Modules
8861 Odoo modules tracked across all registered organizationsActive Pull Requests 884
0 fresh 0 rotting 0 rotten
Security Findings
Errors 39
| Module | Code | Message |
|---|---|---|
| auth_passkey | acl-public-write | auth_passkey.access_auth_passkey_key_portal — Access rule grants write on 'model_auth_passkey_key' to the portal/public group 'base.group_portal' |
| auth_passkey | acl-public-write | auth_passkey.access_auth_passkey_key_create_portal — Access rule grants write/create/unlink on 'model_auth_passkey_key_create' to the portal/public group 'base.group_portal' |
| auth_totp_portal | acl-public-write | access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_discuss_channel_member_public — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_public' |
|
| acl-public-write | access_discuss_channel_member_portal — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_portal' |
|
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_mrp_production_serials — Access rule grants write/create on 'mrp.model_mrp_production_serials' to the portal/public group 'base.group_portal' |
| mrp_subcontracting_account | acl-public-write | access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal' |
| pms_website | acl-public-write | access_pms_property_public — Access rule grants write/create/unlink on 'pms_base.model_pms_property' to the portal/public group 'base.group_public' |
| project | acl-public-write | access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal' |
| test_access_rights | acl-public-write | access_test_access_right_some_obj_public — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_container_public — Access rule grants write/create/unlink on 'model_test_access_right_container' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_inherits_public — Access rule grants write/create/unlink on 'model_test_access_right_inherits' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_child_public — Access rule grants write/create/unlink on 'model_test_access_right_child' to the portal/public group 'base.group_public' |
| test_mail | acl-public-write | access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal' |
| test_mail | acl-public-write | access_mail_test_access_public_public — Access rule grants write on 'model_mail_test_access_public' to the portal/public group 'base.group_public' |
| test_mail | acl-public-write | access_mail_test_access_public_portal — Access rule grants write on 'model_mail_test_access_public' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 415
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_send_single_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_send_batch_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | route-public-sudo | /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account | route-public-sudo | /my/journal/<int:journal_id>/unsubscribe — Unauthenticated endpoint 'PortalAccount.portal_my_journal_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_payment | rule-group-bypass | payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_peppol | route-public-csrf-off | /peppol/webhook/new-message — Public HTTP endpoint 'PeppolWebhookController.webhook_new_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| account_peppol | route-public-sudo | /peppol/webhook/new-message — Unauthenticated endpoint 'PeppolWebhookController.webhook_new_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_peppol | route-public-csrf-off | /peppol/webhook/message-state-update — Public HTTP endpoint 'PeppolWebhookController.webhook_message_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| account_peppol | route-public-sudo | /peppol/webhook/message-state-update — Unauthenticated endpoint 'PeppolWebhookController.webhook_message_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_peppol | route-public-csrf-off | /peppol/webhook/user-state-update — Public HTTP endpoint 'PeppolWebhookController.webhook_user_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| account_peppol | route-public-sudo | /peppol/webhook/user-state-update — Unauthenticated endpoint 'PeppolWebhookController.webhook_user_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-public-sudo | /web/login/totp — Unauthenticated endpoint 'Home.web_totp' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_automation | route-public-csrf-off | /web/hook/<string:rule_uuid> — Public HTTP endpoint 'BaseAutomationController.call_webhook_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_automation | route-public-sudo | /web/hook/<string:rule_uuid> — Unauthenticated endpoint 'BaseAutomationController.call_webhook_http' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_report_to_printer_qztray | route-public-sudo | /qz-certificate/ — Unauthenticated endpoint 'SignMessage.qz_certificate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_report_to_printer_qztray | route-public-sudo | /qz-sign-message/ — Unauthenticated endpoint 'SignMessage.qz_sign_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_setup | route-auth-none | /kpi/summary — Endpoint 'KpiController.kpi_summary' uses auth="none": it runs with no user/session at all |
| base_vat | route-public-csrf-off | /base_vat/1/webhook_update_vies — Public HTTP endpoint 'BaseVatWebhookController.webhook_update_vies' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| bus | route-public-sudo | /bus/has_missed_notifications — Unauthenticated endpoint 'BusController.has_missed_notifications' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| bus | route-auth-none | /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| calendar | route-public-sudo | /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| digest | route-public-csrf-off | /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| digest | route-public-sudo | /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| event | route-public-sudo | /event/<model("event.event"):event>/ics — Unauthenticated endpoint 'EventController.event_ics_file' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| event | route-public-sudo | /event/<int:event_id>/my_tickets — Unauthenticated endpoint 'EventController.event_my_tickets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr | rule-group-bypass | ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_admin — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_overtime_line_rule_admin — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | route-public-sudo | /hr_attendance/<token> — Unauthenticated endpoint 'HrAttendance.open_kiosk_mode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/attendance_employee_data — Unauthenticated endpoint 'HrAttendance.employee_attendance_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/attendance_barcode_scanned — Unauthenticated endpoint 'HrAttendance.scan_barcode_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/manual_selection — Unauthenticated endpoint 'HrAttendance.manual_selection' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/employees_infos — Unauthenticated endpoint 'HrAttendance.employees_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_gamification | rule-group-bypass | hr_gamification_badge_group_hr_user_access — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_homeworking | rule-group-bypass | homeworking_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_homeworking_calendar | rule-group-bypass | homeworking_location_wizard_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_applicant_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_job_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_talent_pool_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | mail_message_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment_skills | rule-group-bypass | hr_applicant_skill_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_employee_skill_report_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_employee_skill_history_report_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_timesheet_attendance | rule-group-bypass | hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| html_editor | route-public-sudo | /web_editor/shape/<module>/<path:filename>, /html_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'HTML_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| http_routing | route-public-sudo | /website/translations — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-auth-none | /im_livechat/font-awesome — Endpoint 'LivechatController.fontawesome' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/odoo_ui_icons — Endpoint 'LivechatController.odoo_ui_icons' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/download_transcript/<int:channel_id> — Unauthenticated endpoint 'LivechatController.download_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-csrf-off | /im_livechat/cors/attachment/upload — Public HTTP endpoint 'LivechatAttachmentController.im_livechat_attachment_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_drivers | route-auth-none | /hw_proxy/scale_read — Endpoint 'ScaleReadHardwareProxy.scale_read' uses auth="none": it runs with no user/session at all |
| l10n_dk_nemhandel | route-public-csrf-off | /nemhandel/webhook/new-message — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_dk_nemhandel | route-public-sudo | /nemhandel/webhook/new-message — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_dk_nemhandel | route-public-csrf-off | /nemhandel/webhook/message-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_dk_nemhandel | route-public-sudo | /nemhandel/webhook/message-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_dk_nemhandel | route-public-csrf-off | /nemhandel/webhook/user-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_dk_nemhandel | route-public-sudo | /nemhandel/webhook/user-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_fr_pdp | route-public-csrf-off | /api/signaturit_authentication_status/1/webhooks — Public HTTP endpoint 'IapAuthenticationWebhook.notify_authentication_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_fr_pdp | route-public-sudo | /api/signaturit_authentication_status/1/webhooks — Unauthenticated endpoint 'IapAuthenticationWebhook.notify_authentication_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_fr_pdp | route-public-csrf-off | /peppol/webhook/new-regulatory-message — Public HTTP endpoint 'PdpWebhookController.webhook_regulatory_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_fr_pdp | route-public-sudo | /peppol/webhook/new-regulatory-message — Unauthenticated endpoint 'PdpWebhookController.webhook_regulatory_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_pe | route-public-sudo | /portal/state_infos/<model("res.country.state"):state> — Unauthenticated endpoint 'L10nPEPortalAccount.state_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_pe | route-public-sudo | /portal/city_infos/<model("res.city"):city> — Unauthenticated endpoint 'L10nPEPortalAccount.city_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_tw_edi_ecpay | route-public-csrf-off | /invoice/ecpay/agreed_invoice_allowance/<int:invoice_id> — Public HTTP endpoint 'EcpayInvoiceController.agreed_invoice_allowance' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| link_tracker | route-public-sudo | /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| route-public-sudo | /mail/guest/update_name — Unauthenticated endpoint 'GuestController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/reaction — Unauthenticated endpoint 'MessageReactionController.mail_message_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview/hide — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview_hide' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/post — Unauthenticated endpoint 'ThreadController.mail_message_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/update_content — Unauthenticated endpoint 'ThreadController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-csrf-off | /mail/unfollow — Public HTTP endpoint 'MailController.mail_action_unfollow' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
|
| route-public-sudo | /mail/unfollow — Unauthenticated endpoint 'MailController.mail_action_unfollow' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha>, /mail/font_to_img/<icon>, /mail/font_to_img/<icon>/<color>, /mail/font_to_img/<icon>/<color>/<int:size>, /mail/font_to_img/<icon>/<color>/<int:width>x<int:height>, /mail/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /mail/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /mail/font_to_img/<icon>/<color>/<bg>, /mail/font_to_img/<icon>/<color>/<bg>/<int:size>, /mail/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /mail/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'MailController.export_icon_to_png' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/attachment/upload — Unauthenticated endpoint 'AttachmentController.mail_attachment_upload' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/delete — Unauthenticated endpoint 'AttachmentController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/pdf_first_page/<int:attachment_id> — Unauthenticated endpoint 'AttachmentController.mail_attachment_pdf_first_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/update_thumbnail — Unauthenticated endpoint 'AttachmentController.mail_attachement_update_thumbnail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'PublicPageController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'RtcController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'RtcController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/join_call — Unauthenticated endpoint 'RtcController.channel_call_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/leave_call — Unauthenticated endpoint 'RtcController.channel_call_leave' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/cancel_call_invitation — Unauthenticated endpoint 'RtcController.channel_call_cancel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/ping — Unauthenticated endpoint 'RtcController.channel_ping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/attachments — Unauthenticated endpoint 'ChannelController.load_attachments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| mail_group | route-public-sudo | /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-csrf-off | /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_plugin | route-auth-none | /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all |
| mail_plugin | route-auth-none | /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-sudo | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| marketing_card | route-public-sudo | /cards/<string:card_slug>/card.jpg, /cards/<int:card_id>/card.jpg — Unauthenticated endpoint 'MarketingCardController.card_campaign_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| marketing_card | route-public-sudo | /cards/<string:card_slug>/preview, /cards/<int:card_id>/preview — Unauthenticated endpoint 'MarketingCardController.card_campaign_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| marketing_card | route-public-sudo | /cards/<string:card_slug>/redirect, /cards/<int:card_id>/redirect — Unauthenticated endpoint 'MarketingCardController.card_campaign_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-csrf-off | /mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/list/update — Unauthenticated endpoint 'MassMailController.mailing_update_list_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.mailing_send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_report_deactivate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.mailing_view_in_browser' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blocklist/add — Unauthenticated endpoint 'MassMailController.mail_blocklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blocklist/remove — Unauthenticated endpoint 'MassMailController.mail_blocklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /r/<string:code>/s/<int:sms_id_int> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments/details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | AdyenController.adyen_webhook — Public HTTP endpoint 'AdyenController.adyen_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_asiapay | route-public-csrf-off | AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_asiapay | route-public-sudo | AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_custom | route-public-csrf-off | CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_custom | route-public-sudo | CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_demo | route-public-sudo | PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ecpay | route-public-csrf-off | EcpayController.ecpay_return_from_checkout — Public HTTP endpoint 'EcpayController.ecpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ecpay | route-public-sudo | EcpayController.ecpay_return_from_checkout — Unauthenticated endpoint 'EcpayController.ecpay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ecpay | route-public-csrf-off | EcpayController.ecpay_webhook — Public HTTP endpoint 'EcpayController.ecpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ecpay | route-public-sudo | EcpayController.ecpay_webhook — Unauthenticated endpoint 'EcpayController.ecpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_flutterwave | route-public-csrf-off | FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_flutterwave | route-public-sudo | FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_iyzico | route-public-csrf-off | IyzicoController.iyzico_return_from_payment — Public HTTP endpoint 'IyzicoController.iyzico_return_from_payment' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_iyzico | route-public-csrf-off | IyzicoController.iyzico_webhook — Public HTTP endpoint 'IyzicoController.iyzico_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mercado_pago | route-public-sudo | /payment/mercado_pago/payments — Unauthenticated endpoint 'MercadoPagoPaymentController.mercado_pago_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mercado_pago | route-public-csrf-off | MercadoPagoPaymentController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoPaymentController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-csrf-off | MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-csrf-off | MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_nuvei | route-public-sudo | NuveiController.nuvei_return_from_checkout — Unauthenticated endpoint 'NuveiController.nuvei_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_nuvei | route-public-csrf-off | NuveiController.nuvei_webhook — Public HTTP endpoint 'NuveiController.nuvei_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_nuvei | route-public-sudo | NuveiController.nuvei_webhook — Unauthenticated endpoint 'NuveiController.nuvei_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paymob | route-public-sudo | PaymobController.paymob_return_from_checkout — Unauthenticated endpoint 'PaymobController.paymob_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paymob | route-public-csrf-off | PaymobController.paymob_webhook — Public HTTP endpoint 'PaymobController.paymob_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paymob | route-public-sudo | PaymobController.paymob_webhook — Unauthenticated endpoint 'PaymobController.paymob_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-sudo | PaypalController.paypal_complete_order — Unauthenticated endpoint 'PaypalController.paypal_complete_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payu | route-public-csrf-off | PayuController.payu_return_from_checkout — Public HTTP endpoint 'PayuController.payu_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payu | route-public-sudo | PayuController.payu_return_from_checkout — Unauthenticated endpoint 'PayuController.payu_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payu | route-public-csrf-off | PayuController.payu_webhook — Public HTTP endpoint 'PayuController.payu_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payu | route-public-sudo | PayuController.payu_webhook — Unauthenticated endpoint 'PayuController.payu_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_razorpay | route-public-csrf-off | RazorpayController.razorpay_return_from_checkout — Public HTTP endpoint 'RazorpayController.razorpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_razorpay | route-public-sudo | RazorpayController.razorpay_return_from_checkout — Unauthenticated endpoint 'RazorpayController.razorpay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_razorpay | route-public-csrf-off | RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_razorpay | route-public-sudo | RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-sudo | RedsysController.redsys_return_from_checkout — Unauthenticated endpoint 'RedsysController.redsys_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | RedsysController.redsys_webhook — Public HTTP endpoint 'RedsysController.redsys_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | RedsysController.redsys_webhook — Unauthenticated endpoint 'RedsysController.redsys_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | StripeController.stripe_return — Unauthenticated endpoint 'StripeController.stripe_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_webhook — Public HTTP endpoint 'StripeController.stripe_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_toss_payments | route-public-sudo | TossPaymentsController._toss_payments_success_return — Unauthenticated endpoint 'TossPaymentsController._toss_payments_success_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_toss_payments | route-public-sudo | TossPaymentsController._toss_payments_failure_return — Unauthenticated endpoint 'TossPaymentsController._toss_payments_failure_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_toss_payments | route-public-csrf-off | TossPaymentsController._toss_payments_webhook — Public HTTP endpoint 'TossPaymentsController._toss_payments_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_toss_payments | route-public-sudo | TossPaymentsController._toss_payments_webhook — Unauthenticated endpoint 'TossPaymentsController._toss_payments_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_worldline | route-public-sudo | WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_worldline | route-public-csrf-off | WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_worldline | route-public-sudo | WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-sudo | /payment/xendit/payment — Unauthenticated endpoint 'XenditController.xendit_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-csrf-off | XenditController.xendit_webhook — Public HTTP endpoint 'XenditController.xendit_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_xendit | route-public-sudo | XenditController.xendit_webhook — Unauthenticated endpoint 'XenditController.xendit_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-sudo | XenditController.xendit_return — Unauthenticated endpoint 'XenditController.xendit_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | route-public-sudo | /pos/ticket — Unauthenticated endpoint 'PosController.invoice_request_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | route-public-sudo | /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | route-public-sudo | /pos_customer_display/<id_>/<device_uuid> — Unauthenticated endpoint 'PosCustomerDisplay.pos_customer_display' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /my/address/country_info/<model("res.country"):country> — Unauthenticated endpoint 'CustomerPortal.portal_address_country_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /portal/chatter_init — Unauthenticated endpoint 'PortalChatter.portal_chatter_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_adyen | route-public-sudo | /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercado_pago | route-public-csrf-off | /pos_mercado_pago/notification — Public HTTP endpoint 'PosMercadoPagoWebhook.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_mercado_pago | route-public-sudo | /pos_mercado_pago/notification — Unauthenticated endpoint 'PosMercadoPagoWebhook.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercado_pago | route-auth-none | /pos_mercado_pago/notification — Endpoint 'PosMercadoPagoWebhook.notification' uses auth="none": it runs with no user/session at all |
| pos_mollie | route-public-csrf-off | /pos_mollie/webhook — Public HTTP endpoint 'PosMollie.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_mollie | route-public-sudo | /pos_mollie/webhook — Unauthenticated endpoint 'PosMollie.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_online_payment | route-public-sudo | /pos/pay/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_online_payment | route-public-sudo | /pos/pay/confirmation/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_qfpay | route-public-csrf-off | /qfpay/notify — Public HTTP endpoint 'QFPayNotificationController.qfpay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_qfpay | route-public-sudo | /qfpay/notify — Unauthenticated endpoint 'QFPayNotificationController.qfpay_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_safaricom | route-public-csrf-off | /pos_safaricom/callback — Public HTTP endpoint 'SafaricomController.safaricom_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_safaricom | route-public-sudo | /pos_safaricom/callback — Unauthenticated endpoint 'SafaricomController.safaricom_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_safaricom | route-public-csrf-off | /c2b/validation/callback — Public HTTP endpoint 'SafaricomController.c2b_validation_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_safaricom | route-public-sudo | /c2b/validation/callback — Unauthenticated endpoint 'SafaricomController.c2b_validation_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_safaricom | route-public-csrf-off | /c2b/confirmation/callback — Public HTTP endpoint 'SafaricomController.c2b_confirmation_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_safaricom | route-public-sudo | /c2b/confirmation/callback — Unauthenticated endpoint 'SafaricomController.c2b_confirmation_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /pos-self-order/process-order/<device_type>/ — Unauthenticated endpoint 'PosSelfOrderController.process_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /pos-self-order/validate-partner — Unauthenticated endpoint 'PosSelfOrderController.validate_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /pos-self/<config_id>, /pos-self/<config_id>/<path:subpath> — Unauthenticated endpoint 'PosSelfKiosk.start_self_ordering' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_viva_com | route-public-csrf-off | /pos_viva_com/notification — Public HTTP endpoint 'PosVivaComController.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_viva_com | route-public-sudo | /pos_viva_com/notification — Unauthenticated endpoint 'PosVivaComController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_viva_com | route-auth-none | /pos_viva_com/notification — Endpoint 'PosVivaComController.notification' uses auth="none": it runs with no user/session at all |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| rpc | route-auth-none | /web/version, /json/version — Endpoint 'RPC.version' uses auth="none": it runs with no user/session at all |
| rpc | route-auth-none | /jsonrpc — Endpoint 'JSONRPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| rpc | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'XMLRPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| rpc | route-auth-none | /xmlrpc/<service> — Endpoint 'XMLRPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| rpc | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'XMLRPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| rpc | route-auth-none | /xmlrpc/2/<service> — Endpoint 'XMLRPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_gelato | route-public-csrf-off | GelatoController.gelato_webhook — Public HTTP endpoint 'GelatoController.gelato_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| sale_gelato | route-public-sudo | GelatoController.gelato_webhook — Unauthenticated endpoint 'GelatoController.gelato_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_stock | rule-group-bypass | sale_order_line_rule_stock_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_stock | route-public-sudo | /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_stock | route-public-sudo | /my/picking/return/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_return_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sales_team | rule-group-bypass | crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sms | route-public-sudo | /sms/status — Unauthenticated endpoint 'SmsController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sms_twilio | route-public-csrf-off | /sms_twilio/status/<string:uuid> — Public HTTP endpoint 'SmsTwilioController.update_sms_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| sms_twilio | route-public-sudo | /sms_twilio/status/<string:uuid> — Unauthenticated endpoint 'SmsTwilioController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| spreadsheet_dashboard | route-public-sudo | /dashboard/share/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.share_portal' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| spreadsheet_dashboard | route-public-sudo | /dashboard/data/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.get_shared_dashboard_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/start/<string:survey_token> — Unauthenticated endpoint 'Survey.survey_start' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_http | route-auth-none | /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/concurrency_error — Endpoint 'TestHttp.concurrency_error' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/httprequest_attrs — Endpoint 'TestHttp.request_attrs' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/httprequest_environ — Endpoint 'TestHttp.request_environ' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/f2qs/step1/no-operation-to-perform — Endpoint 'TestHttp.f2qs_test' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/f2qs/step2/1-var-in-fragment — Endpoint 'TestHttp.f2qs_test_simple_fragment' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/f2qs/step3/3-var-in-fragment — Endpoint 'TestHttp.f2qs_test_3_args_fragment' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/f2qs/step4/empty-query-3-var-in-frag — Endpoint 'TestHttp.f2qs_test_empty_query_with_fragment' uses auth="none": it runs with no user/session at all |
| test_website | route-public-sudo | /test_website/model_item_sudo/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item_sudo' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/assets/<string:unique>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-public-sudo | /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/sign/get_fonts, /web/sign/get_fonts/<string:fontname> — Endpoint 'Binary.get_fonts' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web, /odoo, /odoo/<path:subpath>, /scoped_app/<path:subpath> — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /robots.txt — Endpoint 'Home.robots' uses auth="none": it runs with no user/session at all |
| web_pwa_customize | route-public-sudo | /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| webservice | route-public-csrf-off | /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| webservice | route-public-sudo | /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /model/<string:page_name_slugified>, /model/<string:page_name_slugified>/page/<int:page_number>, /model/<string:page_name_slugified>/<string:record_slug> — Unauthenticated endpoint 'ModelPageController.generic_model' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-csrf-off | /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.customers_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | rule-group-bypass | ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event | rule-group-bypass | ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event | route-public-sudo | WebsiteEventController.events — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | route-public-sudo | /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | route-public-sudo | /event_sponsor/<int:sponsor_id>/read — Unauthenticated endpoint 'ExhibitorController.event_sponsor_read' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/track/send_email_reminder — Unauthenticated endpoint 'EventTrackController.send_email_reminder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_live | route-public-sudo | /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | rule-group-bypass | website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/<model("forum.post"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/page/<int:page> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | route-public-sudo | /website_hr_recruitment/check_recent_application — Unauthenticated endpoint 'WebsiteHrRecruitment.check_recent_application' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_group | route-public-sudo | /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_payment | route-public-sudo | /website_payment/snippet/supported_payment_methods — Unauthenticated endpoint 'PaymentPortal.get_supported_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | WebsiteSale.shop — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/<model("product.template"):product_template>/document/<int:document_id> — Unauthenticated endpoint 'WebsiteSale.product_document' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/product/is_add_to_cart_allowed — Unauthenticated endpoint 'WebsiteSale.is_add_to_cart_allowed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/update_address — Unauthenticated endpoint 'WebsiteSale.shop_update_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/set_delivery_method — Unauthenticated endpoint 'Delivery.shop_set_delivery_method' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/get_delivery_rate — Unauthenticated endpoint 'Delivery.shop_get_delivery_rate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | Cart.cart — Unauthenticated endpoint 'Cart.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | Cart.add_to_cart — Unauthenticated endpoint 'Cart.add_to_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /website/form/shop.sale.order — Unauthenticated endpoint 'WebsiteSaleForm.website_form_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_charge_payment_fee | route-public-sudo | /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.shop_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_collect | route-public-sudo | /shop/set_click_and_collect_location — Unauthenticated endpoint 'InStoreDelivery.shop_set_click_and_collect_location' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty | route-public-sudo | /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_mondialrelay | route-public-sudo | /website_sale_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock | route-public-sudo | /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSaleStock.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<int:wish_id> — Unauthenticated endpoint 'WebsiteSaleWishlist.remove_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | rule-group-bypass | rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | route-public-sudo | /slides/<int:channel_id>, /slides/<int:channel_id>/category/<int:category_id>, /slides/<int:channel_id>/category/<int:category_id>/page/<int:page>, /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group |
Active Pull Requests 522
0 fresh 0 rotting 0 rotten
Security Findings
Errors 40
| Module | Code | Message |
|---|---|---|
| account_avatax_exemption_base | acl-public-write | access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to the portal/public group 'base.group_portal' |
| auth_totp_portal | acl-public-write | access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| fieldservice_route | acl-public-write | access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal' |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| l10n_bg_report_theme | acl-global-write | access_base_document_layout_colors — Access rule grants write/create/unlink on 'model_base_document_layout_colors' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_discuss_channel_member_public — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_public' |
|
| acl-public-write | access_discuss_channel_member_portal — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_portal' |
|
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting_account | acl-public-write | access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal' |
| partner_autocomplete | acl-public-write | access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal' |
| password_security | acl-public-write | access_res_users_pass_history_portal — Access rule grants create on 'model_res_users_pass_history' to the portal/public group 'base.group_portal' |
| project | acl-public-write | access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal' |
| test_access_rights | acl-public-write | access_test_access_right_some_obj_public — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_container_public — Access rule grants write/create/unlink on 'model_test_access_right_container' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_inherits_public — Access rule grants write/create/unlink on 'model_test_access_right_inherits' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_child_public — Access rule grants write/create/unlink on 'model_test_access_right_child' to the portal/public group 'base.group_public' |
| test_mail | acl-public-write | access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal' |
| test_mail | acl-public-write | access_mail_test_public_public — Access rule grants write on 'model_mail_test_public' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 491
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_send_single_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_send_batch_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | route-public-sudo | /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_avatax_exemption | route-public-sudo | /exemption/<int:exemption_id> — Unauthenticated endpoint 'Exemption.get_exemption' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_brand | acl-global-read | res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set |
| account_payment | rule-group-bypass | payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_statement_import_online_gocardless | route-public-csrf-off | /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| account_statement_import_online_gocardless | route-public-sudo | /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| ai_oca_bridge | route-public-csrf-off | /ai/response/<int:execution_id>/<string:token> — Public HTTP endpoint 'AIController.ai_process_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| ai_oca_bridge | route-public-sudo | /ai/response/<int:execution_id>/<string:token> — Unauthenticated endpoint 'AIController.ai_process_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-public-sudo | /web/login/totp — Unauthenticated endpoint 'Home.web_totp' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| automation_oca | route-public-sudo | /automation_oca/track/<int:record_id>/<string:token>/blank.gif — Unauthenticated endpoint 'AutomationOCAController.automation_oca_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| automation_oca | route-public-sudo | /r/<string:code>/au/<int:record_id>/<string:token> — Unauthenticated endpoint 'AutomationOCAController.automation_oca_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| base | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| base | route-auth-none | /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| base_automation | route-public-csrf-off | /web/hook/<string:rule_uuid> — Public HTTP endpoint 'BaseAutomationController.call_webhook_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_automation | route-public-sudo | /web/hook/<string:rule_uuid> — Unauthenticated endpoint 'BaseAutomationController.call_webhook_http' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_ical | route-auth-none | /base_ical/<int:calendar_id> — Endpoint 'ICalController.get_ical' uses auth="none": it runs with no user/session at all |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_vat | route-public-csrf-off | /base_vat/1/webhook_update_vies — Public HTTP endpoint 'BaseVatWebhookController.webhook_update_vies' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| bus | route-public-sudo | /bus/has_missed_notifications — Unauthenticated endpoint 'BusController.has_missed_notifications' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| bus | route-public-sudo | /bus/get_autovacuum_info — Unauthenticated endpoint 'BusController.get_autovacuum_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| bus | route-auth-none | /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| calendar | route-public-sudo | /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| cross_connect_client | route-public-sudo | /cross_connect_server/<int:server_id> — Unauthenticated endpoint 'CrossConnectController.cross_connect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| crowdfunding | route-public-sudo | /crowdfunding/<model('crowdfunding.challenge'):challenge>/pay — Unauthenticated endpoint 'Payment.crowdfunding_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| crowdfunding_public_pledge | route-public-sudo | /crowdfunding/<model('crowdfunding.challenge'):challenge>/pledge/<int:partner_id> — Unauthenticated endpoint 'CrowdfundingController.pledge_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| digest | route-public-csrf-off | /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| digest | route-public-sudo | /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| event | route-public-sudo | /event/<int:event_id>/my_tickets — Unauthenticated endpoint 'EventController.event_my_tickets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr | rule-group-bypass | ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_appraisal_oca | rule-group-bypass | hr_appraisal_hr_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | route-public-sudo | /hr_attendance/<token> — Unauthenticated endpoint 'HrAttendance.open_kiosk_mode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/attendance_employee_data — Unauthenticated endpoint 'HrAttendance.employee_attendance_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/attendance_barcode_scanned — Unauthenticated endpoint 'HrAttendance.scan_barcode_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/manual_selection — Unauthenticated endpoint 'HrAttendance.manual_selection_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/employees_infos — Unauthenticated endpoint 'HrAttendance.employees_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/is_fresh_db — Unauthenticated endpoint 'HrAttendance.is_fresh_db' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance_reason | route-public-sudo | /hr_attendance_reason/get_reasons — Unauthenticated endpoint 'HrAttendance.attendance_get_reasons' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance_rfid | rule-group-bypass | hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_homeworking | rule-group-bypass | homeworking_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_homeworking_calendar | rule-group-bypass | homeworking_location_wizard_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_applicant_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_candidate_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_job_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | mail_message_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment_skills | rule-group-bypass | hr_applicant_skill_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_employee_skill_report_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_timesheet_attendance | rule-group-bypass | hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| html_editor | route-public-sudo | /web_editor/shape/<module>/<path:filename>, /html_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'HTML_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| http_routing | route-public-sudo | /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hw_drivers | route-auth-none | /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scale_read — Endpoint 'ScaleReadHardwareProxy.scale_read' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_proxy/l10n_ke_cu_send — Public HTTP endpoint 'TremolG03Controller.l10n_ke_cu_send' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_proxy/l10n_ke_cu_send — Endpoint 'TremolG03Controller.l10n_ke_cu_send' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/iot_devices — Endpoint 'DisplayController.get_iot_devices' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/restart_odoo_service — Endpoint 'IotBoxOwlHomePage.odoo_service_restart' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/iot_logs — Endpoint 'IotBoxOwlHomePage.get_iot_logs' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/six_payment_terminal_clear — Endpoint 'IotBoxOwlHomePage.clear_six_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/clear_credential — Endpoint 'IotBoxOwlHomePage.clear_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/wifi_clear — Endpoint 'IotBoxOwlHomePage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/server_clear — Endpoint 'IotBoxOwlHomePage.clear_server_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/ping — Endpoint 'IotBoxOwlHomePage.ping' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/data — Endpoint 'IotBoxOwlHomePage.get_homepage_data' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/wifi — Endpoint 'IotBoxOwlHomePage.get_available_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/generate_password — Endpoint 'IotBoxOwlHomePage.generate_password' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/version_info — Endpoint 'IotBoxOwlHomePage.get_version_info' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/log_levels — Endpoint 'IotBoxOwlHomePage.log_levels' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/load_iot_handlers — Endpoint 'IotBoxOwlHomePage.load_iot_log_level' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/clear_iot_handlers — Endpoint 'IotBoxOwlHomePage.clear_iot_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/six_payment_terminal_add — Endpoint 'IotBoxOwlHomePage.add_six_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/save_credential — Endpoint 'IotBoxOwlHomePage.save_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/update_wifi — Endpoint 'IotBoxOwlHomePage.update_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/enable_ngrok — Endpoint 'IotBoxOwlHomePage.enable_remote_connection' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/connect_to_server — Endpoint 'IotBoxOwlHomePage.connect_to_odoo_server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/log_levels_update — Endpoint 'IotBoxOwlHomePage.update_log_level' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/update_git_tree — Endpoint 'IotBoxOwlHomePage.update_git_tree' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/font-awesome — Endpoint 'LivechatController.fontawesome' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/odoo_ui_icons — Endpoint 'LivechatController.odoo_ui_icons' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-csrf-off | /im_livechat/cors/attachment/upload — Public HTTP endpoint 'LivechatAttachmentController.im_livechat_attachment_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_bg_city | acl-global-read | access_res_city_types_read — Access rule grants read on 'model_res_city_types' to every user (portal/public included): no group is set |
| l10n_dk_nemhandel | route-public-csrf-off | /nemhandel/webhook/new-message — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_dk_nemhandel | route-public-sudo | /nemhandel/webhook/new-message — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_dk_nemhandel | route-public-csrf-off | /nemhandel/webhook/message-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_dk_nemhandel | route-public-sudo | /nemhandel/webhook/message-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_dk_nemhandel | route-public-csrf-off | /nemhandel/webhook/user-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_dk_nemhandel | route-public-sudo | /nemhandel/webhook/user-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_fr_pdp | route-public-csrf-off | /api/signaturit_authentication_status/1/webhooks — Public HTTP endpoint 'IapAuthenticationWebhook.notify_authentication_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_fr_pdp | route-public-sudo | /api/signaturit_authentication_status/1/webhooks — Unauthenticated endpoint 'IapAuthenticationWebhook.notify_authentication_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_pe_website_sale | route-public-sudo | /shop/state_infos/<model("res.country.state"):state> — Unauthenticated endpoint 'L10nPEWebsiteSale.state_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_pe_website_sale | route-public-sudo | /shop/city_infos/<model("res.city"):city> — Unauthenticated endpoint 'L10nPEWebsiteSale.city_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_tw_edi_ecpay | route-public-csrf-off | /invoice/ecpay/agreed_invoice_allowance/<int:invoice_id> — Public HTTP endpoint 'EcpayInvoiceController.agreed_invoice_allowance' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| link_tracker | route-public-sudo | /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| route-public-sudo | /mail/guest/update_name — Unauthenticated endpoint 'GuestController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/reaction — Unauthenticated endpoint 'MessageReactionController.mail_message_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview/hide — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview_hide' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/post — Unauthenticated endpoint 'ThreadController.mail_message_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/update_content — Unauthenticated endpoint 'ThreadController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-csrf-off | /mail/unfollow — Public HTTP endpoint 'MailController.mail_action_unfollow' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
|
| route-public-sudo | /mail/unfollow — Unauthenticated endpoint 'MailController.mail_action_unfollow' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/upload — Unauthenticated endpoint 'AttachmentController.mail_attachment_upload' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/delete — Unauthenticated endpoint 'AttachmentController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'PublicPageController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/<int:channel_id>/attachment/<int:attachment_id> — Unauthenticated endpoint 'BinaryController.discuss_channel_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/<int:channel_id>/image/<int:attachment_id>, /discuss/channel/<int:channel_id>/image/<int:attachment_id>/<int:width>x<int:height> — Unauthenticated endpoint 'BinaryController.fetch_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'RtcController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'RtcController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/join_call — Unauthenticated endpoint 'RtcController.channel_call_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/leave_call — Unauthenticated endpoint 'RtcController.channel_call_leave' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/cancel_call_invitation — Unauthenticated endpoint 'RtcController.channel_call_cancel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/ping — Unauthenticated endpoint 'RtcController.channel_ping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/attachments — Unauthenticated endpoint 'ChannelController.load_attachments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| mail_brand | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'BrandBinary.company_logo' uses auth="none": it runs with no user/session at all |
| mail_gateway | route-public-csrf-off | /gateway/<string:usage>/<string:token>/update — Public HTTP endpoint 'GatewayController.post_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-csrf-off | /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_plugin | route-auth-none | /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all |
| mail_plugin | route-auth-none | /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-sudo | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mail_tracking_mailgun | route-public-sudo | /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking_mailgun | route-auth-none | /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all |
| marketing_card | route-public-sudo | /cards/<string:card_slug>/card.jpg, /cards/<int:card_id>/card.jpg — Unauthenticated endpoint 'MarketingCardController.card_campaign_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| marketing_card | route-public-sudo | /cards/<string:card_slug>/preview, /cards/<int:card_id>/preview — Unauthenticated endpoint 'MarketingCardController.card_campaign_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| marketing_card | route-public-sudo | /cards/<string:card_slug>/redirect, /cards/<int:card_id>/redirect — Unauthenticated endpoint 'MarketingCardController.card_campaign_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-csrf-off | /mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/list/update — Unauthenticated endpoint 'MassMailController.mailing_update_list_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.mailing_send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_report_deactivate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.mailing_view_in_browser' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blocklist/add — Unauthenticated endpoint 'MassMailController.mail_blocklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blocklist/remove — Unauthenticated endpoint 'MassMailController.mail_blocklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /r/<string:code>/s/<int:sms_id_int> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| odoo_repository | route-public-csrf-off | /odoo-repository/data — Public HTTP endpoint 'OdooRepository.index' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| odoo_repository | route-public-sudo | /odoo-repository/data — Unauthenticated endpoint 'OdooRepository.index' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| odoo_repository | route-auth-none | /odoo-repository/data — Endpoint 'OdooRepository.index' uses auth="none": it runs with no user/session at all |
| payment | route-public-sudo | /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments/details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | AdyenController.adyen_webhook — Public HTTP endpoint 'AdyenController.adyen_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_asiapay | route-public-csrf-off | AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_asiapay | route-public-sudo | AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_custom | route-public-csrf-off | CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_custom | route-public-sudo | CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_demo | route-public-sudo | PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_easypay_oca | route-public-sudo | /payment/easypay/checkout/success — Unauthenticated endpoint 'EasyPayCheckoutCallbackController.easypay_checkout_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_easypay_oca | route-public-sudo | /payment/easypay/mb_reference/<int:tx_id> — Unauthenticated endpoint 'EasyPayCheckoutCallbackController.easypay_mb_reference' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_easypay_oca | route-public-sudo | /payment/easypay/checkout/cancel — Unauthenticated endpoint 'EasyPayCheckoutCallbackController.easypay_checkout_cancel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_easypay_oca | route-public-csrf-off | /payment/easypay/checkout — Public HTTP endpoint 'EasyPayCheckoutPageController.checkout_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_easypay_oca | route-public-sudo | /payment/easypay/checkout — Unauthenticated endpoint 'EasyPayCheckoutPageController.checkout_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_easypay_oca | route-public-csrf-off | /payment/easypay/webhook/generic — Public HTTP endpoint 'EasyPayWebhookController._generic_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_easypay_oca | route-public-csrf-off | /payment/easypay/webhook/authorisation — Public HTTP endpoint 'EasyPayWebhookController._authorisation_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_easypay_oca | route-public-csrf-off | /payment/easypay/webhook/transaction — Public HTTP endpoint 'EasyPayWebhookController.easypay_transaction_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_easypay_oca | route-public-sudo | /payment/easypay/webhook/transaction — Unauthenticated endpoint 'EasyPayWebhookController.easypay_transaction_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_easypay_oca | route-public-sudo | /payment/easypay/create_checkout_session — Unauthenticated endpoint 'EasyPayCheckoutSessionController.create_checkout_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_flutterwave | route-public-sudo | FlutterwaveController.flutterwave_return_from_checkout — Unauthenticated endpoint 'FlutterwaveController.flutterwave_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_flutterwave | route-public-csrf-off | FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_flutterwave | route-public-sudo | FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mercado_pago | route-public-sudo | MercadoPagoController.mercado_pago_return_from_checkout — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mercado_pago | route-public-csrf-off | MercadoPagoController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mercado_pago | route-public-sudo | MercadoPagoController.mercado_pago_webhook — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_return_from_checkout — Unauthenticated endpoint 'MollieController.mollie_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_webhook — Unauthenticated endpoint 'MollieController.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_nuvei | route-public-sudo | NuveiController.nuvei_return_from_checkout — Unauthenticated endpoint 'NuveiController.nuvei_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_nuvei | route-public-csrf-off | NuveiController.nuvei_webhook — Public HTTP endpoint 'NuveiController.nuvei_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_nuvei | route-public-sudo | NuveiController.nuvei_webhook — Unauthenticated endpoint 'NuveiController.nuvei_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-sudo | PaypalController.paypal_complete_order — Unauthenticated endpoint 'PaypalController.paypal_complete_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_razorpay | route-public-csrf-off | RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_razorpay | route-public-sudo | RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | StripeController.stripe_return — Unauthenticated endpoint 'StripeController.stripe_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_webhook — Public HTTP endpoint 'StripeController.stripe_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_worldline | route-public-sudo | WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_worldline | route-public-csrf-off | WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_worldline | route-public-sudo | WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-sudo | /payment/xendit/payment — Unauthenticated endpoint 'XenditController.xendit_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-csrf-off | XenditController.xendit_webhook — Public HTTP endpoint 'XenditController.xendit_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_xendit | route-public-sudo | XenditController.xendit_webhook — Unauthenticated endpoint 'XenditController.xendit_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-sudo | XenditController.xendit_return — Unauthenticated endpoint 'XenditController.xendit_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | route-public-sudo | /pos/ticket — Unauthenticated endpoint 'PosController.invoice_request_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | route-public-sudo | /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | route-public-sudo | /pos_customer_display/<id_>/<access_token> — Unauthenticated endpoint 'PosCustomerDisplay.pos_customer_display' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /portal/chatter_init — Unauthenticated endpoint 'PortalChatter.portal_chatter_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_adyen | route-public-sudo | /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercado_pago | route-public-csrf-off | /pos_mercado_pago/notification — Public HTTP endpoint 'PosMercadoPagoWebhook.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_mercado_pago | route-public-sudo | /pos_mercado_pago/notification — Unauthenticated endpoint 'PosMercadoPagoWebhook.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercado_pago | route-auth-none | /pos_mercado_pago/notification — Endpoint 'PosMercadoPagoWebhook.notification' uses auth="none": it runs with no user/session at all |
| pos_online_payment | route-public-sudo | /pos/pay/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_online_payment | route-public-sudo | /pos/pay/confirmation/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /pos-self-order/process-order-args/<device_type>/ — Unauthenticated endpoint 'PosSelfOrderController.process_order_args' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /pos-self/<config_id>, /pos-self/<config_id>/<path:subpath> — Unauthenticated endpoint 'PosSelfKiosk.start_self_ordering' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_viva_wallet | route-public-csrf-off | /pos_viva_wallet/notification — Public HTTP endpoint 'PosVivaWalletController.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_viva_wallet | route-public-sudo | /pos_viva_wallet/notification — Unauthenticated endpoint 'PosVivaWalletController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_viva_wallet | route-auth-none | /pos_viva_wallet/notification — Endpoint 'PosVivaWalletController.notification' uses auth="none": it runs with no user/session at all |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| project_update_portal | acl-global-read | project.access_project_update_portal — Access rule grants read on '?' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| report_substitute | acl-global-read | action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set |
| rma | route-public-sudo | /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_gelato | route-public-csrf-off | GelatoController.gelato_webhook — Public HTTP endpoint 'GelatoController.gelato_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| sale_gelato | route-public-sudo | GelatoController.gelato_webhook — Unauthenticated endpoint 'GelatoController.gelato_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_planner_calendar | rule-group-bypass | partner_all_documents_follower_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_report_delivered | rule-group-bypass | sale_report_delivered_see_all_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_stock | route-public-sudo | /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_stock | route-public-sudo | /my/picking/return/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_return_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sales_team | rule-group-bypass | crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sms | route-public-sudo | /sms/status — Unauthenticated endpoint 'SmsController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sms_twilio | route-public-csrf-off | /sms_twilio/status/<string:uuid> — Public HTTP endpoint 'SmsTwilioController.update_sms_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| sms_twilio | route-public-sudo | /sms_twilio/status/<string:uuid> — Unauthenticated endpoint 'SmsTwilioController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| spreadsheet_dashboard | route-public-sudo | /dashboard/share/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.share_portal' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| spreadsheet_dashboard | route-public-sudo | /dashboard/data/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.get_shared_dashboard_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| stock_measuring_device_zippcube | route-auth-none | /stock/zippcube/<string:zippcube_device_name>/measurement — Endpoint 'ZippcubeController.measurement' uses auth="none": it runs with no user/session at all |
| stock_vertical_lift | route-public-csrf-off | /vertical-lift — Public HTTP endpoint 'VerticalLiftController.vertical_lift' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| stock_vertical_lift | route-public-sudo | /vertical-lift — Unauthenticated endpoint 'VerticalLiftController.vertical_lift' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| storage_file | rule-group-bypass | ir_rule_storage_file_internal — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | route-public-sudo | /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_http | route-auth-none | /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/httprequest_attrs — Endpoint 'TestHttp.request_attrs' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/httprequest_environ — Endpoint 'TestHttp.request_environ' uses auth="none": it runs with no user/session at all |
| test_website | route-public-sudo | /test_website/model_item_sudo/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item_sudo' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| vault | route-public-sudo | /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| vault_share | route-public-sudo | /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/assets/<string:unique>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-public-sudo | /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/sign/get_fonts, /web/sign/get_fonts/<string:fontname> — Endpoint 'Binary.get_fonts' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/legacy/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web, /odoo, /odoo/<path:subpath>, /scoped_app/<path:subpath> — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /robots.txt — Endpoint 'Home.robots' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_pwa_customize | route-public-sudo | /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| webservice | route-public-csrf-off | /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| webservice | route-public-sudo | /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /model/<string:page_name_slugified>, /model/<string:page_name_slugified>/page/<int:page_number>, /model/<string:page_name_slugified>/<string:record_slug> — Unauthenticated endpoint 'ModelPageController.generic_model' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-csrf-off | /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_altcha | route-public-sudo | /altcha — Unauthenticated endpoint 'AltchaController.generate_altcha_challenge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.customers_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | rule-group-bypass | ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event | rule-group-bypass | ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event | route-public-sudo | /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | route-public-sudo | /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | route-public-sudo | /event_sponsor/<int:sponsor_id>/read — Unauthenticated endpoint 'ExhibitorController.event_sponsor_read' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_live | route-public-sudo | /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | rule-group-bypass | website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/<model("forum.post"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/page/<int:page> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | route-public-sudo | /website_hr_recruitment/check_recent_application — Unauthenticated endpoint 'WebsiteHrRecruitment.check_recent_application' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_group | route-public-sudo | /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id>/contributors/country/<model('res.country'):country>, /integrators/<integrator_id>/contributors/country/<model('res.country'):country>/page/<int:page>, /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_product_document_download_counter | route-public-sudo | /shop/<model("product.template"):product_template>/document/<int:document_id>/count — Unauthenticated endpoint 'ProductDocumentDownloadCounterController.product_document_with_counter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop, /shop/page/<int:page>, /shop/category/<model("product.public.category"):category>, /shop/category/<model("product.public.category"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/<model("product.template"):product_template>/document/<int:document_id> — Unauthenticated endpoint 'WebsiteSale.product_document' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/address/submit — Unauthenticated endpoint 'WebsiteSale.shop_address_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/update_address — Unauthenticated endpoint 'WebsiteSale.shop_update_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/country_info/<model("res.country"):country> — Unauthenticated endpoint 'WebsiteSale.shop_country_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/set_delivery_method — Unauthenticated endpoint 'Delivery.shop_set_delivery_method' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/get_delivery_rate — Unauthenticated endpoint 'Delivery.shop_get_delivery_rate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_autocomplete | route-public-sudo | /autocomplete/address — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_autocomplete | route-public-sudo | /autocomplete/address_full — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address_full' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_charge_payment_fee | route-public-sudo | /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.shop_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_collect | route-public-sudo | /shop/set_click_and_collect_location — Unauthenticated endpoint 'InStoreDelivery.shop_set_click_and_collect_location' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_financial_risk | route-public-csrf-off | CreditController.custom_process_transaction — Public HTTP endpoint 'CreditController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_sale_financial_risk | route-public-sudo | CreditController.custom_process_transaction — Unauthenticated endpoint 'CreditController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty | route-public-sudo | /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_page | route-public-sudo | /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_suggestion_wizard | route-public-sudo | /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_suggestion_wizard | route-public-sudo | /website_sale_loyalty_suggestion_wizard/get_defaults — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.get_default_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_suggestion_wizard | route-public-sudo | /website_sale_loyalty_suggestion_wizard/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.apply_promotion_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_mondialrelay | route-public-sudo | /website_sale_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_assortment | route-public-sudo | /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock | route-public-sudo | /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSaleStock.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<int:wish_id> — Unauthenticated endpoint 'WebsiteSaleWishlist.remove_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | rule-group-bypass | rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | route-public-sudo | /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/<int:channel_id>, /slides/<int:channel_id>/category/<int:category_id>, /slides/<int:channel_id>/category/<int:category_id>/page/<int:page>, /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group |
