[RFC] Enable bots by parsing commands in mail messages #169
Comments
Messages would arrive to all followers?
Good point. Indeed that's the default behaviour. A solution could be to "capture" messages that begin with a "@", so that these are forwarded to the corresponding bot, and committed from the Chatter wall.
How would we prevent malicious usage? A security group of people allowed to issue commands?
@lasley You are replying to a "mail thread" - AFAIK the reply mail must have the Message ID of the thread. Maybe important operations should require a confirmation mail and reply?
Confirmation mail adds no security IMHO... odoo/odoo#11376 would be a problem, for instance.
The issue you link to can be solved with #169 (comment) |
I'm assuming the message ID is a UUID-4, just like all the other tokens in the system. While I would argue the security behind this implementation, the system considers it secure, so we probably should too. In that light, we'd probably be fine trusting the token in the email and optionally creating a module like OCA/server-tools#835 to lock it down.
Yeah we're probably good here too. Anyone with access to the thread would have access to issue the bot commands anyways right? I think this would mean that there would be no reason to attack from this vector?
How would this work with HTML emails?
Well, not quite. For example: we could have several followers, but only the Manager would have approval authorization. A resourceful follower Employee could forge a mail impersonating the Manager. I'm aware this proposal is not perfect from a security PoV, but hopefully it is good enough for a good range of use cases.
An html2text is needed for that, but it sounds doable.
I only see one single use case for this proposal: being able to control Odoo through email, saving time and effort. If the manager must approve any requests made by anybody, the time saving is lost, and then I cannot imagine a use case. OTOH we have to keep in mind that training users to use this would be very hard. And what about translations? Not sure in your country, but here not many people speak English. Chances of getting
Both assertions are true... IMHO they are enough to abort this proposal... 😞 One alternative solution that you can have is adding some buttons to mail templates. For instance, when getting a mail from an issue, you get buttons to self-assign the issue and to edit it. That is easy to use and safe, although you still have to open Odoo for that. v10 is way faster opening, so that should not be an excessive problem either. I'd go that way, honestly.
Couldn't we inspect the email headers to circumvent this, matching the user against the address in the One could reasonably assume that inbound emails have already passed spam protection (DMARC & SPF minimal), thus the sender domain is validated. IMO domain validation is good enough, because traceability is still there. If a resourceful employee does decide to get out of line, they can be terminated. If a customer out of line, hopefully we didn't give them rights to do anything stupid. And hopefully we don't allow customers to send from our own domain. My main worry here would be a malicious external entity attempting to issue requests under my domain, from within a message they have rights to.
I've implemented something like this before in the past, and the solution was to halt message processing when an invalid command is detected. A helper message is sent back to the user that was attempting a command, which includes shortcut usage instructions & a copy of their original message. That said, our system was pretty limited in scope, so it was easy enough to have an In the abstract, how would we determine which shortcuts apply to which objects? From there, which objects are applicable to which mail messages?
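The checks discussed in this thread (the reply must carry the Message-ID token of a known thread, the sender domain must have passed DMARC at the inbound MTA, and the whole message is refused with a help reply as soon as one command line is not recognised) can be combined into a single inbound filter. The following is an added example written for this discussion, not code from the proposal, from Odoo or from OCA; the thread registry, the allowed command set, the allowed domains, the `mx.example.com` authserv-id and the sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed registry: thread root Message-IDs the bot knows, treated as the
# unguessable token the thread above relies on, mapped to the target record.
KNOWN_THREADS = {
    "<thread-7f3c9d2e-constructed@example.com>": {"record": "project.issue,42"},
}

# Constructed policy: commands the bot understands and domains allowed to use them.
ALLOWED_COMMANDS = {"tag", "assign"}
ALLOWED_DOMAINS = {"example.com"}

# Assumed authserv-id of our own inbound MTA. Only an Authentication-Results
# header written by this MTA is trusted (RFC 8601 puts the authserv-id first),
# so a copy of the header supplied by the sender carries no weight.
AUTHSERV_ID = "mx.example.com"

COMMAND_RE = re.compile(r"^@(?P<cmd>\w+)(?:\s+(?P<arg>.*))?$")


def sender_authenticated(msg):
    """True only if our MTA recorded a DMARC pass for this message."""
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = str(hdr).strip()
        if hdr.startswith(AUTHSERV_ID) and re.search(r"\bdmarc=pass\b", hdr):
            return True
    return False


def parse_commands(text):
    """Return (commands, error). Lines starting with '@' are commands; the
    first unrecognised one aborts the whole message (no partial execution)."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("@"):
            continue  # ordinary reply text, not a command
        m = COMMAND_RE.match(line)
        if not m or m.group("cmd") not in ALLOWED_COMMANDS:
            return [], "unknown command: " + line
        commands.append((m.group("cmd"), (m.group("arg") or "").strip()))
    return commands, None


def process_mail(raw):
    """Validate an inbound reply and extract its bot commands."""
    msg = email.message_from_string(raw, policy=policy.default)

    # 1. The reply must reference a thread we know by its Message-ID token.
    refs = (str(msg.get("In-Reply-To", "")) + " " + str(msg.get("References", ""))).split()
    thread = next((KNOWN_THREADS[r] for r in refs if r in KNOWN_THREADS), None)
    if thread is None:
        return {"status": "rejected", "reason": "unknown thread"}

    # 2. The sender domain must be allowed and DMARC-authenticated by our MTA.
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain not in ALLOWED_DOMAINS or not sender_authenticated(msg):
        return {"status": "rejected", "reason": "sender not authenticated"}

    # 3. Parse the plain-text part; any bad command yields a help reply that
    #    echoes the original text back to the sender instead of acting on it.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    commands, err = parse_commands(text)
    if err:
        return {"status": "help", "reason": err, "echo": text}
    return {"status": "ok", "record": thread["record"], "commands": commands}


# Constructed sample messages for a quick self-check.
GOOD_MAIL = """\
From: Manager <manager@example.com>
To: bot@example.com
In-Reply-To: <thread-7f3c9d2e-constructed@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Re: issue 42
Content-Type: text/plain; charset="utf-8"

@tag bug
@assign manager
Thanks.
"""

# Same thread and From address, but our MTA recorded a DMARC failure.
FORGED_MAIL = GOOD_MAIL.replace("dmarc=pass", "dmarc=fail")

# Authenticated sender, but one unknown command: the whole message is refused.
BAD_COMMAND_MAIL = GOOD_MAIL.replace("@assign manager", "@close")

if __name__ == "__main__":
    for name, raw in [("good", GOOD_MAIL), ("forged", FORGED_MAIL), ("bad", BAD_COMMAND_MAIL)]:
        print(name, process_mail(raw))
```

The sender check deliberately keys on the MTA's own Authentication-Results header rather than on the From address alone, since the From header is exactly what the thread notes a follower could forge; the Message-ID check and the domain check are independent, so a message has to satisfy all three before any command runs.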
I like this proposal. What if we could make a similar shortcut mechanism, but instead pair it with the visual side of things in the templates? It seems this would nail both the security and training side of things in a pretty elegant swoop.
I think "mail commands" can be useful for low impact actions, such as adding a Tag to an Issue (like some GitHub bots). So, in summary, IMO both approaches are complementary and adequate for different use cases.
There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
Example use cases: