumar Sharma

1 Answer

For the same reason, the Employee model was changed starting from Odoo 13. Now it is split between 2 models, where personal info is on one model and public info is on the other model.

But you can maybe do an extra manual check when you overwrite `write` and, I think it was, `read`.

https://github.com/odoo/odoo/blob/5b335396addb16456d61273ae6b0446913f7f489/addons/project/models/project.py#L1607

https://github.com/odoo/odoo/blob/5b335396addb16456d61273ae6b0446913f7f489/addons/project/models/project.py#L1625

Paxmees
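
A sketch of the manual check on `read` suggested in the answer, added here as an example and not taken from the answer or from Odoo's code base. It strips non-public fields on the server, so the values never reach the browser regardless of `.o_invisible_modifier`. `PUBLIC_FIELDS`, `redact_rows`, the choice of `hr.group_hr_user` as the privileged group, and the sample rows are assumptions made for illustration.

```python
PUBLIC_FIELDS = frozenset({"id", "name", "display_name"})  # assumption: visible to colleagues


def redact_rows(rows, owner_by_id, uid, privileged=False):
    """Strip non-public keys from rows the requesting user does not own.

    rows        -- list of dicts as returned by Model.read()
    owner_by_id -- {employee id: id of the res.users record linked to it}
    uid         -- id of the user making the request
    """
    if privileged:
        return rows
    out = []
    for row in rows:
        if owner_by_id.get(row["id"]) == uid:
            out.append(row)  # own record: full data
        else:
            out.append({k: v for k, v in row.items() if k in PUBLIC_FIELDS})
    return out


try:  # Odoo is only importable inside a running server or addon
    from odoo import SUPERUSER_ID, api, models
except ImportError:
    models = None

if models is not None:
    class HrEmployee(models.Model):
        _inherit = "hr.employee"

        @api.multi
        def read(self, fields=None, load="_classic_read"):
            rows = super(HrEmployee, self).read(fields=fields, load=load)
            # sudo(): the owner lookup must work even if the caller cannot read user_id
            owners = {e.id: e.user_id.id for e in self.sudo()}
            # Internal sudo() reads and HR officers keep the full record
            full = (self.env.uid == SUPERUSER_ID
                    or self.env.user.has_group("hr.group_hr_user"))
            return redact_rows(rows, owners, self.env.uid, privileged=full)


# Constructed sample data (not from the original post).
SAMPLE = [
    {"id": 1, "name": "Alice", "mobile_phone": "555-0101", "bank_account_id": 7},
    {"id": 2, "name": "Bob", "mobile_phone": "555-0102", "bank_account_id": 9},
]
SAMPLE_OWNERS = {1: 10, 2: 11}  # employee id -> linked user id
```

This filters only what `read()` returns; a matching check on `write` is still needed, and record rules or the model split mentioned in the answer cover access paths that do not go through `read()`.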