Active Pull Requests 242
0 fresh 0 rotting 0 rotten
Security Findings
Errors 77
| Module | Code | Message |
|---|---|---|
| auth_totp_portal | acl-public-write | access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_parcel — Access rule grants write/create/unlink on 'model_sendcloud_parcel' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_parcel_item — Access rule grants write/create/unlink on 'model_sendcloud_parcel_item' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_brand — Access rule grants write/create on 'model_sendcloud_brand' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_parcel_status — Access rule grants write/create on 'model_sendcloud_parcel_status' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_return — Access rule grants write/create on 'model_sendcloud_return' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_return_location — Access rule grants write/create on 'model_sendcloud_return_location' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_invoice — Access rule grants write/create on 'model_sendcloud_invoice' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_invoice_item — Access rule grants write/create/unlink on 'model_sendcloud_invoice_item' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_sender_address — Access rule grants write/create on 'model_sendcloud_sender_address' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_action_webhook — Access rule grants write/create on 'model_sendcloud_action' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_integration — Access rule grants write/create on 'model_sendcloud_integration' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_shipping_method_country — Access rule grants write/create/unlink on 'model_sendcloud_shipping_method_country' to EVERY user (portal/public included): no group is set |
| delivery_sendcloud_oca | acl-global-write | access_sendcloud_shipping_method_country_custom — Access rule grants write/create/unlink on 'model_sendcloud_shipping_method_country_custom' to EVERY user (portal/public included): no group is set |
| fieldservice_route | acl-public-write | access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal' |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| graphql_demo | route-user-csrf-off | /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| l10n_es_atc_mod417 | acl-global-write | access_l10n_es_atc_mod417_report_manager — Access rule grants write/create/unlink on 'model_l10n_es_atc_mod417_report' to EVERY user (portal/public included): no group is set |
| l10n_ro_account_anaf_sync | route-user-csrf-off | /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_discuss_channel_member_public — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_public' |
|
| acl-public-write | access_discuss_channel_member_portal — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal' |
|
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting_account | acl-public-write | access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal' |
| partner_aging | acl-global-write | res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set |
| partner_autocomplete | acl-public-write | access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal' |
| password_security | acl-public-write | access_res_users_pass_history_portal — Access rule grants create on 'model_res_users_pass_history' to the portal/public group 'base.group_portal' |
| project | acl-public-write | access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal' |
| project_version | acl-global-write | project_version — Access rule grants write/create/unlink on 'model_project_version' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| sql_export | acl-global-write | access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set |
| stock_reserve_sale | acl-global-write | stock_reserve_sale.access_sale_stock_reserve — Access rule grants write/create/unlink on 'stock_reserve_sale.model_sale_stock_reserve' to EVERY user (portal/public included): no group is set |
| stock_reserve_sale | acl-global-write | stock_reserve_sale.access_sale_stock_reserve_release — Access rule grants write/create/unlink on 'stock_reserve_sale.model_sale_stock_reserve_release' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-public-write | access_test_access_right_some_obj_public — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_container_public — Access rule grants write/create/unlink on 'model_test_access_right_container' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_inherits_public — Access rule grants write/create/unlink on 'model_test_access_right_inherits' to the portal/public group 'base.group_public' |
| test_access_rights | acl-public-write | access_test_access_right_child_public — Access rule grants write/create/unlink on 'model_test_access_right_child' to the portal/public group 'base.group_public' |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_mail | acl-public-write | access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal' |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| utm | acl-public-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to the portal/public group 'base.group_portal' |
| utm | acl-public-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to the portal/public group 'base.group_portal' |
| utm | acl-public-write | access_utm_source — Access rule grants create on 'model_utm_source' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 499
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | route-public-sudo | /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_brand | acl-global-read | res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set |
| account_payment | rule-group-bypass | payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_statement_import_online_gocardless | route-public-csrf-off | /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| account_statement_import_online_gocardless | route-public-sudo | /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| ai_oca_bridge | route-public-csrf-off | /ai/response/<int:execution_id>/<string:token> — Public HTTP endpoint 'AIController.ai_process_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| ai_oca_bridge | route-public-sudo | /ai/response/<int:execution_id>/<string:token> — Unauthenticated endpoint 'AIController.ai_process_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_oauth_autologin | route-auth-none | /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| automation_oca | route-public-sudo | /automation_oca/track/<int:record_id>/<string:token>/blank.gif — Unauthenticated endpoint 'AutomationOCAController.automation_oca_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| automation_oca | route-public-sudo | /r/<string:code>/au/<int:record_id>/<string:token> — Unauthenticated endpoint 'AutomationOCAController.automation_oca_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| base | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| base | route-auth-none | /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| base_automation | route-public-csrf-off | /web/hook/<string:rule_uuid> — Public HTTP endpoint 'BaseAutomationController.call_webhook_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_automation | route-public-sudo | /web/hook/<string:rule_uuid> — Unauthenticated endpoint 'BaseAutomationController.call_webhook_http' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_ebill_payment_contract | acl-global-read | access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_vat | route-public-csrf-off | /base_vat/1/webhook_update_vies — Public HTTP endpoint 'BaseVatWebhookController.webhook_update_vies' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| bus | route-auth-none | /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| calendar | route-public-sudo | /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| connector_jira | route-auth-none | /connector_jira/<int:backend_id>/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all |
| connector_jira | route-auth-none | /connector_jira/<int:backend_id>/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| delivery_sendcloud_oca | route-public-sudo | /shop/sendcloud_integration_webhook/<int:company_id> — Unauthenticated endpoint 'DeliverySendcloud.sendcloud_integration_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| delivery_sendcloud_oca | route-auth-none | /shop/sendcloud_integration_webhook/<int:company_id> — Endpoint 'DeliverySendcloud.sendcloud_integration_webhook' uses auth="none": it runs with no user/session at all |
| digest | route-public-csrf-off | /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| digest | route-public-sudo | /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| event | route-public-sudo | /event/<int:event_id>/my_tickets — Unauthenticated endpoint 'EventController.event_my_tickets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_account_analytic | rule-group-bypass | analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_recurring | rule-group-bypass | fsm_recurring_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_route | rule-group-bypass | fsm_route_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_route | rule-group-bypass | fsm_route_dayroute_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| helpdesk_ticket_partner_response | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'HelpdeskCustomerResponse.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr | rule-group-bypass | ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | route-public-sudo | /hr_attendance/<token> — Unauthenticated endpoint 'HrAttendance.open_kiosk_mode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/attendance_employee_data — Unauthenticated endpoint 'HrAttendance.employee_attendance_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/attendance_barcode_scanned — Unauthenticated endpoint 'HrAttendance.scan_barcode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance | route-public-sudo | /hr_attendance/manual_selection — Unauthenticated endpoint 'HrAttendance.manual_selection_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance_reason | route-public-sudo | /hr_attendance_reason/get_reasons — Unauthenticated endpoint 'HrAttendance.attendance_get_reasons' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr_attendance_rfid | rule-group-bypass | hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_homeworking | rule-group-bypass | homeworking_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_homeworking | rule-group-bypass | homeworking_location_wizard_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_applicant_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | hr_job_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment | rule-group-bypass | mail_message_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_recruitment_skills | rule-group-bypass | hr_applicant_skill_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_timesheet_attendance | rule-group-bypass | hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| http_routing | route-public-sudo | /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hw_drivers | route-auth-none | /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_proxy/l10n_ke_cu_send — Public HTTP endpoint 'TremolG03Controller.l10n_ke_cu_send' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_proxy/l10n_ke_cu_send — Endpoint 'TremolG03Controller.l10n_ke_cu_send' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/iot_devices — Endpoint 'DisplayController.get_iot_devices' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/restart_odoo_service — Endpoint 'IotBoxOwlHomePage.odoo_service_restart' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/iot_logs — Endpoint 'IotBoxOwlHomePage.get_iot_logs' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/six_payment_terminal_clear — Endpoint 'IotBoxOwlHomePage.clear_six_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/clear_credential — Endpoint 'IotBoxOwlHomePage.clear_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/wifi_clear — Endpoint 'IotBoxOwlHomePage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/server_clear — Endpoint 'IotBoxOwlHomePage.clear_server_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/ping — Endpoint 'IotBoxOwlHomePage.ping' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/data — Endpoint 'IotBoxOwlHomePage.get_homepage_data' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/wifi — Endpoint 'IotBoxOwlHomePage.get_available_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/generate_password — Endpoint 'IotBoxOwlHomePage.generate_password' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/version_info — Endpoint 'IotBoxOwlHomePage.get_version_info' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/log_levels — Endpoint 'IotBoxOwlHomePage.log_levels' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/load_iot_handlers — Endpoint 'IotBoxOwlHomePage.load_iot_log_level' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/clear_iot_handlers — Endpoint 'IotBoxOwlHomePage.clear_iot_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/six_payment_terminal_add — Endpoint 'IotBoxOwlHomePage.add_six_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/save_credential — Endpoint 'IotBoxOwlHomePage.save_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/update_wifi — Endpoint 'IotBoxOwlHomePage.update_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/enable_ngrok — Endpoint 'IotBoxOwlHomePage.enable_remote_connection' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/connect_to_server — Endpoint 'IotBoxOwlHomePage.connect_to_odoo_server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/log_levels_update — Endpoint 'IotBoxOwlHomePage.update_log_level' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/update_git_tree — Endpoint 'IotBoxOwlHomePage.update_git_tree' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/font-awesome — Endpoint 'LivechatController.fontawesome' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/odoo_ui_icons — Endpoint 'LivechatController.odoo_ui_icons' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/operator/<int:operator_id>/avatar — Unauthenticated endpoint 'LivechatController.livechat_operator_get_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/restart — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_restart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/post_welcome_steps — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_post_welcome_steps' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-csrf-off | /im_livechat/cors/attachment/upload — Public HTTP endpoint 'LivechatAttachmentController.im_livechat_attachment_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_template_oca | route-public-csrf-off | /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_template_oca | route-public-sudo | /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_template_oca | route-auth-none | /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_pe_website_sale | route-public-sudo | /shop/state_infos/<model("res.country.state"):state> — Unauthenticated endpoint 'L10nPEWebsiteSale.state_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_pe_website_sale | route-public-sudo | /shop/city_infos/<model("res.city"):city> — Unauthenticated endpoint 'L10nPEWebsiteSale.city_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_ro_account_anaf_sync | route-public-csrf-off | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_ro_account_anaf_sync | route-public-sudo | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| link_tracker | route-public-sudo | /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| route-public-sudo | /mail/guest/update_name — Unauthenticated endpoint 'GuestController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/reaction — Unauthenticated endpoint 'MessageReactionController.mail_message_add_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview/delete — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/update_content — Unauthenticated endpoint 'ThreadController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-csrf-off | /mail/unfollow — Public HTTP endpoint 'MailController.mail_action_unfollow' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
|
| route-public-sudo | /mail/unfollow — Unauthenticated endpoint 'MailController.mail_action_unfollow' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/init_messaging — Unauthenticated endpoint 'WebclientController.mail_init_messaging' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/upload — Unauthenticated endpoint 'AttachmentController.mail_attachment_upload' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/delete — Unauthenticated endpoint 'AttachmentController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'PublicPageController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/<int:channel_id>/partner/<int:partner_id>/avatar_128 — Unauthenticated endpoint 'BinaryController.discuss_channel_partner_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/<int:channel_id>/guest/<int:guest_id>/avatar_128 — Unauthenticated endpoint 'BinaryController.discuss_channel_guest_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/<int:channel_id>/attachment/<int:attachment_id> — Unauthenticated endpoint 'BinaryController.discuss_channel_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/<int:channel_id>/image/<int:attachment_id>, /discuss/channel/<int:channel_id>/image/<int:attachment_id>/<int:width>x<int:height> — Unauthenticated endpoint 'BinaryController.fetch_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'RtcController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'RtcController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/join_call — Unauthenticated endpoint 'RtcController.channel_call_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/leave_call — Unauthenticated endpoint 'RtcController.channel_call_leave' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/channel/cancel_call_invitation — Unauthenticated endpoint 'RtcController.channel_call_cancel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/ping — Unauthenticated endpoint 'RtcController.channel_ping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /discuss/channel/attachments — Unauthenticated endpoint 'ChannelController.load_attachments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| mail_gateway | route-public-csrf-off | /gateway/<string:usage>/<string:token>/update — Public HTTP endpoint 'GatewayController.post_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-csrf-off | /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_plugin | route-auth-none | /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all |
| mail_plugin | route-auth-none | /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all |
| mail_template_attachment_per_lang | acl-global-read | access_attachment_language_everyone — Access rule grants read on 'model_ir_attachment_language' to every user (portal/public included): no group is set |
| mail_tracking | route-public-sudo | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mail_tracking_mailgun | route-public-sudo | /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking_mailgun | route-auth-none | /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-csrf-off | /mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/list/update — Unauthenticated endpoint 'MassMailController.mailing_update_list_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.mailing_send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_report_deactivate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blocklist/add — Unauthenticated endpoint 'MassMailController.mail_blocklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blocklist/remove — Unauthenticated endpoint 'MassMailController.mail_blocklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /r/<string:code>/s/<int:sms_id_int> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| payment | route-public-sudo | /payment/status/poll — Unauthenticated endpoint 'PaymentPostProcessing.poll_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments/details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | AdyenController.adyen_webhook — Public HTTP endpoint 'AdyenController.adyen_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-sudo | AlipayController.alipay_return_from_checkout — Unauthenticated endpoint 'AlipayController.alipay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-csrf-off | AlipayController.alipay_webhook — Public HTTP endpoint 'AlipayController.alipay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_alipay | route-public-sudo | AlipayController.alipay_webhook — Unauthenticated endpoint 'AlipayController.alipay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_asiapay | route-public-csrf-off | AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_asiapay | route-public-sudo | AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_custom | route-public-csrf-off | CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_custom | route-public-sudo | CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_demo | route-public-sudo | PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_flutterwave | route-public-sudo | FlutterwaveController.flutterwave_return_from_checkout — Unauthenticated endpoint 'FlutterwaveController.flutterwave_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_flutterwave | route-public-csrf-off | FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_flutterwave | route-public-sudo | FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mercado_pago | route-public-sudo | MercadoPagoController.mercado_pago_return_from_checkout — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mercado_pago | route-public-csrf-off | MercadoPagoController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mercado_pago | route-public-sudo | MercadoPagoController.mercado_pago_webhook — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_return_from_checkout — Unauthenticated endpoint 'MollieController.mollie_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_webhook — Unauthenticated endpoint 'MollieController.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-csrf-off | OgoneController.ogone_return_from_checkout — Public HTTP endpoint 'OgoneController.ogone_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-sudo | OgoneController.ogone_return_from_checkout — Unauthenticated endpoint 'OgoneController.ogone_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_return_from_checkout — Public HTTP endpoint 'PaypalController.paypal_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_return_from_checkout — Unauthenticated endpoint 'PaypalController.paypal_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-sudo | PaypalController.paypal_return_from_canceled_checkout — Unauthenticated endpoint 'PaypalController.paypal_return_from_canceled_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-sudo | PayuLatamController.payulatam_return_from_checkout — Unauthenticated endpoint 'PayuLatamController.payulatam_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-csrf-off | PayuLatamController.payulatam_webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-sudo | PayuLatamController.payulatam_webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payumoney | route-public-csrf-off | PayUMoneyController.payumoney_return_from_checkout — Public HTTP endpoint 'PayUMoneyController.payumoney_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | PayUMoneyController.payumoney_return_from_checkout — Unauthenticated endpoint 'PayUMoneyController.payumoney_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_razorpay | route-public-csrf-off | RazorpayController.razorpay_return_from_checkout — Public HTTP endpoint 'RazorpayController.razorpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_razorpay | route-public-csrf-off | RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_razorpay | route-public-sudo | RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | SipsController.sips_return_from_checkout — Public HTTP endpoint 'SipsController.sips_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-sudo | SipsController.sips_return_from_checkout — Unauthenticated endpoint 'SipsController.sips_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | SipsController.sips_webhook — Public HTTP endpoint 'SipsController.sips_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-sudo | SipsController.sips_webhook — Unauthenticated endpoint 'SipsController.sips_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | StripeController.stripe_return — Unauthenticated endpoint 'StripeController.stripe_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_webhook — Public HTTP endpoint 'StripeController.stripe_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_worldline | route-public-sudo | WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_worldline | route-public-csrf-off | WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_worldline | route-public-sudo | WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-csrf-off | XenditController.xendit_webhook — Public HTTP endpoint 'XenditController.xendit_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_xendit | route-public-sudo | XenditController.xendit_webhook — Unauthenticated endpoint 'XenditController.xendit_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_xendit | route-public-sudo | XenditController.xendit_return — Unauthenticated endpoint 'XenditController.xendit_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | route-public-sudo | /pos/ticket — Unauthenticated endpoint 'PosController.invoice_request_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | route-public-sudo | /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_adyen | route-public-sudo | /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercado_pago | route-public-csrf-off | /pos_mercado_pago/notification — Public HTTP endpoint 'PosMercadoPagoWebhook.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_mercado_pago | route-public-sudo | /pos_mercado_pago/notification — Unauthenticated endpoint 'PosMercadoPagoWebhook.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercado_pago | route-auth-none | /pos_mercado_pago/notification — Endpoint 'PosMercadoPagoWebhook.notification' uses auth="none": it runs with no user/session at all |
| pos_online_payment | route-public-sudo | /pos/pay/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_online_payment | route-public-sudo | /pos/pay/confirmation/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /pos-self/<config_id>, /pos-self/<config_id>/<path:subpath> — Unauthenticated endpoint 'PosSelfKiosk.start_self_ordering' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /pos-self/get-category-image/<int:category_id> — Unauthenticated endpoint 'PosSelfKiosk.pos_self_order_get_cat_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_self_order | route-public-sudo | /menu/get-image/<int:product_id>, /menu/get-image/<int:product_id>/<int:image_size> — Unauthenticated endpoint 'PosSelfKiosk.pos_self_order_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_viva_wallet | route-public-csrf-off | /pos_viva_wallet/notification — Public HTTP endpoint 'PosVivaWalletController.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pos_viva_wallet | route-public-sudo | /pos_viva_wallet/notification — Unauthenticated endpoint 'PosVivaWalletController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_viva_wallet | route-auth-none | /pos_viva_wallet/notification — Endpoint 'PosVivaWalletController.notification' uses auth="none": it runs with no user/session at all |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| repair_picking_after_done | acl-global-write | access_repair_move_transfer_all — Access rule grants write/create/unlink on 'model_repair_move_transfer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| report_substitute | acl-global-read | action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set |
| rma | route-public-sudo | /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_stock | route-public-sudo | /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_stock | route-public-sudo | /my/picking/return/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_return_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sms | route-public-sudo | /sms/status — Unauthenticated endpoint 'SmsController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sms_twilio | route-public-csrf-off | /sms_twilio/status/<string:uuid> — Public HTTP endpoint 'SmsTwilioController.update_sms_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| sms_twilio | route-public-sudo | /sms_twilio/status/<string:uuid> — Unauthenticated endpoint 'SmsTwilioController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| spreadsheet_dashboard | route-public-sudo | /dashboard/share/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.share_portal' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| spreadsheet_dashboard | route-public-sudo | /dashboard/data/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.get_shared_dashboard_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | rule-group-bypass | survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | route-public-sudo | /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_http | route-auth-none | /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/httprequest_attrs — Endpoint 'TestHttp.request_attrs' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/httprequest_environ — Endpoint 'TestHttp.request_environ' uses auth="none": it runs with no user/session at all |
| test_website | route-public-sudo | /test_website/model_item_sudo/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item_sudo' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| upgrade_analysis | acl-global-read | access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set |
| upgrade_analysis | acl-global-read | access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/assets/<string:unique>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-public-sudo | /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /robots.txt — Endpoint 'Home.robots' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_editor | route-public-sudo | /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_pwa_customize | route-public-sudo | /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| webservice | route-public-csrf-off | /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| webservice | route-public-sudo | /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /model/<string:page_name_slugified>, /model/<string:page_name_slugified>/page/<int:page_number>, /model/<string:page_name_slugified>/<string:record_slug> — Unauthenticated endpoint 'ModelPageController.generic_model' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-csrf-off | /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | rule-group-bypass | ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event | rule-group-bypass | ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event | route-public-sudo | /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | route-public-sudo | /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | route-public-sudo | /event_sponsor/<int:sponsor_id>/read — Unauthenticated endpoint 'ExhibitorController.event_sponsor_read' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_live | route-public-sudo | /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | rule-group-bypass | website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/<model("forum.post"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/page/<int:page> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | route-public-sudo | /website_hr_recruitment/check_recent_application — Unauthenticated endpoint 'WebsiteHrRecruitment.check_recent_application' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_group | route-public-sudo | /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_product_configurator | route-public-sudo | /website_product_configurator/onchange — Unauthenticated endpoint 'ProductConfigWebsiteSale.onchange' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_product_configurator | route-public-sudo | /website_product_configurator/save_configuration — Unauthenticated endpoint 'ProductConfigWebsiteSale.save_configuration' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_product_configurator | route-public-sudo | /product_configurator/product/<model("product.config.session"):cfg_session_id> — Unauthenticated endpoint 'ProductConfigWebsiteSale.cfg_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop, /shop/page/<int:page>, /shop/category/<model("product.public.category"):category>, /shop/category/<model("product.public.category"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/<model("product.template"):product_template>/document/<int:document_id> — Unauthenticated endpoint 'WebsiteSale.product_document' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart/update_address — Unauthenticated endpoint 'WebsiteSale.update_cart_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/update_carrier — Unauthenticated endpoint 'WebsiteSaleDelivery.update_eshop_carrier' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_autocomplete | route-public-sudo | /autocomplete/address — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_autocomplete | route-public-sudo | /autocomplete/address_full — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address_full' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_cart_add_product_xlsx_csv | route-public-sudo | /shop/cart/import/example — Unauthenticated endpoint 'WebsiteSaleAddProductXlsxCsv.cart_import_example' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty | route-public-sudo | /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_menu_partner_top_selling | route-public-sudo | /shop/my_regular_products, /shop/my_regular_products/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.user_regular_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_mondialrelay | route-public-sudo | /website_sale_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_resource_booking | route-public-sudo | /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock | route-public-sudo | /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSale.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<int:wish_id> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | rule-group-bypass | rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | route-public-sudo | /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/<int:channel_id>, /slides/<int:channel_id>/category/<int:category_id>, /slides/<int:channel_id>/category/<int:category_id>/page/<int:page>, /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_twitter | route-public-sudo | /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
Active Pull Requests 115
0 fresh 0 rotting 0 rotten
Security Findings
Errors 260
| Module | Code | Message |
|---|---|---|
| account_avatax_exemption_base | acl-global-write | access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to EVERY user (portal/public included): no group is set |
| account_invoice_merge | acl-global-write | access_invoice_merge — Access rule grants write/create/unlink on 'model_invoice_merge' to EVERY user (portal/public included): no group is set |
| auth_totp_portal | acl-public-write | access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_comment_wizard — Access rule grants write/create/unlink on 'model_comment_wizard' to EVERY user (portal/public included): no group is set |
| base_tier_validation_forward | acl-global-write | access_tier_validation_forward_wizard — Access rule grants write/create/unlink on 'model_tier_validation_forward_wizard' to EVERY user (portal/public included): no group is set |
| base_user_role | acl-global-write | access_wizard_groups_into_role — Access rule grants write/create/unlink on 'model_wizard_groups_into_role' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| excel_import_export | acl-global-write | xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set |
| fieldservice_route | acl-public-write | access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal' |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| graphql_demo | route-user-csrf-off | /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| l10n_it_central_journal_reportlab | acl-global-write | access_wizard_giornale_reportlab_manager — Access rule grants write/create/unlink on 'l10n_it_central_journal_reportlab.model_wizard_giornale_reportlab' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_confirm_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_confirm_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_create_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_create_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_select_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_select_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_base_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_base_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_invoice_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_invoice_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_intrastat_statement | acl-global-write | acc_manager_account_intrastat_export_file — Access rule grants write/create/unlink on 'l10n_it_intrastat_statement.model_account_intrastat_export_file' to EVERY user (portal/public included): no group is set |
| l10n_it_sdi_channel | acl-global-write | access_wizard_fatturapa_send_to_sdi — Access rule grants write/create/unlink on 'model_wizard_fatturapa_send_to_sdi' to EVERY user (portal/public included): no group is set |
| l10n_mx_res_partner_csf | acl-global-write | access_import_csf — Access rule grants write/create/unlink on 'model_import_csf' to EVERY user (portal/public included): no group is set |
| l10n_ro_account_anaf_sync | route-user-csrf-off | /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| l10n_ro_stock_account_tracking | acl-global-write | access_l10n_ro_stock_valuation_layer_tracking — Access rule grants write/create/unlink on 'model_l10n_ro_stock_valuation_layer_tracking' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_member_portal — Access rule grants write/create/unlink on 'model_mail_channel_member' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal' |
|
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal' |
| mrp_subcontracting | acl-public-write | access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal' |
| mrp_subcontracting_account | acl-public-write | access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal' |
| partner_aging | acl-global-write | res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set |
| partner_autocomplete | acl-public-write | access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal' |
| password_security | acl-public-write | access_res_users_pass_history_portal — Access rule grants create on 'model_res_users_pass_history' to the portal/public group 'base.group_portal' |
| payment | acl-public-write | payment_token_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal' |
| pms | acl-public-write | user_access_res_partner_portal — Access rule grants write/create/unlink on 'model_res_partner' to the portal/public group 'base.group_portal' |
| pms | acl-public-write | user_access_pms_precheckin_portal — Access rule grants write/create/unlink on 'model_pms_checkin_partner' to the portal/public group 'base.group_portal' |
| pms | rule-public-bypass | pms_folio_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | pms_reservation_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | pms_precheckin_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | res_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | res_checkin_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| project | acl-public-write | access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal' |
| project_task_recurring_activity | acl-global-write | project_recurring_activity — Access rule grants write/create/unlink on 'model_recurring_activity' to EVERY user (portal/public included): no group is set |
| project_version | acl-global-write | project_version — Access rule grants write/create/unlink on 'model_project_version' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance | acl-global-write | access_work_accepted_date_wizard — Access rule grants write/create/unlink on 'model_work_accepted_date_wizard' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_evaluation | acl-global-write | access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| sql_export | acl-global-write | access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set |
| stock_picking_portal | acl-public-write | access_stock_picking_portal — Access rule grants write on 'stock.model_stock_picking' to the portal/public group 'base.group_portal' |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_child — Access rule grants write/create/unlink on 'model_test_access_right_child' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_base_automation_link_test — Access rule grants write/create/unlink on 'model_base_automation_link_test' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_base_automation_linked_test — Access rule grants write/create/unlink on 'model_base_automation_linked_test' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_test_base_automation_project — Access rule grants write/create/unlink on 'model_test_base_automation_project' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_test_base_automation_task — Access rule grants write/create/unlink on 'model_test_base_automation_task' to EVERY user (portal/public included): no group is set |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_convert | acl-global-write | access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_inherits_parent — Access rule grants write/create/unlink on 'model_export_inherits_parent' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_inherits_child — Access rule grants write/create/unlink on 'model_export_inherits_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_with_required_field — Access rule grants write/create/unlink on 'model_export_with_required_field' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one_required_subfield — Access rule grants write/create/unlink on 'model_export_many2one_required_subfield' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_mail | acl-global-write | access_mail_performance_thread — Access rule grants write/create/unlink on 'model_mail_performance_thread' to EVERY user (portal/public included): no group is set |
| test_mail | acl-public-write | access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal' |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_readonly — Access rule grants write/create/unlink on 'model_test_new_api_compute_readonly' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive_order — Access rule grants write/create/unlink on 'model_test_new_api_recursive_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive_line — Access rule grants write/create/unlink on 'model_test_new_api_recursive_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive_task — Access rule grants write/create/unlink on 'model_test_new_api_recursive_task' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_readwrite — Access rule grants write/create/unlink on 'model_test_new_api_compute_readwrite' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_onchange_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_dynamic_depends — Access rule grants write/create/unlink on 'model_test_new_api_compute_dynamic_depends' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_unassigned — Access rule grants write/create/unlink on 'model_test_new_api_compute_unassigned' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_partner — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_partner' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_base — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_required — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_non_stored — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_non_stored' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_required_for_write_override — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required_for_write_override' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_payment — Access rule grants write/create/unlink on 'model_test_new_api_payment' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_editable — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_editable_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_constrained_unlinks — Access rule grants write/create/unlink on 'model_test_new_api_model_constrained_unlinks' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related_translation_1 — Access rule grants write/create/unlink on 'model_test_new_api_related_translation_1' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related_translation_2 — Access rule grants write/create/unlink on 'model_test_new_api_related_translation_2' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related_translation_3 — Access rule grants write/create/unlink on 'model_test_new_api_related_translation_3' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_indexed_translation — Access rule grants write/create/unlink on 'model_test_new_api_indexed_translation' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_empty_char — Access rule grants write/create/unlink on 'model_test_new_api_empty_char' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_unlink_container — Access rule grants write/create/unlink on 'model_test_new_api_unlink_container' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_unlink_line — Access rule grants write/create/unlink on 'model_test_new_api_unlink_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_unsearchable_o2m — Access rule grants write/create/unlink on 'model_test_new_api_unsearchable_o2m' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_mozzarella — Access rule grants write/create/unlink on 'model_test_performance_mozzarella' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate — Access rule grants write/create/unlink on 'model_test_populate' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate_category — Access rule grants write/create/unlink on 'model_test_populate_category' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_no_populat — Access rule grants write/create/unlink on 'model_test_no_populate' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate_inherit — Access rule grants write/create/unlink on 'model_test_populate_inherit' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| web_ir_actions_act_multi | acl-global-write | crud_ir_actions_act_multi — Access rule grants write/create/unlink on 'model_ir_actions_act_multi' to EVERY user (portal/public included): no group is set |
| web_ir_actions_act_window_message | acl-global-write | crud_ir_actions_act_window_message — Access rule grants write/create/unlink on 'model_ir_actions_act_window_message' to EVERY user (portal/public included): no group is set |
| website | route-user-csrf-off | /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 676
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_invoice_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | route-public-sudo | /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_avatax_exemption | acl-global-read | access_portal_exemption_code — Access rule grants read on 'account_avatax_oca.model_exemption_code' to every user (portal/public included): no group is set |
| account_avatax_exemption | route-public-sudo | /exemption/<int:exemption_id> — Unauthenticated endpoint 'Exemption.get_exemption' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_avatax_exemption_base | acl-global-read | access_portal_group_of_states — Access rule grants read on 'model_res_partner_group_state' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_line — Access rule grants read on 'model_res_partner_exemption_line' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_type — Access rule grants read on 'model_res_partner_exemption_type' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_business_type — Access rule grants read on 'model_res_partner_exemption_business_type' to every user (portal/public included): no group is set |
| account_brand | acl-global-read | res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set |
| account_cash_deposit | acl-global-read | cash_unit_read — Access rule grants read on 'model_cash_unit' to every user (portal/public included): no group is set |
| account_edi | acl-global-read | access_account_edi_format_readonly — Access rule grants read on 'model_account_edi_format' to every user (portal/public included): no group is set |
| account_edi | acl-global-read | access_account_edi_document_readonly — Access rule grants read on 'model_account_edi_document' to every user (portal/public included): no group is set |
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| account_move_transfer_partner | acl-global-write | access_wizard_account_move_transfer_partner_all — Access rule grants write/create/unlink on 'model_wizard_account_move_transfer_partner' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| account_payment | rule-group-bypass | payment_transaction_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_payment | rule-group-bypass | payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_statement_import_online_gocardless | route-public-csrf-off | /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| account_statement_import_online_gocardless | route-public-sudo | /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| ai_oca_bridge | route-public-csrf-off | /ai/response/<int:execution_id>/<string:token> — Public HTTP endpoint 'AIController.ai_process_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| ai_oca_bridge | route-public-sudo | /ai/response/<int:execution_id>/<string:token> — Unauthenticated endpoint 'AIController.ai_process_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| ai_oca_mcp | route-public-csrf-off | /mcp/<string:key> — Public HTTP endpoint 'McpController.mcp_endpoint' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| ai_oca_mcp | route-public-sudo | /mcp/<string:key> — Unauthenticated endpoint 'McpController.mcp_endpoint' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| ai_oca_mcp | route-auth-none | /mcp/<string:key> — Endpoint 'McpController.mcp_endpoint' uses auth="none": it runs with no user/session at all |
| attachment_queue | acl-global-read | access_attachment_queue_user — Access rule grants read on 'model_attachment_queue' to every user (portal/public included): no group is set |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_oauth_autologin | route-auth-none | /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| automation_oca | route-public-sudo | /automation_oca/track/<int:record_id>/<string:token>/blank.gif — Unauthenticated endpoint 'AutomationOCAController.automation_oca_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| automation_oca | route-public-sudo | /r/<string:code>/au/<int:record_id>/<string:token> — Unauthenticated endpoint 'AutomationOCAController.automation_oca_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| base | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| base | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| base | route-auth-none | /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| base_comment_template | acl-global-read | access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set |
| base_ebill_payment_contract | acl-global-read | access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_tier_validation_correction | acl-global-read | access_tier_correction_user — Access rule grants read on 'model_tier_correction' to every user (portal/public included): no group is set |
| base_tier_validation_correction | acl-global-read | access_tier_correction_item_user — Access rule grants read on 'model_tier_correction_item' to every user (portal/public included): no group is set |
| base_tier_validation_correction | acl-global-read | access_affected_tier_reviews — Access rule grants read on 'model_affected_tier_reviews' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| base_user_locale | route-public-sudo | /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| bus | route-auth-none | /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all |
| bus | route-public-sudo | /websocket/peek_notifications — Unauthenticated endpoint 'WebsocketController.peek_notifications' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| calendar | route-public-sudo | /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| cooperator_website | route-public-sudo | /subscription/get_share_product — Unauthenticated endpoint 'WebsiteSubscription.get_share_product' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| cooperator_website | route-public-sudo | /subscription/subscribe_share — Unauthenticated endpoint 'WebsiteSubscription.share_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| cross_connect_client | route-public-sudo | /cross_connect_server/<int:server_id> — Unauthenticated endpoint 'CrossConnectController.cross_connect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| delivery_deliverea | route-public-sudo | /deliverea-tracking-webhook — Unauthenticated endpoint 'DelivereaWebhook.order_import_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| digest | route-public-csrf-off | /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| digest | route-public-sudo | /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| endpoint_route_handler | acl-global-read | access_endpoint_route_handler_tool_edit — Access rule grants read on 'model_endpoint_route_handler' to every user (portal/public included): no group is set |
| endpoint_route_handler | acl-global-read | access_endpoint_route_handler_edit — Access rule grants read on 'model_endpoint_route_handler_tool' to every user (portal/public included): no group is set |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_account_analytic | rule-group-bypass | analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| github_connector | acl-global-read | access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| helpdesk_ticket_partner_response | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'HelpdeskCustomerResponse.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hr | rule-group-bypass | ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_appraisal_oca | acl-global-write | access_hr_appraisal_all — Access rule grants write/create/unlink on 'model_hr_appraisal' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| hr_appraisal_oca | acl-global-write | access_hr_appraisal_template_all — Access rule grants write/create/unlink on 'model_hr_appraisal_template' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| hr_appraisal_oca | acl-global-write | access_send_email_with_template_all — Access rule grants write/create/unlink on 'model_send_email_with_template' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| hr_appraisal_oca | acl-global-write | access_hr_appraisal_tag_all — Access rule grants write/create/unlink on 'model_hr_appraisal_tag' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| hr_appraisal_oca | rule-group-bypass | hr_appraisal_hr_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_overtime_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance_rfid | rule-group-bypass | hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_employee_group_overview_readonly | rule-group-bypass | hr_attendance_view_all_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_timesheet_attendance | rule-group-bypass | hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| http_routing | route-public-sudo | /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| http_routing | route-auth-none | /web/session/logout — Endpoint 'SessionWebsite.logout' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_proxy/l10n_ke_cu_send — Public HTTP endpoint 'TremolG03Controller.l10n_ke_cu_send' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_proxy/l10n_ke_cu_send — Endpoint 'TremolG03Controller.l10n_ke_cu_send' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /list_handlers — Public HTTP endpoint 'IoTboxHomepage.list_handlers' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /list_handlers — Endpoint 'IoTboxHomepage.list_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /load_iot_handlers — Endpoint 'IoTboxHomepage.load_iot_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /handlers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_handlers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /handlers_clear — Endpoint 'IoTboxHomepage.clear_handlers_list' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_posbox_homepage/password — Endpoint 'IoTboxHomepage.view_password' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /iot_restart_odoo_or_reboot — Endpoint 'IoTboxHomepage.iot_restart_odoo_or_reboot' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_chatbot_script — Access rule grants read on 'model_chatbot_script' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/operator/<int:operator_id>/avatar — Unauthenticated endpoint 'LivechatController.livechat_operator_get_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/restart — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_restart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/post_welcome_steps — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_post_welcome_steps' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_template_oca | route-public-csrf-off | /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_template_oca | route-public-sudo | /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_template_oca | route-auth-none | /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all |
| l10n_ar_afipws | acl-global-read | access_afipws_connection_user — Access rule grants read on 'model_afipws_connection' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set |
| l10n_ec | acl-global-read | access_l10n_ec_sri_payment_public — Access rule grants read on 'model_l10n_ec_sri_payment' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_it_account_tax_kind | acl-global-read | access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set |
| l10n_ro_account_anaf_sync | route-public-csrf-off | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_ro_account_anaf_sync | route-public-sudo | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_th_account_tax | acl-global-read | access_personal_income_tax_user — Access rule grants read on 'model_personal_income_tax' to every user (portal/public included): no group is set |
| l10n_th_account_tax | acl-global-read | access_personal_income_tax_rate_user — Access rule grants read on 'model_personal_income_tax_rate' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-public-sudo | /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'DiscussController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/channel/<int:channel_id>/partner/<int:partner_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_partner_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/channel/<int:channel_id>/guest/<int:guest_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_guest_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/init_messaging — Unauthenticated endpoint 'DiscussController.mail_init_messaging' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/update_content — Unauthenticated endpoint 'DiscussController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/delete — Unauthenticated endpoint 'DiscussController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/add_reaction — Unauthenticated endpoint 'DiscussController.mail_message_add_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/remove_reaction — Unauthenticated endpoint 'DiscussController.mail_message_remove_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/channel/add_guest_as_member — Unauthenticated endpoint 'DiscussController.mail_channel_add_guest_as_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'DiscussController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'DiscussController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/guest/update_name — Unauthenticated endpoint 'DiscussController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview — Unauthenticated endpoint 'DiscussController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/link_preview/delete — Unauthenticated endpoint 'DiscussController.mail_link_preview_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| mail_gateway | route-public-csrf-off | /gateway/<string:usage>/<string:token>/update — Public HTTP endpoint 'GatewayController.post_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-csrf-off | /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_plugin | route-auth-none | /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all |
| mail_plugin | route-auth-none | /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all |
| mail_template_attachment_i18n | acl-global-read | access_attachment_language_everyone — Access rule grants read on 'model_ir_attachment_language' to every user (portal/public included): no group is set |
| mail_tracking | route-public-sudo | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mail_tracking_mailgun | route-public-sudo | /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking_mailgun | route-auth-none | /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all |
| mass | acl-global-read | access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set |
| mass_mailing | route-public-csrf-off | /mail/mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.turn_off_mailing_reports' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| odoo_repository | route-public-csrf-off | /odoo-repository/data — Public HTTP endpoint 'OdooRepository.index' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| odoo_repository | route-public-sudo | /odoo-repository/data — Unauthenticated endpoint 'OdooRepository.index' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| odoo_repository | route-auth-none | /odoo-repository/data — Endpoint 'OdooRepository.index' uses auth="none": it runs with no user/session at all |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| partner_stage | acl-global-read | access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set |
| payment | route-public-sudo | /payment/status/poll — Unauthenticated endpoint 'PaymentPostProcessing.poll_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/provider_info — Unauthenticated endpoint 'AdyenController.adyen_provider_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payment_details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-sudo | AlipayController.alipay_return_from_checkout — Unauthenticated endpoint 'AlipayController.alipay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-csrf-off | AlipayController.alipay_webhook — Public HTTP endpoint 'AlipayController.alipay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_alipay | route-public-sudo | AlipayController.alipay_webhook — Unauthenticated endpoint 'AlipayController.alipay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_aps | route-public-csrf-off | APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_aps | route-public-sudo | APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_asiapay | route-public-csrf-off | AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_asiapay | route-public-sudo | AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/get_provider_info — Unauthenticated endpoint 'AuthorizeController.authorize_get_provider_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_custom | route-public-csrf-off | CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_custom | route-public-sudo | CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_demo | route-public-sudo | PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_flutterwave | route-public-sudo | FlutterwaveController.flutterwave_return_from_checkout — Unauthenticated endpoint 'FlutterwaveController.flutterwave_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_flutterwave | route-public-csrf-off | FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_flutterwave | route-public-sudo | FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mercado_pago | route-public-sudo | MercadoPagoController.mercado_pago_return_from_checkout — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mercado_pago | route-public-csrf-off | MercadoPagoController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mercado_pago | route-public-sudo | MercadoPagoController.mercado_pago_webhook — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_return_from_checkout — Unauthenticated endpoint 'MollieController.mollie_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_webhook — Unauthenticated endpoint 'MollieController.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-csrf-off | OgoneController.ogone_return_from_checkout — Public HTTP endpoint 'OgoneController.ogone_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-sudo | OgoneController.ogone_return_from_checkout — Unauthenticated endpoint 'OgoneController.ogone_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_return_from_checkout — Public HTTP endpoint 'PaypalController.paypal_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_return_from_checkout — Unauthenticated endpoint 'PaypalController.paypal_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-sudo | PayuLatamController.payulatam_return_from_checkout — Unauthenticated endpoint 'PayuLatamController.payulatam_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-csrf-off | PayuLatamController.payulatam_webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-sudo | PayuLatamController.payulatam_webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payumoney | route-public-csrf-off | PayUMoneyController.payumoney_return_from_checkout — Public HTTP endpoint 'PayUMoneyController.payumoney_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | PayUMoneyController.payumoney_return_from_checkout — Unauthenticated endpoint 'PayUMoneyController.payumoney_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_razorpay | route-public-csrf-off | RazorpayController.razorpay_return_from_checkout — Public HTTP endpoint 'RazorpayController.razorpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_razorpay | route-public-sudo | RazorpayController.razorpay_return_from_checkout — Unauthenticated endpoint 'RazorpayController.razorpay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_razorpay | route-public-csrf-off | RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_razorpay | route-public-sudo | RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | SipsController.sips_return_from_checkout — Public HTTP endpoint 'SipsController.sips_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-sudo | SipsController.sips_return_from_checkout — Unauthenticated endpoint 'SipsController.sips_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | SipsController.sips_webhook — Public HTTP endpoint 'SipsController.sips_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-sudo | SipsController.sips_webhook — Unauthenticated endpoint 'SipsController.sips_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_return_from_checkout — Public HTTP endpoint 'StripeController.stripe_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | StripeController.stripe_return_from_checkout — Unauthenticated endpoint 'StripeController.stripe_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_return_from_validation — Public HTTP endpoint 'StripeController.stripe_return_from_validation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | StripeController.stripe_return_from_validation — Unauthenticated endpoint 'StripeController.stripe_return_from_validation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_worldline | route-public-sudo | WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_worldline | route-public-csrf-off | WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_worldline | route-public-sudo | WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pingen | route-public-csrf-off | /pingen/letter_issues — Public HTTP endpoint 'PingenController.letter_issues' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pingen | route-auth-none | /pingen/letter_issues — Endpoint 'PingenController.letter_issues' uses auth="none": it runs with no user/session at all |
