Recent years have seen a steady increase in the digital threats faced by businesses, small and large alike. The security of business and personal data becomes more and more important every day, and the arrival of new regulation such as GDPR adds legal burden to the existing business risk.
XSS, CSRF, SQL injection, broken authentication, data leaks, and so on: all kinds of security problems happen every day, even to the biggest companies. We can't stop that, but we can at least prepare for it by carefully considering the risks and integrating best practices into daily coding tasks.
Before trying to break it, the talk will first describe the Odoo Security Model, with a quick recap of the key features built into the framework to help developers design secure Apps.
Then we'll explore a few real-life coding examples. We'll show how the security features are used in practice, and how they can be defeated if the developers are not careful, compromising the whole security of the system. Analyzing these examples will give substance and context to the security primitives, and help new and experienced developers integrate best practices into their development workflow.
5. Multi-Level Access Control
[Diagram: a user who wants to access data passes through several layers of checks tied to the user's groups (GroupA, GroupB) before reaching the data: ir.model.access (groups), ir.rule (groups), ir.rule (global), and per-field @groups.]
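To make the layering concrete, here is an added example (not Odoo's own code) that models the four layers from the diagram in plain Python: an ACL check per model and operation, record rules where global rules are AND-ed and group rules are OR-ed together, and per-field group restrictions. The model names, groups, users and tasks are constructed sample data; the semantics are simplified and the real implementation is the framework's.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

User = Dict[str, object]
Record = Dict[str, object]

@dataclass
class Rule:                                        # stands in for an ir.rule record
    model: str
    predicate: Callable[[User, Record], bool]     # the rule's domain, as a function
    groups: Set[str] = field(default_factory=set)  # empty set means a global rule

@dataclass
class AccessModel:
    acls: Set[tuple]                    # (model, group, operation), like ir.model.access
    rules: List[Rule]                   # record rules, like ir.rule
    field_groups: Dict[str, Set[str]]   # "model.field" -> groups, like @groups on a field

    def acl_allows(self, user, model, op):
        return any((model, g, op) in self.acls for g in user["groups"])

    def rule_allows(self, user, model, rec):
        glob = [r for r in self.rules if r.model == model and not r.groups]
        grp = [r for r in self.rules if r.model == model and r.groups & user["groups"]]
        # Global rules are AND-ed; group rules are OR-ed, then AND-ed with the globals.
        return all(r.predicate(user, rec) for r in glob) and \
               (not grp or any(r.predicate(user, rec) for r in grp))

    def read(self, user, model, records):
        if not self.acl_allows(user, model, "read"):
            raise PermissionError(f"no read ACL on {model}")
        out = []
        for rec in records:
            if self.rule_allows(user, model, rec):   # record-level filtering
                out.append({f: v for f, v in rec.items()   # field-level filtering
                            if not self.field_groups.get(f"{model}.{f}")
                            or self.field_groups[f"{model}.{f}"] & user["groups"]})
        return out

# Constructed sample data: a task model with a company rule and a manager-only field.
ACCESS = AccessModel(
    acls={("project.task", "base.group_user", "read"),
          ("project.task", "project.group_manager", "read"),
          ("project.task", "project.group_manager", "write")},
    rules=[Rule("project.task", lambda u, r: r["company_id"] == u["company_id"]),  # global
           Rule("project.task", lambda u, r: r["user_id"] == u["id"], {"base.group_user"}),
           Rule("project.task", lambda u, r: True, {"project.group_manager"})],
    field_groups={"project.task.budget": {"project.group_manager"}},
)
TASKS = [{"id": 1, "user_id": 7, "company_id": 1, "budget": 5000},
         {"id": 2, "user_id": 8, "company_id": 1, "budget": 900},
         {"id": 3, "user_id": 7, "company_id": 2, "budget": 100}]
EMPLOYEE = {"id": 7, "company_id": 1, "groups": {"base.group_user"}}
MANAGER = {"id": 9, "company_id": 1, "groups": {"base.group_user", "project.group_manager"}}
PORTAL = {"id": 3, "company_id": 1, "groups": {"base.group_portal"}}
```

Running `ACCESS.read(EMPLOYEE, "project.task", TASKS)` returns only task 1 without its budget, the manager sees tasks 1 and 2 with budgets, and the portal user is refused at the ACL layer before any record is examined.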
26. Merge Security Checklist
New fields/models? -> ACLs to add? Sensitive fields?
New methods? -> Private by default?
sudo? -> Double-check scope - record leaks - args
t-raw? -> Remove it quickly, unless it's a sanitized Html field
getattr? -> Find an alternative, there should be one...
(safe)_eval? -> Triple-check! Not for parsing data, right?
raw SQL? -> No %, concat or format(), right? Check again!