Access to database manager and its URL are not configurable #5540

Closed
alejandrosantana opened this issue Mar 2, 2015 · 10 comments

@alejandrosantana

Access to database manager and its URL are not configurable

Impacted versions:

  • 8.0 and beyond, at least

Steps to reproduce:

  1. install Odoo
  2. load it in a browser

Current behavior:

You can access database manager via:

  • "Database manager" link at the bottom of the login page.
  • Adding "/web/database/manager" to the base Odoo url (as this is hardcoded in addons/web/controllers/main.py)

Expected behavior:

In order to improve security and avoid attacks as much as possible, it would be great to achieve these two things using the config file:

  • be able to deactivate/hide the "Database manager" link (by setting disable_database_manager in web/views/webclient_templates.xml to True)
  • modify the URL to the database manager (instead of the hardcoded "/web/database/manager").

This can increase security, as you could hide the link and choose the URL, and thus no one would know it, disallowing almost completely any brute-force attack against databases.

@jholze

jholze commented Mar 2, 2015

👍

@lukebranch

+1

@xmo-odoo xmo-odoo self-assigned this Mar 3, 2015
@xmo-odoo
Collaborator

xmo-odoo commented Mar 5, 2015

be able to deactivate/hide the "Database manager" link (by setting disable_database_manager in web/views/webclient_templates.xml to True)

The database manager must be available when there's no database, so that's not really an option.

modify the URL to the database manager (instead of the hardcoded "/web/database/manager").

Technically already possible: create a module "dbmanager" with the __init__ file

from openerp import http
from openerp.addons.web.controllers.main import Database

# Subclass the stock web controller and re-publish its manager() under a new path.
# auth='none' matches the original route: the manager has to work with no database.
class Dbtest(Database):
    @http.route('/dbmanager', type='http', auth='none')
    def manager(self, **kw):
        return super(Dbtest, self).manager(**kw)

and start the server with --load=web,dbmanager. However this won't be moving the other RPC endpoints and it won't change the link from the login page, so it's of fairly little use. You can disable them all by overriding all relevant methods without using the @route decorator though, that'll "unpublish" all the routes.

There's an internal task to disable the db manager via a command-line/configuration file flag, I could augment it with the ability to set the "root URL" for the manager (that is change the /web/database part)

And of course in production you really should have a reverse proxy in front of Odoo (if only to terminate TLS connections), you can trivially block or redirect any URL from there, or only allow them e.g. for internal IPs.

xmo-odoo added a commit to odoo-dev/odoo that referenced this issue Mar 30, 2015
* add an option ``--no-database-manager`` (and corresponding
  ``database_manager = False`` config setting) to completely disable the
  database manager:
  - disables the management URLs
  - removes UI links to these URLs
* add an option ``--database-manager = <url>`` to configure the database
  manager's url (same config file setting as above)
  - fixes up links from various templates
  - fixes up calls from JS: the database_manager client action now takes
    a ``root`` param

Odd discovery: the ``web.login_layout`` template had a test to remove
links to the database manager, but as far as I could see this wasn't
used anywhere, and the commit introducing it didn't actually make it
usable either.

task 9738
fixes odoo#5540
@alejandrosantana
Author

@xmo-odoo I see those commits. Are they intended for odoo 8.0, for some saas or for future v9? Or just unknown?
(And is there any way I could track that?)

@reedlaw

reedlaw commented Aug 4, 2015

I'd like to see this merged. What's blocking it?

@winston6071

This is definitely a good idea to improve security,

mostly you are using a webserver in front, so what about the option of disallowing the special URL except from your own VPN or local area network?

Any conclusion on this approach?

OH sorry, did not see this comment @xmo-odoo

And of course in production you really should have a reverse proxy in front of Odoo (if only to terminate TLS connections), you can trivially block or redirect any URL from there, or only allow them e.g. for internal IPs.
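Added example, not code from the Odoo project or from either commenter: a Python WSGI middleware that implements the allow-list xmo-odoo and winston6071 describe, so the /web/database/ URLs answer only to clients on internal (LAN/VPN) networks and are otherwise "unpublished" with a 404, while every other route passes through untouched. It assumes the manager page and its RPC endpoints all live under the /web/database/ prefix (the thread only confirms /web/database/manager is hardcoded), stands a stub in for Odoo's WSGI application, and believes X-Forwarded-For only when the direct peer is a listed reverse proxy; the address ranges and requests are constructed sample values.

```python
"""WSGI gate: expose Odoo's database-manager URLs to internal clients only.

Added example, not Odoo project code. Prefix, networks, stub app and sample
requests are constructed for illustration.
"""
import ipaddress

# Assumption: the manager page and its RPC endpoints all live under this prefix
# (the issue only confirms /web/database/manager is hardcoded).
DB_MANAGER_PREFIX = "/web/database/"


class DatabaseManagerGate:
    """Answer 404 for database-manager URLs unless the client is on an allowed network."""

    def __init__(self, app, allowed_networks, trusted_proxies=(), prefix=DB_MANAGER_PREFIX):
        self.app = app
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.trusted_proxies = [ipaddress.ip_network(n) for n in trusted_proxies]
        self.prefix = prefix

    def client_ip(self, environ):
        """Return the effective client address, or None if it cannot be trusted."""
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return None
        if not any(peer in net for net in self.trusted_proxies):
            # Direct connection: X-Forwarded-For is client-controlled, so ignore it.
            return peer
        forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
        if not forwarded:
            # A trusted proxy always sets the header; its absence is suspicious, deny.
            return None
        try:
            # The rightmost entry is the peer the trusted proxy itself saw; anything
            # to its left was supplied by the client and may be forged.
            return ipaddress.ip_address(forwarded.split(",")[-1].strip())
        except ValueError:
            return None

    def is_manager_path(self, path):
        return path == self.prefix.rstrip("/") or path.startswith(self.prefix)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if self.is_manager_path(path):
            ip = self.client_ip(environ)
            if ip is None or not any(ip in net for net in self.allowed):
                # 404 rather than 403: from outside, the routes simply do not exist.
                start_response("404 Not Found", [("Content-Type", "text/plain")])
                return [b"Not Found"]
        return self.app(environ, start_response)


def odoo_stub(environ, start_response):
    """Stands in for Odoo's WSGI application (assumed entry point); echoes the path."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["PATH_INFO"].encode()]


def request(app, path, remote_addr, forwarded_for=None):
    """Drive a WSGI app with a minimal environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if forwarded_for is not None:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded_for
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Sample policy (constructed): LAN/VPN ranges may use the manager; the only peer
# whose X-Forwarded-For is believed is the local reverse proxy.
example_gate = DatabaseManagerGate(
    odoo_stub,
    allowed_networks=["10.0.0.0/8", "192.168.0.0/16"],
    trusted_proxies=["127.0.0.1/32"],
)

if __name__ == "__main__":
    for path, peer, xff in [
        ("/web/login", "203.0.113.5", None),
        ("/web/database/manager", "203.0.113.5", None),
        ("/web/database/manager", "10.1.2.3", None),
        ("/web/database/create", "127.0.0.1", "203.0.113.5"),
        ("/web/database/create", "127.0.0.1", "10.1.2.3, 203.0.113.5"),
        ("/web/database/manager", "203.0.113.5", "10.1.2.3"),
    ]:
        print(path, peer, xff, "->", request(example_gate, path, peer, xff)[0])
```

With a real Odoo 8 deployment you would wrap the server's WSGI application object (assumed here to be openerp.service.wsgi_server.application, the entry point used by openerp-wsgi.py) in the same way, or express the identical rule in the reverse proxy itself. The "Database manager" link on the login page still renders; it just leads to a 404 for external clients, which is the effect xmo-odoo calls unpublishing the routes.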

@Yenthe666
Collaborator

@xmo-odoo could you give an update here please? It has been a while 😉

@eabquina

Any comments on this related to 10 or v11?

@bluemix
Contributor

bluemix commented Sep 14, 2019

any updates about this severe issue?!

@C3POdoo
Contributor

C3POdoo commented Mar 30, 2023

Dear @alejandrosantana,

Thank you for your report but we are closing it due to inactivity.
We apologise if we could not look at your request in time.
If your report still makes sense, don't hesitate to reopen a new one. We will try to check it as soon as possible.

This is an automated message.

@C3POdoo C3POdoo closed this as completed Mar 30, 2023