[10.0] web_responsive: security issue showing all menus

[mohamedhagag]

Dears,
I would like to congratulate all of you on the great work and effort being done here in OCA Repos.
We found a security flaw in the latest web responsive module starting from the version providing search in the drawer.
the security issue is that all users can access all menus when searching in the drawer which exposes security.
even the user can open the menu and see all records that he should not see.

Regards,

[pedrobaeza]

Are you sure about this? I think you are only able to search on allowed menus...

[mohamedhagag]

One of our cutomers who is paranoid about security discovered this and we tested it and found it real to some level.
For ex. the sales user who have 'Own docs only' group permission can see and access all other users' invoices and can see the amounts and other info in the tree view, but he can't open the form view and see all other info.

I can record a video and put the url here if you want to see it in action.
Regards,

[pedrobaeza]

I think that's totally unrelated to this modules, as this is controlled at another level: record rules. web_responsive has nothing to do with that. It only opens the action window, but if there's some record rules, they are applied at ORM level. Please try to reproduce the same on runbot.

[mohamedhagag]

I tested it on OCA's /web runbot and recorded below video to show what I mean.

Runbot DB: http://3316021-10-0-929879.runbot2.odoo-community.org/web#min=1&limit=80&view_type=list&model=res.users&action=71

Video URL: https://inet.dvit.me/share/s/G_okeMrDSI2AeHYjkC4Llg

[FLovison]

I have also verified the same issue ...

[pedrobaeza]

@yajo @Tardo can you confirm this issue?

[Tardo]

I think that it's a permissions issue not related with "web_responsive" module... with correct access rights Odoo deny access to the views correctly...

For me the problem it's that the search feature returns entries that you really don't have access to see. (Odoo launch access rights exception correctly if you select them)

** Tested on local machine

Query for search menu entries: https://github.com/OCA/web/blob/10.0/web_responsive/static/src/js/web_responsive.js#L316
Link to launch action: https://github.com/OCA/web/blob/10.0/web_responsive/static/src/xml/app_drawer_menu_search.xml#L8

[pedrobaeza]

Yeah, then it seems we have to limit to the actual menus that are visible.