Contributors mailing list archives
contributors@odoo-community.org
[PSA] mail template editor group, mass mailing user group
by Holger Brunn
Hi all,
Today I became aware that Odoo by default (and by design) assigns the mail
template editor group to all backend users. Sounds harmless, but being a
member of this group allows you to run code, and when you can run code you can
do all kinds of nefarious things in the database.
Given that I've been busy with Odoo for a very long time, I'm a little ashamed that this
is news to me, but as a few colleagues I asked were also not aware of this,
it seems a good idea to me to spread awareness.
On https://github.com/OCA/social/pull/1319 you will find a module that helps you
remove this potentially dangerous group from your users.
A very similar issue is mass_mailing with the mass mailing user group; the
above PR also contains a module to address that.
My (and my customers') expectation is: Nobody can run code unless explicitly added
to some high-privilege group like mass mailing user, and those
modules help implement this.
Best regards,
Holger
--
Your partner for the hard Odoo problems
https://hunki-enterprises.com
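
An audit sketch for the expectation stated in the post above, added here as an example (not part of the original message and not code from the linked PR): it finds which groups end up granting the two sensitive groups and which users hold them without explicit approval. It assumes groups are granted transitively through implied groups; the XML ids, the `example.*` groups, the users and the allowlist are constructed for illustration.

```python
# Constructed sample data; not read from a real Odoo database.
# Assumption: a group can imply other groups, and membership is transitive.
SENSITIVE = {"mail.group_mail_template_editor",
             "mass_mailing.group_mass_mailing_user"}  # assumed XML ids

IMPLIED = {  # group -> groups it implies (constructed)
    "base.group_user": {"mail.group_mail_template_editor"},  # default from the post
    "example.group_sales_manager": {"base.group_user"},      # hypothetical
    "example.group_marketing": {"mass_mailing.group_mass_mailing_user"},
    "base.group_portal": set(),
}

USER_GROUPS = {  # groups an administrator put each user in (constructed)
    "alice": {"example.group_sales_manager"},
    "bob": {"base.group_portal"},
    "carol": {"example.group_marketing"},
    "dave": {"base.group_user"},
}

APPROVED = {  # users explicitly cleared for each sensitive group (constructed)
    "mail.group_mail_template_editor": {"dave"},
    "mass_mailing.group_mass_mailing_user": {"carol"},
}

def effective_groups(groups, implied):
    """Return the groups plus everything they imply, transitively (cycle-safe)."""
    seen, stack = set(), list(groups)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(implied.get(group, ()))
    return seen

def granting_groups(target, implied):
    """Groups whose membership ends up granting `target`."""
    return {g for g in implied
            if g != target and target in effective_groups({g}, implied)}

def unapproved_holders(user_groups, implied, sensitive, approved):
    """Map each sensitive group to the users who hold it without approval."""
    report = {}
    for group in sorted(sensitive):
        holders = {user for user, groups in user_groups.items()
                   if group in effective_groups(groups, implied)}
        report[group] = sorted(holders - approved.get(group, set()))
    return report
```

With the constructed data, `alice` is reported for the template editor group even though nobody added her to it directly: she inherits it through two levels of implication.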
Follow-Ups
- Re: [PSA] mail template editor group, mass mailing user group
  by "Graeme Gellatly" <graeme@moahub.nz> - 29/02/2024 20:09:43
- Re: [PSA] mail template editor group, mass mailing user group
  by Holger Brunn
- Re: [PSA] mail template editor group, mass mailing user group
  by "Adam Heinz" <adam.heinz@metricwise.com> - 29/02/2024 19:11:02
- Re: [PSA] mail template editor group, mass mailing user group
  by Holger Brunn
- Re: [PSA] mail template editor group, mass mailing user group
  by "Adam Heinz" <adam.heinz@metricwise.com> - 29/02/2024 17:08:18