| pingen | route-public-csrf-off | /pingen/sent_letters — Public HTTP endpoint 'PingenController.sent_letters' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pingen | route-auth-none | /pingen/sent_letters — Endpoint 'PingenController.sent_letters' uses auth="none": it runs with no user/session at all |
| pingen | route-public-csrf-off | /pingen/undeliverable_letters — Public HTTP endpoint 'PingenController.undeliverable_letters' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pingen | route-auth-none | /pingen/undeliverable_letters — Endpoint 'PingenController.undeliverable_letters' uses auth="none": it runs with no user/session at all |
| pms | route-public-sudo | /my/folios, /my/folios/page/<int:page> — Unauthenticated endpoint 'PortalFolio.portal_my_folios' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pms | route-public-sudo | /my/reservations, /my/reservations/page/<int:page> — Unauthenticated endpoint 'PortalReservation.portal_my_reservations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | route-public-sudo | /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_adyen | route-public-sudo | /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| printing_simple_configuration | acl-global-read | print_conf_user — Access rule grants read on 'model_print_config' to every user (portal/public included): no group is set |
| printing_simple_configuration | acl-global-read | printer_user — Access rule grants read on 'model_printer' to every user (portal/public included): no group is set |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_brand_tag | acl-global-read | access_product_brand_tag_public — Access rule grants read on 'model_product_brand_tag' to every user (portal/public included): no group is set |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_price_category | acl-global-read | access_product_price_category_user — Access rule grants read on 'model_product_price_category' to every user (portal/public included): no group is set |
| product_print_category | acl-global-read | ir_model_access_product_print_category_rule_user — Access rule grants read on 'product_print_category.model_product_print_category_rule' to every user (portal/public included): no group is set |
| product_state | acl-global-read | access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set |
| project_update_portal | acl-global-read | project.access_project_update_portal — Access rule grants read on '?' to every user (portal/public included): no group is set |
| purchase_manual_delivery | acl-global-write | create_stock_picking_wizard_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| purchase_manual_delivery | acl-global-write | create_stock_picking_wizard_line_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| purchase_work_acceptance_evaluation | acl-global-read | access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| repair_picking_after_done | acl-global-write | access_repair_move_transfer_all — Access rule grants write/create/unlink on 'model_repair_move_transfer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| report_substitute | acl-global-read | action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set |
| res_company_category | acl-global-read | access_res_company_category_user — Access rule grants read on 'model_res_company_category' to every user (portal/public included): no group is set |
| rma | route-public-sudo | /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_manual_delivery | acl-global-write | access_manual_delivery_all — Access rule grants write/create/unlink on 'model_manual_delivery' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| sale_manual_delivery | acl-global-write | access_manual_delivery_line_all — Access rule grants write/create/unlink on 'model_manual_delivery_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| sale_planner_calendar | rule-group-bypass | partner_all_documents_follower_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_report_delivered | rule-group-bypass | sale_report_delivered_see_all_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_stock | route-public-sudo | /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sales_team | rule-group-bypass | crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| shopfloor_base | acl-global-read | access_shopfloor_app_users — Access rule grants read on 'model_shopfloor_app' to every user (portal/public included): no group is set |
| sql_request_abstract | route-auth-none | /web/static/lib/ace/mode-pgsql.js — Endpoint 'SqlRequestAbstractWebClient.call_mode_pgsql_file' uses auth="none": it runs with no user/session at all |
| stay | acl-global-read | access_stay_date_label_user — Access rule grants read on 'model_stay_date_label' to every user (portal/public included): no group is set |
| storage_file | acl-global-read | access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set |
| survey | rule-group-bypass | survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | route-public-sudo | /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_http | route-auth-none | /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all |
| test_http | route-auth-none | /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all |
| test_http | route-public-csrf-off | /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all |
| test_new_api | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| test_new_api | acl-global-read | access_test_new_api_precompute — Access rule grants read on 'model_test_new_api_precompute' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_precompute_line — Access rule grants read on 'model_test_new_api_precompute_line' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_precompute_combo — Access rule grants read on 'model_test_new_api_precompute_combo' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_precompute_editable — Access rule grants read on 'model_test_new_api_precompute_editable' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_precompute_readonly — Access rule grants read on 'model_test_new_api_precompute_readonly' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_precompute_required — Access rule grants read on 'model_test_new_api_precompute_required' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_precompute_monetary — Access rule grants read on 'model_test_new_api_precompute_monetary' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_prefetch — Access rule grants read on 'model_test_new_api_prefetch' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_order — Access rule grants read on 'model_test_read_group_order' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_order_line — Access rule grants read on 'model_test_read_group_order_line' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_user — Access rule grants read on 'model_test_read_group_user' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_task — Access rule grants read on 'model_test_read_group_task' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_source_model — Access rule grants read on 'model_test_search_panel_source_model' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_category_target_model — Access rule grants read on 'model_test_search_panel_category_target_model' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_category_target_model_no_parent_name — Access rule grants read on 'model_test_search_panel_category_target_model_no_parent_name' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_filter_target_model — Access rule grants read on 'model_test_search_panel_filter_target_model' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set |
| test_website | acl-global-read | access_test_model — Access rule grants read on 'model_test_model' to every user (portal/public included): no group is set |
| test_website | acl-global-read | access_test_model_multi_website — Access rule grants read on 'model_test_model_multi_website' to every user (portal/public included): no group is set |
| test_website | route-public-sudo | /test_website/model_item/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| upgrade_analysis | acl-global-read | access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set |
| upgrade_analysis | acl-global-read | access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set |
| vault | route-public-sudo | /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| vault_share | route-public-sudo | /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/assets/debug/<string:filename>, /web/assets/debug/<path:extra>/<string:filename>, /web/assets/<int:id>/<string:filename>, /web/assets/<int:id>-<string:unique>/<string:filename>, /web/assets/<int:id>-<string:unique>/<path:extra>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-public-sudo | /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_editor | route-public-sudo | /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_tour | acl-global-read | access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| webservice | route-public-csrf-off | /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| webservice | route-public-sudo | /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-csrf-off | /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_event — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_event_ticket — Access rule grants read on 'event.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_tag_category — Access rule grants read on 'event.model_event_tag_category' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_tag — Access rule grants read on 'event.model_event_tag' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_website_event_menu — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | acl-global-read | access_event_booth_category — Access rule grants read on 'event_booth.model_event_booth_category' to every user (portal/public included): no group is set |
| website_event_booth | route-public-sudo | /event/<model("event.event"):event>/booth — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_main' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/<model("event.event"):event>/booth/register_form — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_contact_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | acl-global-read | access_event_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_exhibitor | acl-global-read | access_event_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_event_exhibitor | route-public-sudo | /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | acl-global-read | access_event_meeting_room — Access rule grants read on 'model_event_meeting_room' to every user (portal/public included): no group is set |
| website_event_meet | route-public-sudo | /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | acl-global-read | access_event_question — Access rule grants read on 'model_event_question' to every user (portal/public included): no group is set |
| website_event_questions | acl-global-read | access_event_question_answer — Access rule grants read on 'model_event_question_answer' to every user (portal/public included): no group is set |
| website_event_questions | rule-group-bypass | ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event_questions | rule-group-bypass | ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event_track | acl-global-read | access_event_track — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_tag — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_stage — Access rule grants read on 'model_event_track_stage' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_tag_category — Access rule grants read on 'model_event_track_tag_category' to every user (portal/public included): no group is set |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_live | route-public-sudo | /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | rule-group-bypass | website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/<model("forum.post", "[('forum_id','=',forum.id),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/employment_type/<int:contract_type_id>, /jobs/department/<model("hr.department"):department>/employment_type/<int:contract_type_id>, /jobs/office/<int:office_id>/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>/employment_type/<int:contract_type_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id>/employment_type/<int:contract_type_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_group | route-public-sudo | /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_payment | route-public-sudo | /donation/get_provider_fees — Unauthenticated endpoint 'PaymentPortal.get_provider_fees' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_tag_public — Access rule grants read on 'product.model_product_tag' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_ribbon_public — Access rule grants read on 'website_sale.model_product_ribbon' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_ecom_extra_fields_public — Access rule grants read on 'model_website_sale_extra_field' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_website_base_unit_public — Access rule grants read on 'model_website_base_unit' to every user (portal/public included): no group is set |
| website_sale | route-public-sudo | /shop, /shop/page/<int:page>, /shop/category/<model("product.public.category"):category>, /shop/category/<model("product.public.category"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.shop_payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_autocomplete | route-public-sudo | /autocomplete/address — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_autocomplete | route-public-sudo | /autocomplete/address_full — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address_full' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_comparison | acl-global-read | access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set |
| website_sale_delivery | route-public-sudo | /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_delivery_mondialrelay | route-public-sudo | /website_sale_delivery_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_financial_risk | route-public-csrf-off | CreditController.custom_process_transaction — Public HTTP endpoint 'CreditController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_sale_financial_risk | route-public-sudo | CreditController.custom_process_transaction — Unauthenticated endpoint 'CreditController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty | route-public-sudo | /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_page | route-public-sudo | /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_suggestion_wizard | route-public-sudo | /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_suggestion_wizard | route-public-sudo | /website_sale_loyalty_suggestion_wizard/get_defaults — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.get_default_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_loyalty_suggestion_wizard | route-public-sudo | /website_sale_loyalty_suggestion_wizard/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.apply_promotion_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_assortment | route-public-sudo | /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_minimal_price | route-public-sudo | /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock | route-public-sudo | /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSale.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock_list_preview | route-public-sudo | /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | rule-group-bypass | rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | route-public-sudo | /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
| website_twitter | route-public-sudo | /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
Active Pull Requests 23
0 fresh 0 rotting 0 rotten
Security Findings
Errors 239
| Module | Code | Message |
|---|---|---|
| account_avatax_exemption_base | acl-global-write | access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to EVERY user (portal/public included): no group is set |
| account_invoice_merge | acl-global-write | access_invoice_merge — Access rule grants write/create/unlink on 'model_invoice_merge' to EVERY user (portal/public included): no group is set |
| auth_totp_portal | acl-public-write | access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_comment_wizard — Access rule grants write/create/unlink on 'model_comment_wizard' to EVERY user (portal/public included): no group is set |
| base_tier_validation_forward | acl-global-write | access_tier_validation_forward_wizard — Access rule grants write/create/unlink on 'model_tier_validation_forward_wizard' to EVERY user (portal/public included): no group is set |
| base_user_role | acl-global-write | access_wizard_groups_into_role — Access rule grants write/create/unlink on 'model_wizard_groups_into_role' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| crm_won_reason | acl-global-write | access_crm_lead_won — Access rule grants write/create/unlink on 'model_crm_lead_won' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set |
| fieldservice_route | acl-public-write | access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal' |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| graphql_demo | route-user-csrf-off | /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| hr_expense_portal | acl-public-write | access_hr_expense_portal — Access rule grants write on 'hr_expense.model_hr_expense' to the portal/public group 'base.group_portal' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| l10n_br_hr | acl-global-write | access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set |
| l10n_ro_account_anaf_sync | route-user-csrf-off | /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| l10n_ro_stock_account | acl-global-write | access_l10n_ro_stock_valuation_layer_tracking — Access rule grants write/create/unlink on 'model_l10n_ro_stock_valuation_layer_tracking' to EVERY user (portal/public included): no group is set |
| l10n_th_bank_payment_export | acl-global-write | access_bank_export_format — Access rule grants write/create/unlink on 'model_bank_export_format' to EVERY user (portal/public included): no group is set |
| l10n_th_bank_payment_export | acl-global-write | access_bank_export_format_line — Access rule grants write/create/unlink on 'model_bank_export_format_line' to EVERY user (portal/public included): no group is set |
| l10n_th_gov_account_asset_management | acl-global-write | access_account_asset_location_user — Access rule grants write on 'model_account_asset_location' to EVERY user (portal/public included): no group is set |
| l10n_th_gov_purchase_report | acl-global-write | access_purchase_report_wizard — Access rule grants write/create/unlink on 'model_purchase_report_wizard' to EVERY user (portal/public included): no group is set |
| l10n_th_gov_purchase_report | acl-global-write | access_non_purchase_report_wizard — Access rule grants write/create/unlink on 'model_non_purchase_report_wizard' to EVERY user (portal/public included): no group is set |
| l10n_th_gov_purchase_report | acl-global-write | access_purchase_tracking_report_wizard — Access rule grants write/create/unlink on 'model_purchase_tracking_report_wizard' to EVERY user (portal/public included): no group is set |
| l10n_th_gov_purchase_report | acl-global-write | access_purchase_tracking_report_view — Access rule grants write/create/unlink on 'model_purchase_tracking_report_view' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal' |
|
| partner_aging | acl-global-write | res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set |
| partner_autocomplete | acl-public-write | access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal' |
| payment | acl-public-write | payment_token_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal' |
| project | acl-public-write | access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal' |
| purchase_invoice_plan | acl-global-write | access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance | acl-global-write | access_work_accepted_date_wizard — Access rule grants write/create/unlink on 'model_work_accepted_date_wizard' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_evaluation | acl-global-write | access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_invoice_plan | acl-global-write | access_select_work_acceptance_invoice_plan_wizard — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_wizard' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_invoice_plan | acl-global-write | access_select_work_acceptance_invoice_plan_qty — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_qty' to EVERY user (portal/public included): no group is set |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| sale_credit_point | acl-global-write | access_credit_point_history — Access rule grants write/create/unlink on 'model_credit_point_history' to EVERY user (portal/public included): no group is set |
| sale_credit_point | acl-privilege-escalation | credit_points_access_res_users — Access rule grants write on security model 'base.model_res_users' to group 'sale_credit_point.group_manage_credit_point': members can escalate their own permissions |
| sale_invoice_plan | acl-global-write | access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| sql_export | acl-global-write | access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set |
| storage_image_backend_migration | acl-global-write | access_storage_image_backend_migration_wizard — Access rule grants write/create/unlink on 'model_storage_image_backend_migration_wizard' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_base_automation_link_test — Access rule grants write/create/unlink on 'model_base_automation_link_test' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_base_automation_linked_test — Access rule grants write/create/unlink on 'model_base_automation_linked_test' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_test_base_automation_project — Access rule grants write/create/unlink on 'model_test_base_automation_project' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_test_base_automation_task — Access rule grants write/create/unlink on 'model_test_base_automation_task' to EVERY user (portal/public included): no group is set |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_convert | acl-global-write | access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_inherits_parent — Access rule grants write/create/unlink on 'model_export_inherits_parent' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_inherits_child — Access rule grants write/create/unlink on 'model_export_inherits_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_mail | acl-global-write | access_mail_performance_thread — Access rule grants write/create/unlink on 'model_mail_performance_thread' to EVERY user (portal/public included): no group is set |
| test_mail | acl-public-write | access_mail_test_container_portal — Access rule grants write on 'model_mail_test_container' to the portal/public group 'base.group_portal' |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_readonly — Access rule grants write/create/unlink on 'model_test_new_api_compute_readonly' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_readwrite — Access rule grants write/create/unlink on 'model_test_new_api_compute_readwrite' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_onchange_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_dynamic_depends — Access rule grants write/create/unlink on 'model_test_new_api_compute_dynamic_depends' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_unassigned — Access rule grants write/create/unlink on 'model_test_new_api_compute_unassigned' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_base — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_required — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_non_stored — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_non_stored' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_required_for_write_override — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required_for_write_override' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_payment — Access rule grants write/create/unlink on 'model_test_new_api_payment' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_editable — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_editable_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_constrained_unlinks — Access rule grants write/create/unlink on 'model_test_new_api_model_constrained_unlinks' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate — Access rule grants write/create/unlink on 'model_test_populate' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate_category — Access rule grants write/create/unlink on 'model_test_populate_category' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_no_populat — Access rule grants write/create/unlink on 'model_test_no_populate' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate_inherit — Access rule grants write/create/unlink on 'model_test_populate_inherit' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| web_ir_actions_act_multi | acl-global-write | crud_ir_actions_act_multi — Access rule grants write/create/unlink on 'model_ir_actions_act_multi' to EVERY user (portal/public included): no group is set |
| web_ir_actions_act_window_message | acl-global-write | crud_ir_actions_act_window_message — Access rule grants write/create/unlink on 'model_ir_actions_act_window_message' to EVERY user (portal/public included): no group is set |
| website | route-user-csrf-off | /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| website_crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
| website_snippet_dynamic_link | acl-global-write | website_dynamic_link_access — Access rule grants write/create/unlink on 'model_website_dynamic_link' to EVERY user (portal/public included): no group is set |
Warnings 569
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_invoice_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | route-public-sudo | /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_avatax_exemption_base | acl-global-read | access_portal_group_of_states — Access rule grants read on 'model_res_partner_group_state' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_line — Access rule grants read on 'model_res_partner_exemption_line' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_type — Access rule grants read on 'model_res_partner_exemption_type' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_business_type — Access rule grants read on 'model_res_partner_exemption_business_type' to every user (portal/public included): no group is set |
| account_brand | acl-global-read | res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set |
| account_edi | acl-global-read | access_account_edi_format_readonly — Access rule grants read on 'model_account_edi_format' to every user (portal/public included): no group is set |
| account_edi | acl-global-read | access_account_edi_document_readonly — Access rule grants read on 'model_account_edi_document' to every user (portal/public included): no group is set |
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| account_statement_import_online_gocardless | route-public-csrf-off | /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| account_statement_import_online_gocardless | route-public-sudo | /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-public-sudo | /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_oauth_autologin | route-auth-none | /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all |
| auth_saml | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| base | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| base | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| base | route-auth-none | /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| base_comment_template | acl-global-read | access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set |
| base_ical | route-auth-none | /base_ical/<int:calendar_id> — Endpoint 'ICalController.get_ical' uses auth="none": it runs with no user/session at all |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_multi_branch_company | acl-global-read | access_res_branch_user — Access rule grants read on 'model_res_branch' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| bus | route-auth-none | /longpolling/health — Endpoint 'BusController.health' uses auth="none": it runs with no user/session at all |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| connector_jira | route-auth-none | /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all |
| connector_jira | route-auth-none | /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| digest | route-public-csrf-off | /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| digest | route-public-sudo | /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_account_analytic | rule-group-bypass | analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_route | rule-group-bypass | fsm_route_own_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_route | rule-group-bypass | fsm_route_dayroute_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_website_sale | route-public-sudo | /fieldservice/get_route_info — Unauthenticated endpoint 'FieldServiceController.get_route_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| fieldservice_website_sale | route-public-sudo | /fieldservice/get_enabled_days — Unauthenticated endpoint 'FieldServiceController.get_enabled_days' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| fieldservice_website_sale | route-public-sudo | /fieldservice/get_blackout_days — Unauthenticated endpoint 'FieldServiceController.get_blackout_days' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| github_connector | acl-global-read | access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_overtime_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance_rfid | rule-group-bypass | hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense_advance_overdue_reminder | acl-global-read | access_hr_advance_overdue_reminder_user — Access rule grants read on 'model_hr_advance_overdue_reminder' to every user (portal/public included): no group is set |
| hr_holidays | rule-group-bypass | hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| http_routing | route-public-sudo | /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| http_routing | route-auth-none | /web/session/logout — Endpoint 'SessionWebsite.logout' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/box/connect — Public HTTP endpoint 'DriverController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/box/connect — Endpoint 'DriverController.connect_box' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_l10n_eg_eta | route-public-csrf-off | /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_l10n_eg_eta | route-auth-none | /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all |
| hw_l10n_eg_eta | route-public-csrf-off | /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_l10n_eg_eta | route-auth-none | /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /list_handlers — Public HTTP endpoint 'IoTboxHomepage.list_handlers' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /list_handlers — Endpoint 'IoTboxHomepage.list_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /load_iot_handlers — Endpoint 'IoTboxHomepage.load_iot_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /handlers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_handlers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /handlers_clear — Endpoint 'IoTboxHomepage.clear_handlers_list' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_template_oca | route-public-csrf-off | /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_template_oca | route-public-sudo | /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_template_oca | route-auth-none | /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all |
| l10n_br_hr | acl-global-read | access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set |
| l10n_ec | acl-global-read | access_l10n_ec_sri_payment_public — Access rule grants read on 'model_l10n_ec_sri_payment' to every user (portal/public included): no group is set |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_in | acl-global-read | access_l10n_in_account_invoice_report — Access rule grants read on 'model_l10n_in_account_invoice_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_advances_payment_report — Access rule grants read on 'model_l10n_in_advances_payment_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_advances_payment_adjustment_report — Access rule grants read on 'model_l10n_in_advances_payment_adjustment_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_product_hsn_report — Access rule grants read on 'model_l10n_in_product_hsn_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_exempted_report — Access rule grants read on 'model_l10n_in_exempted_report' to every user (portal/public included): no group is set |
| l10n_ro_account_anaf_sync | route-public-csrf-off | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_ro_account_anaf_sync | route-public-sudo | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_th_account_tax | acl-global-read | access_personal_income_tax_user — Access rule grants read on 'model_personal_income_tax' to every user (portal/public included): no group is set |
| l10n_th_account_tax | acl-global-read | access_personal_income_tax_rate_user — Access rule grants read on 'model_personal_income_tax_rate' to every user (portal/public included): no group is set |
| l10n_th_gov_purchase_report | acl-global-read | access_purchase_report_view — Access rule grants read on 'model_purchase_report_view' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-public-sudo | /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'DiscussController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/channel/<int:channel_id>/partner/<int:partner_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_partner_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/channel/<int:channel_id>/guest/<int:guest_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_guest_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/init_messaging — Unauthenticated endpoint 'DiscussController.mail_init_messaging' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/update_content — Unauthenticated endpoint 'DiscussController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/attachment/delete — Unauthenticated endpoint 'DiscussController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/add_reaction — Unauthenticated endpoint 'DiscussController.mail_message_add_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/message/remove_reaction — Unauthenticated endpoint 'DiscussController.mail_message_remove_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/channel/add_guest_as_member — Unauthenticated endpoint 'DiscussController.mail_channel_add_guest_as_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'DiscussController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'DiscussController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/guest/update_name — Unauthenticated endpoint 'DiscussController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| mail_group | route-public-sudo | /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-csrf-off | /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_group | route-public-sudo | /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_group | route-public-sudo | /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_plugin | route-auth-none | /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-csrf-off | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-sudo | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mail_tracking_mailgun | route-public-sudo | /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking_mailgun | route-auth-none | /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-csrf-off | /mail/mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| monitoring | route-public-sudo | /monitoring/<string:token> — Unauthenticated endpoint 'MonitoringHome.monitoring' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| monitoring | route-auth-none | /monitoring/<string:token> — Endpoint 'MonitoringHome.monitoring' uses auth="none": it runs with no user/session at all |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| partner_stage | acl-global-read | access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set |
| password_security | route-auth-none | /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all |
| payment | rule-group-bypass | payment_transaction_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| payment | rule-group-bypass | payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| payment | route-public-sudo | /payment/status/poll — Unauthenticated endpoint 'PaymentPostProcessing.poll_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/acquirer_info — Unauthenticated endpoint 'AdyenController.adyen_acquirer_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/payment_details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-sudo | /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-sudo | AlipayController.alipay_return_from_redirect — Unauthenticated endpoint 'AlipayController.alipay_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-csrf-off | AlipayController.alipay_notify — Public HTTP endpoint 'AlipayController.alipay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_alipay | route-public-sudo | AlipayController.alipay_notify — Unauthenticated endpoint 'AlipayController.alipay_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/get_acquirer_info — Unauthenticated endpoint 'AuthorizeController.authorize_get_acquirer_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | BuckarooController.buckaroo_return_from_redirect — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | BuckarooController.buckaroo_return_from_redirect — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_return — Public HTTP endpoint 'MollieController.mollie_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_return — Unauthenticated endpoint 'MollieController.mollie_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_mollie | route-public-csrf-off | MollieController.mollie_notify — Public HTTP endpoint 'MollieController.mollie_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_mollie | route-public-sudo | MollieController.mollie_notify — Unauthenticated endpoint 'MollieController.mollie_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-csrf-off | OgoneController.ogone_return_from_redirect — Public HTTP endpoint 'OgoneController.ogone_return_from_redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-sudo | OgoneController.ogone_return_from_redirect — Unauthenticated endpoint 'OgoneController.ogone_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_dpn — Unauthenticated endpoint 'PaypalController.paypal_dpn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | PaypalController.paypal_ipn — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-sudo | PaypalController.paypal_ipn — Unauthenticated endpoint 'PaypalController.paypal_ipn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-sudo | PayuLatamController.payulatam_return — Unauthenticated endpoint 'PayuLatamController.payulatam_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-csrf-off | PayuLatamController.payulatam_webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-sudo | PayuLatamController.payulatam_webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payumoney | route-public-csrf-off | PayUMoneyController.payumoney_return — Public HTTP endpoint 'PayUMoneyController.payumoney_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | PayUMoneyController.payumoney_return — Unauthenticated endpoint 'PayUMoneyController.payumoney_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | SipsController.sips_dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-sudo | SipsController.sips_dpn — Unauthenticated endpoint 'SipsController.sips_dpn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | SipsController.sips_ipn — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-sudo | SipsController.sips_ipn — Unauthenticated endpoint 'SipsController.sips_ipn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_return_from_checkout — Public HTTP endpoint 'StripeController.stripe_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | StripeController.stripe_return_from_checkout — Unauthenticated endpoint 'StripeController.stripe_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-csrf-off | StripeController.stripe_return_from_validation — Public HTTP endpoint 'StripeController.stripe_return_from_validation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | StripeController.stripe_return_from_validation — Unauthenticated endpoint 'StripeController.stripe_return_from_validation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_test | route-public-sudo | /payment/test/simulate_payment — Unauthenticated endpoint 'PaymentTestController.test_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-public-csrf-off | TransferController.transfer_form_feedback — Public HTTP endpoint 'TransferController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_transfer | route-public-sudo | TransferController.transfer_form_feedback — Unauthenticated endpoint 'TransferController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| portal | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /web — Unauthenticated endpoint 'Home.web_client' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| pos_adyen | route-public-sudo | /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_state | acl-global-read | access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set |
| product_variant_configurator_manual_creation | acl-global-write | access_wizard_product_variant_configurator_manual_creation_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| product_variant_configurator_manual_creation | acl-global-write | access_wizard_product_variant_configurator_manual_creation_line_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| purchase_work_acceptance_evaluation | acl-global-read | access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| rating | route-public-sudo | /rate/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.action_open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| rating | route-public-sudo | /rate/<string:token>/submit_feedback — Unauthenticated endpoint 'Rating.action_submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| rma | route-public-sudo | /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_coupon_selection_wizard | route-public-sudo | /sale_coupon_selection_wizard/configure — Unauthenticated endpoint 'CouponSelectionWizardController.configure_promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_missing_tracking | rule-group-bypass | sale_missing_tracking_manager_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_missing_tracking | rule-group-bypass | sale_missing_tracking_exception_manager_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_planner_calendar | rule-group-bypass | partner_all_documents_follower_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_report_delivered | rule-group-bypass | sale_report_delivered_see_all_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_stock_invoice_plan | acl-global-read | access_stock_scrap_sale_invoice_plan_ — Access rule grants read on 'stock.model_stock_scrap' to every user (portal/public included): no group is set |
| sales_team | rule-group-bypass | crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| storage_file | acl-global-read | access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set |
| survey | rule-group-bypass | survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | route-public-sudo | /survey/get_background_image/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_get_background' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_http | route-public-csrf-off | /test_http/upload_file — Public HTTP endpoint 'HttpTest.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/upload_file — Endpoint 'HttpTest.upload_file_retry' uses auth="none": it runs with no user/session at all |
| test_new_api | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| test_read_group | acl-global-read | access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_order — Access rule grants read on 'model_test_read_group_order' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_order_line — Access rule grants read on 'model_test_read_group_order_line' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_user — Access rule grants read on 'model_test_read_group_user' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_task — Access rule grants read on 'model_test_read_group_task' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_source_model — Access rule grants read on 'model_test_search_panel_source_model' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_category_target_model — Access rule grants read on 'model_test_search_panel_category_target_model' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_category_target_model_no_parent_name — Access rule grants read on 'model_test_search_panel_category_target_model_no_parent_name' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_filter_target_model — Access rule grants read on 'model_test_search_panel_filter_target_model' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set |
| test_website | acl-global-read | access_test_model — Access rule grants read on 'model_test_model' to every user (portal/public included): no group is set |
| upgrade_analysis | acl-global-read | access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set |
| upgrade_analysis | acl-global-read | access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set |
| vault | route-public-sudo | /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| vault_share | route-public-sudo | /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/qweb/<string:unique> — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/assets/debug/<string:filename>, /web/assets/debug/<path:extra>/<string:filename>, /web/assets/<int:id>/<string:filename>, /web/assets/<int:id>-<string:unique>/<string:filename>, /web/assets/<int:id>-<string:unique>/<path:extra>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_editor | route-public-sudo | /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_tour | acl-global-read | access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website | route-public-sudo | / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-csrf-off | /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_event — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_event_ticket — Access rule grants read on 'event.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_tag_category — Access rule grants read on 'event.model_event_tag_category' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_tag — Access rule grants read on 'event.model_event_tag' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_website_event_menu — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/<model("event.event"):event>/booth — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_main' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/<model("event.event"):event>/booth/register_form — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_contact_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/<model("event.event"):event>/booth/success — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_registration_complete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_booth | route-public-sudo | /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_exhibitor | acl-global-read | access_event_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_exhibitor | acl-global-read | access_event_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_event_exhibitor | route-public-sudo | /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | acl-global-read | access_event_meeting_room — Access rule grants read on 'model_event_meeting_room' to every user (portal/public included): no group is set |
| website_event_meet | route-public-sudo | /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | acl-global-read | access_event_question — Access rule grants read on 'model_event_question' to every user (portal/public included): no group is set |
| website_event_questions | acl-global-read | access_event_question_answer — Access rule grants read on 'model_event_question_answer' to every user (portal/public included): no group is set |
| website_event_questions | rule-group-bypass | ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event_questions | rule-group-bypass | ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event_sale | acl-global-read | access_event_event_ticket — Access rule grants read on 'event.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_tag — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_stage — Access rule grants read on 'model_event_track_stage' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_tag_category — Access rule grants read on 'model_event_track_tag_category' to every user (portal/public included): no group is set |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_live | route-public-sudo | /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_quiz | route-public-sudo | /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | rule-group-bypass | website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/<model("forum.post", "[('forum_id','=',forum.id),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_group | route-public-sudo | /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_payment | route-public-sudo | /donation/get_acquirer_fees — Unauthenticated endpoint 'PaymentPortal.get_acquirer_fees' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_ribbon_public — Access rule grants read on 'website_sale.model_product_ribbon' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_ecom_extra_fields_public — Access rule grants read on 'model_website_sale_extra_field' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_website_base_unit_public — Access rule grants read on 'model_website_base_unit' to every user (portal/public included): no group is set |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.shop_payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_charge_payment_fee | route-public-sudo | /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.shop_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_comparison | acl-global-read | access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set |
| website_sale_coupon_page | route-public-sudo | /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_coupon_selection_wizard | route-public-sudo | /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleCouponWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_delivery | route-public-sudo | /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_delivery_mondialrelay | route-public-sudo | /website_sale_delivery_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_gift_card | route-public-sudo | /shop/pay_with_gift_card — Unauthenticated endpoint 'GiftCardController.add_gift_card' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_menu_partner_top_selling | route-public-sudo | /shop/my_regular_products, /shop/my_regular_products/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.user_regular_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_order_cancel | route-public-sudo | /cancel/confirm — Unauthenticated endpoint 'SaleOrderCancel.confirm_cancel_sale_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_assortment | route-public-sudo | /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_minimal_price | route-public-sudo | /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_resource_booking | route-public-sudo | /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock_list_preview | route-public-sudo | /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | rule-group-bypass | rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | route-public-sudo | /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<int:slide_id>/get_image — Unauthenticated endpoint 'WebsiteSlides.slide_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
| website_twitter | route-public-sudo | /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
Active Pull Requests 29
0 fresh 0 rotting 0 rotten
Security Findings
Errors 254
| Module | Code | Message |
|---|---|---|
| account_avatax_exemption_base | acl-global-write | access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_update_charts_accounts — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_update_charts_accounts_account — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_account' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_tax_matching — Access rule grants write/create/unlink on 'model_wizard_tax_matching' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_fp_matching — Access rule grants write/create/unlink on 'model_wizard_fp_matching' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_account_matching — Access rule grants write/create/unlink on 'model_wizard_account_matching' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_update_charts_accounts_tax — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_tax' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_matching — Access rule grants write/create/unlink on 'model_wizard_matching' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_update_charts_accounts_fiscal_position — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_fiscal_position' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_account_groupo_matching — Access rule grants write/create/unlink on 'model_wizard_account_group_matching' to EVERY user (portal/public included): no group is set |
| account_chart_update | acl-global-write | access_wizard_update_charts_accounts_account_group — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_account_group' to EVERY user (portal/public included): no group is set |
| attachment_db_by_checksum | acl-public-write | access_ir_attachment_portal — Access rule grants create on 'model_ir_attachment_content' to the portal/public group 'base.group_portal' |
| auth_totp_portal | acl-public-write | access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_comment_wizard — Access rule grants write/create/unlink on 'model_comment_wizard' to EVERY user (portal/public included): no group is set |
| base_tier_validation_forward | acl-global-write | access_tier_validation_forward_wizard — Access rule grants write/create/unlink on 'model_tier_validation_forward_wizard' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_line — Access rule grants write/create/unlink on 'model_bve_view_line' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| excel_import_export | acl-global-write | xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set |
| fieldservice_route | acl-public-write | access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal' |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| graphql_demo | route-user-csrf-off | /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| l10n_br_hr | acl-global-write | access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set |
| l10n_it_central_journal | acl-global-write | access_wizard_giornale_manager — Access rule grants write/create/unlink on 'l10n_it_central_journal.model_wizard_giornale' to EVERY user (portal/public included): no group is set |
| l10n_it_central_journal_reportlab | acl-global-write | access_wizard_giornale_reportlab_manager — Access rule grants write/create/unlink on 'l10n_it_central_journal_reportlab.model_wizard_giornale_reportlab' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_confirm_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_confirm_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_create_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_create_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_select_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_select_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_base_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_base_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_delivery_note | acl-global-write | access_stock_delivery_note_invoice_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_invoice_wizard' to EVERY user (portal/public included): no group is set |
| l10n_it_intrastat_statement | acl-global-write | acc_manager_account_intrastat_export_file — Access rule grants write/create/unlink on 'l10n_it_intrastat_statement.model_account_intrastat_export_file' to EVERY user (portal/public included): no group is set |
| l10n_it_sdi_channel | acl-global-write | access_wizard_fatturapa_send_to_sdi — Access rule grants write/create/unlink on 'model_wizard_fatturapa_send_to_sdi' to EVERY user (portal/public included): no group is set |
| l10n_ro_account_anaf_sync | route-user-csrf-off | /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| l10n_ro_stock_account | acl-global-write | access_l10n_ro_stock_valuation_layer_tracking — Access rule grants write/create/unlink on 'model_l10n_ro_stock_valuation_layer_tracking' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal' |
|
| partner_aging | acl-global-write | res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set |
| partner_autocomplete | acl-public-write | access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal' |
| payment | acl-public-write | payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal' |
| pms | acl-public-write | user_access_res_partner_portal — Access rule grants write/create/unlink on 'model_res_partner' to the portal/public group 'base.group_portal' |
| pms | acl-public-write | user_access_pms_precheckin_portal — Access rule grants write/create/unlink on 'model_pms_checkin_partner' to the portal/public group 'base.group_portal' |
| pms | rule-public-bypass | pms_folio_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | pms_reservation_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | pms_precheckin_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | res_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| pms | rule-public-bypass | res_checkin_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model |
| project_gtd | acl-global-write | access_project_timebox_empty_wizard — Access rule grants write/create/unlink on 'model_project_timebox_empty' to EVERY user (portal/public included): no group is set |
| project_gtd | acl-global-write | access_project_timebox_fill_plan_wizard — Access rule grants write/create/unlink on 'model_project_timebox_fill_plan' to EVERY user (portal/public included): no group is set |
| project_task_recurring_activity | acl-global-write | project_recurring_activity — Access rule grants write/create/unlink on 'model_recurring_activity' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_invoice_plan | acl-global-write | access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance | acl-global-write | access_work_accepted_date_wizard — Access rule grants write/create/unlink on 'model_work_accepted_date_wizard' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_evaluation | acl-global-write | access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_invoice_plan | acl-global-write | access_select_work_acceptance_invoice_plan_wizard — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_wizard' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_invoice_plan | acl-global-write | access_select_work_acceptance_invoice_plan_qty — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_qty' to EVERY user (portal/public included): no group is set |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set |
| sql_export | acl-global-write | access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set |
| storage_image_backend_migration | acl-global-write | access_storage_image_backend_migration_wizard — Access rule grants write/create/unlink on 'model_storage_image_backend_migration_wizard' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_base_automation_link_test — Access rule grants write/create/unlink on 'model_base_automation_link_test' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_base_automation_linked_test — Access rule grants write/create/unlink on 'model_base_automation_linked_test' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_test_base_automation_project — Access rule grants write/create/unlink on 'model_test_base_automation_project' to EVERY user (portal/public included): no group is set |
| test_base_automation | acl-global-write | access_test_base_automation_task — Access rule grants write/create/unlink on 'model_test_base_automation_task' to EVERY user (portal/public included): no group is set |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_convert | acl-global-write | access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_inherits_parent — Access rule grants write/create/unlink on 'model_export_inherits_parent' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_inherits_child — Access rule grants write/create/unlink on 'model_export_inherits_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_mail | acl-global-write | access_mail_performance_thread — Access rule grants write/create/unlink on 'model_mail_performance_thread' to EVERY user (portal/public included): no group is set |
| test_mail | acl-public-write | access_mail_test_container_portal — Access rule grants write on 'model_mail_test_container' to the portal/public group 'base.group_portal' |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_readonly — Access rule grants write/create/unlink on 'model_test_new_api_compute_readonly' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_readwrite — Access rule grants write/create/unlink on 'model_test_new_api_compute_readwrite' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_onchange_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_dynamic_depends — Access rule grants write/create/unlink on 'model_test_new_api_compute_dynamic_depends' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_unassigned — Access rule grants write/create/unlink on 'model_test_new_api_compute_unassigned' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_base — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_required — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_non_stored — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_non_stored' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_selection_required_for_write_override — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required_for_write_override' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_payment — Access rule grants write/create/unlink on 'model_test_new_api_payment' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_editable — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_editable_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate — Access rule grants write/create/unlink on 'model_test_populate' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate_category — Access rule grants write/create/unlink on 'model_test_populate_category' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_no_populat — Access rule grants write/create/unlink on 'model_test_no_populate' to EVERY user (portal/public included): no group is set |
| test_populate | acl-global-write | access_test_populate_inherit — Access rule grants write/create/unlink on 'model_test_populate_inherit' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_computed_binary — Access rule grants write/create/unlink on 'model_export_computed_binary' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| website | route-user-csrf-off | /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| website_crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 574
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account | rule-group-bypass | account_invoice_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_avatax_exemption | acl-global-read | access_portal_exemption_code — Access rule grants read on 'account_avatax_oca.model_exemption_code' to every user (portal/public included): no group is set |
| account_avatax_exemption | route-public-sudo | /exemption/<int:exemption_id> — Unauthenticated endpoint 'Exemption.get_exemption' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_avatax_exemption_base | acl-global-read | access_portal_group_of_states — Access rule grants read on 'model_res_partner_group_state' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_line — Access rule grants read on 'model_res_partner_exemption_line' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_type — Access rule grants read on 'model_res_partner_exemption_type' to every user (portal/public included): no group is set |
| account_avatax_exemption_base | acl-global-read | access_portal_res_partner_exemption_business_type — Access rule grants read on 'model_res_partner_exemption_business_type' to every user (portal/public included): no group is set |
| account_brand | acl-global-read | res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set |
| account_cash_deposit | acl-global-read | cash_unit_read — Access rule grants read on 'model_cash_unit' to every user (portal/public included): no group is set |
| account_consolidation_oca | acl-global-read | access_company_consolidation_profile — Access rule grants read on 'model_company_consolidation_profile' to every user (portal/public included): no group is set |
| account_edi | acl-global-read | access_account_edi_format_readonly — Access rule grants read on 'model_account_edi_format' to every user (portal/public included): no group is set |
| account_edi | acl-global-read | access_account_edi_document_readonly — Access rule grants read on 'model_account_edi_document' to every user (portal/public included): no group is set |
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| account_move_transfer_partner | acl-global-write | access_wizard_account_move_transfer_partner_all — Access rule grants write/create/unlink on 'model_wizard_account_move_transfer_partner' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| attachment_queue | acl-global-read | access_attachment_queue_user — Access rule grants read on 'model_attachment_queue' to every user (portal/public included): no group is set |
| auth_oauth | route-public-sudo | /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_oidc | route-public-sudo | /web/session/logout — Unauthenticated endpoint 'OpenIDLogout.logout' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oidc | route-auth-none | /web/session/logout — Endpoint 'OpenIDLogout.logout' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| base | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| base | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| base | route-auth-none | /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| base_comment_template | acl-global-read | access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set |
| base_ebill_payment_contract | acl-global-read | access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_tier_validation_correction | acl-global-read | access_tier_correction_user — Access rule grants read on 'model_tier_correction' to every user (portal/public included): no group is set |
| base_tier_validation_correction | acl-global-read | access_tier_correction_item_user — Access rule grants read on 'model_tier_correction_item' to every user (portal/public included): no group is set |
| base_tier_validation_correction | acl-global-read | access_affected_tier_reviews — Access rule grants read on 'model_affected_tier_reviews' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| cooperator_website | route-public-sudo | /subscription/get_share_product — Unauthenticated endpoint 'WebsiteSubscription.get_share_product' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| cooperator_website | route-public-sudo | /subscription/subscribe_share — Unauthenticated endpoint 'WebsiteSubscription.share_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_phone | rule-group-bypass | all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crowdfunding | route-public-sudo | /crowdfunding/<model('crowdfunding.challenge'):challenge>/pay — Unauthenticated endpoint 'Payment.crowdfunding_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| document_page_portal | rule-group-bypass | knowledge_user_document_page_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| endpoint_route_handler | acl-global-read | access_endpoint_route_handler_tool_edit — Access rule grants read on 'model_endpoint_route_handler' to every user (portal/public included): no group is set |
| endpoint_route_handler | acl-global-read | access_endpoint_route_handler_edit — Access rule grants read on 'model_endpoint_route_handler_tool' to every user (portal/public included): no group is set |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_account_analytic | rule-group-bypass | analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_activity | rule-group-bypass | fsm_activity_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| github_connector | acl-global-read | access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance_rfid | rule-group-bypass | hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays_security | rule-group-bypass | hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| http_routing | route-public-sudo | /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hw_drivers | route-auth-none | /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/box/connect — Public HTTP endpoint 'DriverController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/box/connect — Endpoint 'DriverController.connect_box' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /list_handlers — Public HTTP endpoint 'IoTboxHomepage.list_handlers' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /list_handlers — Endpoint 'IoTboxHomepage.list_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /load_iot_handlers — Endpoint 'IoTboxHomepage.load_iot_handlers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /handlers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_handlers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /handlers_clear — Endpoint 'IoTboxHomepage.clear_handlers_list' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_template_oca | route-public-csrf-off | /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_template_oca | route-public-sudo | /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_template_oca | route-auth-none | /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all |
| l10n_ar_afipws | acl-global-read | access_afipws_connection_user — Access rule grants read on 'model_afipws_connection' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set |
| l10n_br_website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'L10nBrWebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_br_website_sale | route-public-sudo | /l10n_br/zip_search_public — Unauthenticated endpoint 'L10nBrWebsiteSale.zip_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_eu_service | acl-global-read | access_l10n_eu_service_service_tax_rate_user — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_account_invoice_report — Access rule grants read on 'model_l10n_in_account_invoice_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_advances_payment_report — Access rule grants read on 'model_l10n_in_advances_payment_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_advances_payment_adjustment_report — Access rule grants read on 'model_l10n_in_advances_payment_adjustment_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_product_hsn_report — Access rule grants read on 'model_l10n_in_product_hsn_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_exempted_report — Access rule grants read on 'model_l10n_in_exempted_report' to every user (portal/public included): no group is set |
| l10n_it_account_tax_kind | acl-global-read | access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set |
| l10n_ro_account_anaf_sync | route-public-csrf-off | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| l10n_ro_account_anaf_sync | route-public-sudo | /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-public-sudo | /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| mail_allow_portal_internal_note | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'PortalChatterExt.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_client_extension | route-auth-none | /mail_client_extension/auth/access_token — Endpoint 'MailClientExtensionController.auth_access_token' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-csrf-off | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-sudo | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mail_tracking_mailgun | route-public-sudo | /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking_mailgun | route-auth-none | /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all |
| mass | acl-global-read | access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_subscription_email | route-public-sudo | /mail/mailing/contact/<int:res_id>/unsubscribe — Unauthenticated endpoint 'MassMailSubscriptionEmailController.mailing_contact_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| partner_stage | acl-global-read | access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set |
| password_security | route-auth-none | /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all |
| payment | rule-group-bypass | payment_transaction_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| payment | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| payment | route-public-sudo | /payment/process — Unauthenticated endpoint 'PaymentProcessing.payment_status_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/process/poll — Unauthenticated endpoint 'PaymentProcessing.payment_status_poll' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/confirm — Unauthenticated endpoint 'WebsitePayment.confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-csrf-off | /payment/alipay/notify — Public HTTP endpoint 'AlipayController.alipay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-csrf-off | /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-sudo | /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_bacen_pix | route-public-csrf-off | /payment/bacenpix/feedback — Public HTTP endpoint 'PaymentController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_bacen_pix | route-public-sudo | /payment/bacenpix/feedback — Unauthenticated endpoint 'PaymentController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_bacen_pix | route-public-sudo | /webhook/<string:tx_reference> — Unauthenticated endpoint 'PaymentController.bacenpix_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-csrf-off | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Public HTTP endpoint 'OgoneController.ogone_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ingenico | route-public-sudo | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-sudo | /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-csrf-off | /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ingenico | route-public-sudo | /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-sudo | /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-csrf-off | /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ingenico | route-public-sudo | /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_odoo_by_adyen | route-public-sudo | /payment/odoo_adyen/notification — Unauthenticated endpoint 'OdooByAdyenController.odoo_adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-csrf-off | /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-csrf-off | /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-csrf-off | /payment/payulatam/response — Public HTTP endpoint 'PayuLatamController.payulatam_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-sudo | /payment/payulatam/response — Unauthenticated endpoint 'PayuLatamController.payulatam_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-csrf-off | /payment/payulatam/webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-sudo | /payment/payulatam/webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payumoney | route-public-csrf-off | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-csrf-off | /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeController.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeController.stripe_s2s_process_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | /payment/stripe/s2s/process_payment_error — Unauthenticated endpoint 'StripeController.stripe_s2s_process_payment_error' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | /payment/stripe/webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-public-csrf-off | /payment/transfer/feedback — Public HTTP endpoint 'TransferController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_transfer | route-public-sudo | /payment/transfer/feedback — Unauthenticated endpoint 'TransferController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pms | route-public-sudo | /folio/pay/<int:folio_id>/form_tx — Unauthenticated endpoint 'PortalFolio.folio_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pms | route-public-sudo | /my/folios, /my/folios/page/<int:page> — Unauthenticated endpoint 'PortalFolio.portal_my_folios' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pms | route-public-sudo | /my/reservations, /my/reservations/page/<int:page> — Unauthenticated endpoint 'PortalReservation.portal_my_reservations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pms | route-public-csrf-off | /my/folios/<int:folio_id>/reservations — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_folio' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pms | route-public-csrf-off | /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_reservation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pms | route-public-sudo | /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins — Unauthenticated endpoint 'PortalPrecheckin.portal_precheckin_reservation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pms | route-public-csrf-off | /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins/<int:checkin_partner_id> — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pms | route-public-csrf-off | /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins/<int:checkin_partner_id>/submit — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_submit' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pms | route-public-sudo | /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins/<int:checkin_partner_id>/submit — Unauthenticated endpoint 'PortalPrecheckin.portal_precheckin_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pms | route-public-csrf-off | /my/folios/<int:folio_id>/invitations — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_invitation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| pms | route-public-sudo | /my/precheckin/send_invitation — Unauthenticated endpoint 'PortalPrecheckin.portal_precheckin_folio_send_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| portal | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /web — Unauthenticated endpoint 'Home.web_client' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| pos_adyen | route-public-sudo | /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_adyen | route-auth-none | /pos_adyen/notification — Endpoint 'PosAdyenController.notification' uses auth="none": it runs with no user/session at all |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_brand_social_responsibility | acl-global-read | access_product_brand_tag_csr_public — Access rule grants read on 'model_product_brand_tag_csr' to every user (portal/public included): no group is set |
| product_brand_tag | acl-global-read | access_product_brand_tag_public — Access rule grants read on 'model_product_brand_tag' to every user (portal/public included): no group is set |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_state | acl-global-read | access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set |
| product_variant_configurator_manual_creation | acl-global-write | access_wizard_product_variant_configurator_manual_creation_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| product_variant_configurator_manual_creation | acl-global-write | access_wizard_product_variant_configurator_manual_creation_line_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| purchase_manual_delivery | acl-global-write | create_stock_picking_wizard_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| purchase_manual_delivery | acl-global-write | create_stock_picking_wizard_line_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| purchase_work_acceptance_evaluation | acl-global-read | access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| rating | route-public-sudo | /rate/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.action_open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| rating | route-public-sudo | /rate/<string:token>/submit_feedback — Unauthenticated endpoint 'Rating.action_submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| repair_picking_after_done | acl-global-write | access_repair_move_transfer_all — Access rule grants write/create/unlink on 'model_repair_move_transfer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| rma | route-public-sudo | /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | route-public-sudo | /my/orders/<int:order_id>/transaction/ — Unauthenticated endpoint 'CustomerPortal.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | route-public-sudo | /my/orders/<int:order_id>/transaction/token — Unauthenticated endpoint 'CustomerPortal.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_invoice_plan | acl-global-read | access_stock_scrap_sale_invoice_plan_ — Access rule grants read on 'stock.model_stock_scrap' to every user (portal/public included): no group is set |
| sale_manual_delivery | acl-global-write | access_manual_delivery_all — Access rule grants write/create/unlink on 'model_manual_delivery' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| sale_manual_delivery | acl-global-write | access_manual_delivery_line_all — Access rule grants write/create/unlink on 'model_manual_delivery_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| sale_purchase_requisition | rule-group-bypass | purchaseperson_purchase_requisition_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_purchase_requisition | rule-group-bypass | purchaseperson_purchase_requisition_line_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_purchase_requisition | rule-group-bypass | purchaseperson_purchase_order_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sales_team | rule-group-bypass | crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| shopfloor_base | acl-global-read | access_shopfloor_app_users — Access rule grants read on 'model_shopfloor_app' to every user (portal/public included): no group is set |
| stay | acl-global-read | access_stay_date_label_user — Access rule grants read on 'model_stay_date_label' to every user (portal/public included): no group is set |
| stock_measuring_device_zippcube | route-auth-none | /stock/zippcube/<string:zippcube_device_name>/measurement — Endpoint 'ZippcubeController.measurement' uses auth="none": it runs with no user/session at all |
| stock_vertical_lift | route-public-csrf-off | /vertical-lift — Public HTTP endpoint 'VerticalLiftController.vertical_lift' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| stock_vertical_lift | route-public-sudo | /vertical-lift — Unauthenticated endpoint 'VerticalLiftController.vertical_lift' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| storage_file | acl-global-read | access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set |
| survey | rule-group-bypass | survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | route-public-sudo | /survey/get_background_image/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_get_background' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_http | route-public-csrf-off | /test_http/upload_file — Public HTTP endpoint 'HttpTest.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| test_http | route-auth-none | /test_http/upload_file — Endpoint 'HttpTest.upload_file_retry' uses auth="none": it runs with no user/session at all |
| test_new_api | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| test_read_group | acl-global-read | access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_order — Access rule grants read on 'model_test_read_group_order' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_order_line — Access rule grants read on 'model_test_read_group_order_line' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_source_model — Access rule grants read on 'model_test_search_panel_source_model' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_category_target_model — Access rule grants read on 'model_test_search_panel_category_target_model' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_category_target_model_no_parent_name — Access rule grants read on 'model_test_search_panel_category_target_model_no_parent_name' to every user (portal/public included): no group is set |
| test_search_panel | acl-global-read | access_test_search_panel_filter_target_model — Access rule grants read on 'model_test_search_panel_filter_target_model' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set |
| test_website | acl-global-read | access_test_model — Access rule grants read on 'model_test_model' to every user (portal/public included): no group is set |
| upgrade_analysis | acl-global-read | access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set |
| upgrade_analysis | acl-global-read | access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set |
| vault | route-public-sudo | /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| vault_share | route-public-sudo | /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/qweb/<string:unique> — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_editor | route-public-sudo | /web_editor/public_render_template — Unauthenticated endpoint 'Web_Editor.public_render_template' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_editor | route-public-sudo | /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_tour | acl-global-read | access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website | route-public-sudo | / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_category_public — Access rule grants read on 'event.model_event_tag_category' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_tag_public — Access rule grants read on 'event.model_event_tag' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_website_event_menu_public — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_meet | route-public-sudo | /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | rule-group-bypass | ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event_questions | rule-group-bypass | ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_event_track | acl-global-read | access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | event_track_tag_category_access_public — Access rule grants read on 'model_event_track_tag_category' to every user (portal/public included): no group is set |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_exhibitor | route-public-sudo | /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track_live | route-public-sudo | /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form | route-public-csrf-off | /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | rule-group-bypass | website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/<model("forum.post", "[('forum_id','=',forum.id),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups — Unauthenticated endpoint 'MailGroup.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_no_crawler | route-public-sudo | /robots.txt — Unauthenticated endpoint 'Website.robots' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | acl-global-read | access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set |
| website_oca_integrator | acl-global-read | access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set |
| website_oca_integrator | route-public-sudo | /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_product_configurator | route-public-sudo | /website_product_configurator/onchange — Unauthenticated endpoint 'ProductConfigWebsiteSale.onchange' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_product_configurator | route-public-sudo | /website_product_configurator/save_configuration — Unauthenticated endpoint 'ProductConfigWebsiteSale.save_configuration' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_product_configurator_mrp | route-public-csrf-off | /shop/cart/update — Public HTTP endpoint 'WebsiteProductConfigMrp.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_profile | route-public-sudo | /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_ribbon_public — Access rule grants read on 'website_sale.model_product_ribbon' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_ecom_extra_fields_public — Access rule grants read on 'model_website_sale_extra_field' to every user (portal/public included): no group is set |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_charge_payment_fee | route-public-sudo | /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_comparison | acl-global-read | access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set |
| website_sale_delivery | route-public-sudo | /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_assortment | route-public-sudo | /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_minimal_price | route-public-sudo | /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock_list_preview | route-public-sudo | /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | rule-group-bypass | rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | route-public-sudo | /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<int:slide_id>/get_image — Unauthenticated endpoint 'WebsiteSlides.slide_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides_forum | rule-group-bypass | website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
| website_twitter | route-public-sudo | /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
Active Pull Requests 6
0 fresh 0 rotting 0 rotten
| Module | Repository | Title | Age | CI |
|---|---|---|---|---|
| account_bank_statement_import_online_stripe | OCA/bank-statement-import | [13.0][MIG] account_bank_statement_import_online_stripe #960 | — | no CI data |
| account_banking_reconciliation | OCA/account-reconcile | [13.0][MIG] account_banking_reconciliation #506 | — | no CI data |
| account_invoice_change_currency | OCA/account-invoicing | [13.0][MIG] account_invoice_change_currency #2057 | — | no CI data |
| base_force_record_noupdate | OCA/server-tools | [13.0][MIG] base_force_record_noupdate: Backport to 13.0 #2954 | — | no CI data |
| connector_magento-format-patch | OCA/connector-magento | [MIG][13.0] connector_magento #317 | — | no CI data |
| module_change_auto_install | OCA/server-tools | [13.0][MIG] backport of module_change_auto_install #2884 | — | no CI data |
Security Findings
Errors 186
| Module | Code | Message |
|---|---|---|
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| cms_delete_content_example | acl-global-write | access_cms_delete_content_example — Access rule grants write/create/unlink on 'model_cms_delete_content_example' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set |
| fieldservice_route | acl-public-write | access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal' |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| graphql_demo | route-user-csrf-off | /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| hr_expense_portal | acl-public-write | access_hr_expense_portal — Access rule grants write on 'hr_expense.model_hr_expense' to the portal/public group 'base.group_portal' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal' |
|
| partner_autocomplete | acl-public-write | access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal' |
| payment | acl-public-write | payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal' |
| purchase_invoice_plan | acl-global-write | access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set |
| rating | acl-public-write | access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public' |
| rating | acl-public-write | access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal' |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set |
| test_action_bindings | acl-global-write | access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_convert | acl-global-write | access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_mail | acl-global-write | access_test_performance_mail — Access rule grants write/create/unlink on 'model_test_performance_mail' to EVERY user (portal/public included): no group is set |
| test_mail | acl-public-write | access_mail_test_portal — Access rule grants write on 'model_mail_test' to the portal/public group 'base.group_portal' |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_protected — Access rule grants write/create/unlink on 'model_test_new_api_compute_protected' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set |
| test_xlsx_export | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| website | route-user-csrf-off | /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| website_crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 511
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_brand | acl-global-read | res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set |
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_from_http_remote_user | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-public-sudo | /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_oauth_autologin | route-auth-none | /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| base | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| base | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| base | route-auth-none | /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| base_automation | acl-global-read | access_base_automation — Access rule grants read on 'model_base_automation' to every user (portal/public included): no group is set |
| base_comment_template | acl-global-read | access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set |
| base_ebill_payment_contract | acl-global-read | access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set |
| base_gengo | route-public-csrf-off | /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_gengo | route-public-sudo | /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| connector_jira | route-auth-none | /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all |
| connector_jira | route-auth-none | /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_salesperson_planner | rule-group-bypass | all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| delivery_local_pickup | route-public-sudo | /local_pickup/<int:picking_id> — Unauthenticated endpoint 'DeliveryLocalPickupController.public_local_pickup_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| dms | route-public-sudo | /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| document_page_portal | rule-group-bypass | knowledge_user_document_page_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| github_connector | acl-global-read | access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set |
| google_account | route-auth-none | /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance_rfid | rule-group-bypass | hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense | rule-group-bypass | ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_skills | rule-group-bypass | hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| http_routing | route-public-sudo | /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hw_drivers | route-auth-none | /hw_drivers/action — Endpoint 'StatusController.action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/check_certificate — Public HTTP endpoint 'StatusController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/check_certificate — Endpoint 'StatusController.check_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/event — Endpoint 'StatusController.event' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/box/connect — Public HTTP endpoint 'StatusController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/box/connect — Endpoint 'StatusController.connect_box' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /list_drivers — Endpoint 'IoTboxHomepage.list_drivers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /load_drivers — Endpoint 'IoTboxHomepage.load_drivers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /drivers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_drivers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /drivers_clear — Endpoint 'IoTboxHomepage.clear_drivers_list' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_download_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_download_raspbian' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_copy_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspbian' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/hello — Endpoint 'Proxy.hello' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/handshake — Endpoint 'Proxy.handshake' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/status — Endpoint 'Proxy.status_http' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/status_json — Endpoint 'Proxy.status_json' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/scan_item_success — Endpoint 'Proxy.scan_item_success' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/scan_item_error_unrecognized — Endpoint 'Proxy.scan_item_error_unrecognized' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/help_needed — Endpoint 'Proxy.help_needed' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/help_canceled — Endpoint 'Proxy.help_canceled' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_request — Endpoint 'Proxy.payment_request' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_status — Endpoint 'Proxy.payment_status' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_cancel — Endpoint 'Proxy.payment_cancel' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/transaction_start — Endpoint 'Proxy.transaction_start' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/transaction_end — Endpoint 'Proxy.transaction_end' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/cashier_mode_activated — Endpoint 'Proxy.cashier_mode_activated' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/cashier_mode_deactivated — Endpoint 'Proxy.cashier_mode_deactivated' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'Proxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/print_receipt — Endpoint 'Proxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/log — Endpoint 'Proxy.log' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/print_pdf_invoice — Endpoint 'Proxy.print_pdf_invoice' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<device_identification>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<device_identification>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<device_identification>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all |
| iot_input_oca | route-public-csrf-off | /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input_oca | route-public-sudo | /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input_oca | route-auth-none | /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_template_oca | route-public-csrf-off | /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_template_oca | route-public-sudo | /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_template_oca | route-auth-none | /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_eu_service | acl-global-read | access_l10n_eu_service_service_tax_rate_user — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_account_invoice_report — Access rule grants read on 'model_l10n_in_account_invoice_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_advances_payment_report — Access rule grants read on 'model_l10n_in_advances_payment_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_advances_payment_adjustment_report — Access rule grants read on 'model_l10n_in_advances_payment_adjustment_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_product_hsn_report — Access rule grants read on 'model_l10n_in_product_hsn_report' to every user (portal/public included): no group is set |
| l10n_in | acl-global-read | access_l10n_in_exempted_report — Access rule grants read on 'model_l10n_in_exempted_report' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-public-sudo | /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| acl-global-write | access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| mail_tracking | route-public-csrf-off | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-sudo | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mail_tracking_mailgun | route-public-sudo | /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking_mailgun | route-auth-none | /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing_sms | route-public-sudo | /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| partner_stage | acl-global-read | access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set |
| password_security | route-auth-none | /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all |
| payment | route-public-sudo | /payment/process — Unauthenticated endpoint 'PaymentProcessing.payment_status_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/process/poll — Unauthenticated endpoint 'PaymentProcessing.payment_status_poll' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/confirm — Unauthenticated endpoint 'WebsitePayment.confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_alipay | route-public-csrf-off | /payment/alipay/notify — Public HTTP endpoint 'AlipayController.alipay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-csrf-off | /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-sudo | /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-csrf-off | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Public HTTP endpoint 'OgoneController.ogone_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ingenico | route-public-sudo | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-sudo | /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-csrf-off | /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ingenico | route-public-sudo | /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-sudo | /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ingenico | route-public-csrf-off | /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ingenico | route-public-sudo | /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_paypal | route-public-csrf-off | /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-csrf-off | /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-public-csrf-off | /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-csrf-off | /payment/payulatam/response — Public HTTP endpoint 'PayuLatamController.payulatam_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-sudo | /payment/payulatam/response — Unauthenticated endpoint 'PayuLatamController.payulatam_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payulatam | route-public-csrf-off | /payment/payulatam/webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payulatam | route-public-sudo | /payment/payulatam/webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_payumoney | route-public-csrf-off | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-public-csrf-off | /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_stripe | route-public-sudo | /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeController.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe | route-public-sudo | /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeController.stripe_s2s_process_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_checkout_webhook | route-public-sudo | /payment/stripe/webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-public-csrf-off | /payment/transfer/feedback — Public HTTP endpoint 'TransferController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_transfer | route-public-sudo | /payment/transfer/feedback — Unauthenticated endpoint 'TransferController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-public-sudo | /web — Unauthenticated endpoint 'Home.web_client' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| portal | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| pos_adyen | route-public-sudo | /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_adyen | route-auth-none | /pos_adyen/notification — Endpoint 'PosAdyenController.notification' uses auth="none": it runs with no user/session at all |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_state | acl-global-read | access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set |
| product_variant_configurator_manual_creation | acl-global-write | access_wizard_product_variant_configurator_manual_creation_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| product_variant_configurator_manual_creation | acl-global-write | access_wizard_product_variant_configurator_manual_creation_line_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| project | route-public-sudo | /project/rating — Unauthenticated endpoint 'RatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| project | route-public-sudo | /project/rating/<int:project_id> — Unauthenticated endpoint 'RatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| quality_control_oca | acl-global-read | access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'model_qc_trigger_product_template_line' to every user (portal/public included): no group is set |
| quality_control_oca | acl-global-read | access_manager_qc_trigger_product_line_user — Access rule grants read on 'model_qc_trigger_product_line' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| rating | route-public-sudo | /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| rating | route-public-sudo | /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| report_substitute | acl-global-read | action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set |
| rma | route-public-sudo | /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| role_policy | acl-global-read | access_view_modifier_rule_group_user — Access rule grants read on 'model_view_modifier_rule' to every user (portal/public included): no group is set |
| role_policy | acl-global-read | access_view_type_attribute_group_user — Access rule grants read on 'model_view_type_attribute' to every user (portal/public included): no group is set |
| role_policy | acl-global-read | access_view_model_operation_group_user — Access rule grants read on 'model_view_model_operation' to every user (portal/public included): no group is set |
| role_policy | acl-global-read | access_model_method_execution_right_group_user — Access rule grants read on 'model_model_method_execution_right' to every user (portal/public included): no group is set |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | route-public-sudo | /my/orders/<int:order_id>/transaction/ — Unauthenticated endpoint 'CustomerPortal.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | route-public-sudo | /my/orders/<int:order_id>/transaction/token — Unauthenticated endpoint 'CustomerPortal.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_coupon_selection_wizard | route-public-sudo | /sale_coupon_selection_wizard/configure — Unauthenticated endpoint 'CouponSelectionWizardController.configure_promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_payment_mgmt | rule-group-bypass | account_payment_group_group_account_invoice_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_stock | route-public-sudo | /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sales_team | rule-group-bypass | crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| stock_measuring_device_zippcube | route-auth-none | /stock/zippcube/<string:zippcube_device_name>/measurement — Endpoint 'ZippcubeController.measurement' uses auth="none": it runs with no user/session at all |
| stock_vertical_lift | route-public-csrf-off | /vertical-lift — Public HTTP endpoint 'VerticalLiftController.vertical_lift' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| stock_vertical_lift | route-public-sudo | /vertical-lift — Unauthenticated endpoint 'VerticalLiftController.vertical_lift' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| storage_file | acl-global-read | access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set |
| survey | rule-group-bypass | survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_label_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | rule-group-bypass | survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | route-public-sudo | /survey/page/<string:survey_token>/<string:answer_token>/<int:page_id> — Unauthenticated endpoint 'Survey.survey_change_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_new_api | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| test_read_group | acl-global-read | access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set |
| vault | route-public-sudo | /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| vault_share | route-public-sudo | /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/dbredirect — Endpoint 'Home.web_db_redirect' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/qweb/<string:unique> — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_editor | route-public-sudo | /web_editor/public_render_template — Unauthenticated endpoint 'Web_Editor.public_render_template' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_tour | acl-global-read | access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_page — Access rule grants read on 'model_website_page' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website | route-public-sudo | / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_apps_store | route-public-sudo | /shop/download_product_zip/<model("product.template"):product_tmpl>/<model("product.product"):product>/<string:google_captcha>, /shop/download_product_zip/<model("product.template"):product_tmpl>/<string:google_captcha> — Unauthenticated endpoint 'WebsiteSaleCustom.download_product_zip' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_blog | route-public-sudo | /blog/<model("blog.blog", "[('website_id', 'in', (False, current_website_id))]"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | route-public-sudo | /blog/<int:blog_id>/post/new — Unauthenticated endpoint 'WebsiteBlog.blog_post_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm | route-public-sudo | /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | acl-global-write | event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| website_event_sale | acl-global-read | access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_website_event_menu_public — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form | route-public-csrf-off | /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_form | route-public-sudo | /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form_recaptcha | route-public-sudo | /website/recaptcha/ — Unauthenticated endpoint 'WebsiteForm.recaptcha_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form_recaptcha | route-public-sudo | /website/recaptcha/form_enabled/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.has_website_form_access' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | route-public-sudo | /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | route-public-sudo | /im_livechat/visitor_leave_session — Unauthenticated endpoint 'WebsiteLivechat.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | route-public-sudo | /im_livechat/close_empty_livechat — Unauthenticated endpoint 'WebsiteLivechat.close_empty_livechat' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups — Unauthenticated endpoint 'MailGroup.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | acl-global-read | access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set |
| website_oca_integrator | acl-global-read | access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set |
| website_oca_integrator | route-public-sudo | /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/ranks_badges — Unauthenticated endpoint 'WebsiteProfile.view_ranks_badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_profile | route-public-sudo | /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-csrf-off | /shop/cart/update — Public HTTP endpoint 'WebsiteSale.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_comparison | acl-global-read | access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set |
| website_sale_coupon_page | route-public-sudo | /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_coupon_selection_wizard | route-public-sudo | /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleCouponWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_delivery | route-public-sudo | /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_assortment | route-public-sudo | /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_minimal_price | route-public-sudo | /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_resource_booking | route-public-sudo | /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock_list_preview | route-public-sudo | /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | rule-group-bypass | rule_slide_channel_website — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | rule-group-bypass | rule_slide_slide_website — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_slides | route-public-sudo | /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide", "[('website_id', 'in', (False, current_website_id))]"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<int:slide_id>/get_image — Unauthenticated endpoint 'WebsiteSlides.slide_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
Active Pull Requests 7
0 fresh 0 rotting 0 rotten
| Module | Repository | Title | Age | CI |
|---|---|---|---|---|
| account_invoice_ubl_peppol-backport | OCA/edi | [12.0][MIG] account_invoice_ubl_peppol: backport to 12.0 #1216 | — | no CI data |
| base_dav | OCA/server-backend | [12.0][MIG] base_dav: migration to 12.0 #226 | — | no CI data |
| base_import_odoo | OCA/server-tools | [MIG][12.0] base_import_odoo #3005 | — | no CI data |
| connector-odoo2odoo | OCA/connector-odoo2odoo | [WIP][12.0][MIG] connector odoo2odoo #11 | — | no CI data |
| dnspod | OCA/l10n-china | [12.0][MIG][WIP] Migrate DNSPod Connector from 8.0 to 12.0 #50 | — | no CI data |
| privacy_partner_to_be_forgotten | OCA/data-protection | [12.0][MIG] privacy_partner_to_be_forgotten #93 | — | no CI data |
| tracking_manager | OCA/server-tools | [12.0][BACKPORT] tracking_manager #2973 | — | no CI data |
Security Findings
Errors 155
| Module | Code | Message |
|---|---|---|
| auth_u2f | acl-public-write | access_u2f_device_portal — Access rule grants write/create/unlink on 'model_u2f_device' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base_custom_info | acl-global-write | access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_line — Access rule grants write/create/unlink on 'model_bve_view_line' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| document_url | acl-global-write | access_ir_attachment_add_url — Access rule grants write/create/unlink on 'model_ir_attachment_add_url' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set |
| excel_import_export | acl-global-write | xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set |
| fieldservice | acl-public-write | access_fsm_order_portal — Access rule grants write on 'model_fsm_order' to the portal/public group 'base.group_portal' |
| fieldservice_route | acl-public-write | access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal' |
| fieldservice_stock | acl-public-write | access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| graphql_demo | route-user-csrf-off | /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| l10n_br_hr | acl-global-write | access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set |
| l10n_cl_sii_activity | acl-global-write | edit_sii_activity_manager — Access rule grants write/create/unlink on 'model_sii_activity' to EVERY user (portal/public included): no group is set |
| l10n_th_vendor_tax_invoice | acl-global-write | access_account_payment_tax — Access rule grants write/create/unlink on 'model_account_payment_tax' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal' |
|
| partner_autocomplete | acl-public-write | access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal' |
| payment | acl-public-write | payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal' |
| purchase_invoice_plan | acl-global-write | access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set |
| purchase_work_acceptance_evaluation | acl-global-write | access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set |
| rating | acl-public-write | access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public' |
| rating | acl-public-write | access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal' |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| sale_invoice_plan | acl-global-write | access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_convert | acl-global-write | access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_mail | acl-global-write | access_test_performance_mail — Access rule grants write/create/unlink on 'model_test_performance_mail' to EVERY user (portal/public included): no group is set |
| test_mail | acl-public-write | access_mail_test_portal — Access rule grants write on 'model_mail_test' to the portal/public group 'base.group_portal' |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_protected — Access rule grants write/create/unlink on 'model_test_new_api_compute_protected' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set |
| test_testing_utilities | acl-global-write | access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web | acl-global-write | access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| website | route-user-csrf-off | /website/reset_templates — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user |
| website_crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_portal_contact | acl-public-write | access_partners — Access rule grants write/create on 'base.model_res_partner' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 522
| Module | Code | Message |
|---|---|---|
| account | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_bill_line_distribution | rule-group-bypass | res_company_accounting_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_brand | acl-global-read | res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set |
| account_consolidation | acl-global-read | access_company_consolidation_profile — Access rule grants read on 'model_company_consolidation_profile' to every user (portal/public included): no group is set |
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| account_move_multi_company | rule-group-bypass | res_company_accounting_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| attachment_queue | acl-global-read | access_attachment_queue_user — Access rule grants read on 'model_attachment_queue' to every user (portal/public included): no group is set |
| auth_from_http_remote_user | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-public-sudo | /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-public-sudo | /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-auth-none | /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all |
| auth_u2f | route-public-sudo | /web/u2f/login — Unauthenticated endpoint 'AuthU2FController.u2f_login' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_u2f | route-auth-none | /web/u2f/login — Endpoint 'AuthU2FController.u2f_login' uses auth="none": it runs with no user/session at all |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| base | route-public-csrf-off | /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all |
| base | route-public-csrf-off | /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base | route-auth-none | /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all |
| base | route-auth-none | /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all |
| base_automation | acl-global-read | access_base_automation — Access rule grants read on 'model_base_automation' to every user (portal/public included): no group is set |
| base_gengo | route-public-csrf-off | /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_gengo | route-public-sudo | /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_gengo | route-auth-none | /website/gengo_callback — Endpoint 'website_gengo.gengo_callback' uses auth="none": it runs with no user/session at all |
| base_import_module | route-public-csrf-off | /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all |
| base_sms_client | acl-global-read | access_sms_gateway_global — Access rule grants read on 'model_sms_gateway' to every user (portal/public included): no group is set |
| base_sms_client | acl-global-read | access_sms_sms_global — Access rule grants read on 'model_sms_sms' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| connector_jira | route-auth-none | /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all |
| connector_jira | route-auth-none | /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all |
| connector_jira_tempo_project_role | route-auth-none | /connector_jira/assignments — Endpoint 'ProjectAssignmentTempo.get_assignments' uses auth="none": it runs with no user/session at all |
| cooperator_website | route-public-sudo | /subscription/get_share_product — Unauthenticated endpoint 'WebsiteSubscription.get_share_product' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| cooperator_website | route-public-sudo | /subscription/subscribe_share — Unauthenticated endpoint 'WebsiteSubscription.share_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_phone | rule-group-bypass | all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| decimal_precision | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| delivery_carrier_label_paazl | route-public-sudo | /_paazl/push_api/v1 — Unauthenticated endpoint 'PaazlController.push_api' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| delivery_carrier_label_paazl | route-auth-none | /_paazl/push_api/v1 — Endpoint 'PaazlController.push_api' uses auth="none": it runs with no user/session at all |
| dms | route-public-sudo | /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| document_page_portal | rule-group-bypass | knowledge_user_document_page_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| fieldservice | rule-group-bypass | fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| fieldservice_account_analytic | rule-group-bypass | analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| github_connector | acl-global-read | access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set |
| google_account | route-auth-none | /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance_rfid | rule-group-bypass | hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_employee_ppe | rule-group-bypass | hr_employee_ppe_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays_accrual_advanced | rule-group-bypass | hr_leave_allocation_accruement_rule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_personal_equipment_request | rule-group-bypass | personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| http_routing | route-public-sudo | /website/translations — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/action — Endpoint 'StatusController.action' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/check_certificate — Public HTTP endpoint 'StatusController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/check_certificate — Endpoint 'StatusController.check_certificate' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-auth-none | /hw_drivers/event — Endpoint 'StatusController.event' uses auth="none": it runs with no user/session at all |
| hw_drivers | route-public-csrf-off | /hw_drivers/box/connect — Public HTTP endpoint 'StatusController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_drivers | route-auth-none | /hw_drivers/box/connect — Endpoint 'StatusController.connect_box' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /list_drivers — Endpoint 'IoTboxHomepage.list_drivers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /load_drivers — Endpoint 'IoTboxHomepage.load_drivers' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /drivers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_drivers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /drivers_clear — Endpoint 'IoTboxHomepage.clear_drivers_list' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_download_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_download_raspbian' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /hw_proxy/perform_flashing_copy_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspbian' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/hello — Endpoint 'Proxy.hello' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/handshake — Endpoint 'Proxy.handshake' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/status — Endpoint 'Proxy.status_http' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/status_json — Endpoint 'Proxy.status_json' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/scan_item_success — Endpoint 'Proxy.scan_item_success' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/scan_item_error_unrecognized — Endpoint 'Proxy.scan_item_error_unrecognized' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/help_needed — Endpoint 'Proxy.help_needed' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/help_canceled — Endpoint 'Proxy.help_canceled' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_request — Endpoint 'Proxy.payment_request' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_status — Endpoint 'Proxy.payment_status' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_cancel — Endpoint 'Proxy.payment_cancel' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/transaction_start — Endpoint 'Proxy.transaction_start' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/transaction_end — Endpoint 'Proxy.transaction_end' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/cashier_mode_activated — Endpoint 'Proxy.cashier_mode_activated' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/cashier_mode_deactivated — Endpoint 'Proxy.cashier_mode_deactivated' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'Proxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/print_receipt — Endpoint 'Proxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/log — Endpoint 'Proxy.log' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/print_pdf_invoice — Endpoint 'Proxy.print_pdf_invoice' uses auth="none": it runs with no user/session at all |
| hw_telium_payment_terminal | route-auth-none | /hw_proxy/payment_terminal_transaction_start — Endpoint 'TeliumPaymentTerminalProxy.payment_terminal_transaction_start' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| iot_input | route-public-csrf-off | /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input | route-public-sudo | /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input | route-auth-none | /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_input | route-public-csrf-off | /iot/<device_identification>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input | route-public-sudo | /iot/<device_identification>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input | route-auth-none | /iot/<device_identification>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all |
| iot_input | route-public-csrf-off | /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_input | route-public-sudo | /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_input | route-auth-none | /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all |
| iot_template_oca | route-public-csrf-off | /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| iot_template_oca | route-public-sudo | /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| iot_template_oca | route-auth-none | /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all |
| l10n_br_hr | acl-global-read | access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set |
| l10n_br_website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'L10nBrWebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_br_website_sale | route-public-sudo | /l10n_br/zip_search_public — Unauthenticated endpoint 'L10nBrWebsiteSale.zip_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_cl_sii_activity | acl-global-read | access_sii_activity_user — Access rule grants read on 'model_sii_activity' to every user (portal/public included): no group is set |
| l10n_cl_sii_folio | acl-global-read | access_journal_document_user — Access rule grants read on 'model_account_journal_document' to every user (portal/public included): no group is set |
| l10n_cl_sii_reference | acl-global-read | access_sii_responsibility_user — Access rule grants read on 'model_sii_responsibility' to every user (portal/public included): no group is set |
| l10n_cl_sii_reference | acl-global-read | access_sii_document_type_user — Access rule grants read on 'model_sii_document_type' to every user (portal/public included): no group is set |
| l10n_cl_sii_reference | acl-global-read | access_sii_concept_type_user — Access rule grants read on 'model_sii_concept_type' to every user (portal/public included): no group is set |
| l10n_cl_sii_reference | acl-global-read | access_sii_document_class_user — Access rule grants read on 'model_sii_document_class' to every user (portal/public included): no group is set |
| l10n_cl_sii_reference | acl-global-read | access_sii_document_letter_user — Access rule grants read on 'model_sii_document_letter' to every user (portal/public included): no group is set |
| l10n_cl_sii_reference | acl-global-read | access_sii_optional_type_user — Access rule grants read on 'model_sii_optional_type' to every user (portal/public included): no group is set |
| l10n_cl_sii_reference | acl-global-read | access_sii_reference_user — Access rule grants read on 'model_sii_reference' to every user (portal/public included): no group is set |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set |
| l10n_ee_reporting | acl-global-read | access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_eu_service | acl-global-read | access_l10n_eu_service_service_tax_rate_user — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set |
| l10n_it_account_tax_kind | acl-global-read | access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set |
| l10n_nl_country_states | acl-global-read | access_res_country_state_nl_zip — Access rule grants read on 'model_res_country_state_nl_zip' to every user (portal/public included): no group is set |
| l10n_th_account_report | acl-global-read | access_account_vat_report — Access rule grants read on 'model_account_vat_report' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-auth-none | /r/<string:code> — Endpoint 'LinkTracker.full_url_redirect' uses auth="none": it runs with no user/session at all |
| acl-global-write | access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all |
|
| mail_tracking | route-public-csrf-off | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mail_tracking_mailgun | route-public-sudo | /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mail_tracking_mailgun | route-auth-none | /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-auth-none | /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mailing/blacklist/check — Endpoint 'MassMailController.blacklist_check' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mailing/blacklist/add — Endpoint 'MassMailController.blacklist_add' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mailing/blacklist/remove — Endpoint 'MassMailController.blacklist_remove' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mailing/feedback — Endpoint 'MassMailController.send_feedback' uses auth="none": it runs with no user/session at all |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| partner_multi_relation_tabs | acl-global-read | read_res_partner_tab — Access rule grants read on 'model_res_partner_tab' to every user (portal/public included): no group is set |
| partner_stage | acl-global-read | access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set |
| password_security | route-auth-none | /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all |
| payment | route-public-sudo | /payment/process — Unauthenticated endpoint 'PaymentProcessing.payment_status_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /payment/process/poll — Unauthenticated endpoint 'PaymentProcessing.payment_status_poll' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-auth-none | /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all |
| payment_adyen | route-public-csrf-off | /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-auth-none | /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all |
| payment_authorize | route-public-csrf-off | /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-sudo | /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-auth-none | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all |
| payment_cielo | route-public-sudo | /payment/cielo/create_charge — Unauthenticated endpoint 'CieloController.cielo_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-sudo | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-auth-none | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-public-sudo | /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-csrf-off | /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-sudo | /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-sudo | /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-auth-none | /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Endpoint 'OgoneController.ogone_validation_form_feedback' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-public-csrf-off | /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-sudo | /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-auth-none | /payment/ogone/s2s/feedback — Endpoint 'OgoneController.feedback' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all |
| payment_payumoney | route-public-csrf-off | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all |
| payment_sips | route-public-csrf-off | /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all |
| payment_stripe | route-public-sudo | /payment/stripe/create_charge — Unauthenticated endpoint 'StripeController.stripe_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_checkout_webhook | route-public-sudo | /payment/stripe/webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_sca | route-public-sudo | /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeControllerSCA.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_sca | route-public-sudo | /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_s2s_process_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-public-csrf-off | /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_transfer | route-public-sudo | /payment/transfer/feedback — Unauthenticated endpoint 'OgoneController.transfer_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-auth-none | /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| privacy_consent | route-auth-none | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Endpoint 'ConsentController.consent' uses auth="none": it runs with no user/session at all |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_equivalent_category | acl-global-read | access_product_equivalent_category_user — Access rule grants read on 'model_product_equivalent_category' to every user (portal/public included): no group is set |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_state | acl-global-read | access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set |
| project | route-public-sudo | /project/rating — Unauthenticated endpoint 'RatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| project | route-public-sudo | /project/rating/<int:project_id> — Unauthenticated endpoint 'RatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| purchase_work_acceptance_evaluation | acl-global-read | access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/session — Endpoint 'RunJobController.session' uses auth="none": it runs with no user/session at all |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| rating | route-public-sudo | /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| rating | route-public-sudo | /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| report_substitute | acl-global-read | action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set |
| res_company_category | acl-global-read | access_res_company_category_user — Access rule grants read on 'model_res_company_category' to every user (portal/public included): no group is set |
| rma | route-public-sudo | /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | rule-group-bypass | payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale | route-public-sudo | /my/orders/<int:order_id>/transaction/ — Unauthenticated endpoint 'CustomerPortal.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | route-public-sudo | /my/orders/<int:order_id>/transaction/token — