Access to database manager and its URL are not configurable #5540
Comments
👍 |
+1 |
The database manager must be available when there's no database, so that's not really an option.
Technically already possible: create a module "dbmanager" with the

```python
from openerp import http
from openerp.addons.web.controllers.main import Database


class Dbtest(Database):
    # Serve the inherited database manager view at /dbmanager.
    @http.route('/dbmanager', type='http', auth='none')
    def manager(self, **kw):
        return super(Dbtest, self).manager(**kw)
```

and start the server with

There's an internal task to disable the db manager via a command-line/configuration file flag, I could augment it with the ability to set the "root URL" for the manager (that is change the

And of course in production you really should have a reverse proxy in front of Odoo (if only to terminate TLS connections), you can trivially block or redirect any URL from there, or only allow them e.g. for internal IPs. |
* add an option ``--no-database-manager`` (and corresponding ``database_manager = False`` config setting) to completely disable the database manager:
  - disables the management URLs
  - removes UI links to these URLs
* add an option ``--database-manager = <url>`` to configure the database manager's url (same config file setting as above)
  - fixes up links from various templates
  - fixes up calls from JS: the database_manager client action now takes a ``root`` param

Odd discovery: the ``web.login_layout`` template had a test to remove links to the database manager, but as far as I could see this wasn't used anywhere, and the commit introducing it didn't actually make it usable either.

task 9738
fixes odoo#5540
@xmo-odoo I see those commits. Are they intended for odoo 8.0, for some saas or for future v9? Or just unknown? |
I'd like to see this merged. What's blocking it? |
This is definitely a good idea to improve security. Mostly you are using a web server in front, so what about the option of disallowing the special URL except from your own VPN or local area network? Any conclusion on this approach? Oh sorry, did not see this comment @xmo-odoo
|
@xmo-odoo could you give an update here please? It has been a while 😉 |
Any comments on this related to 10 or v11? |
Any updates about this severe issue?! |
Dear @alejandrosantana, Thank you for your report but we are closing it due to inactivity. This is an automated message. |
Access to database manager and its URL are not configurable
Impacted versions:
Steps to reproduce:
Current behavior:
You can access database manager via:
Expected behavior:
In order to improve security and avoid attacks as much as possible, it would be great to achieve these two things using the config file:
This can increase security, as you could hide the link and choose the URL and thus no one would know it, disallowing almost completely any brute-force attack on databases.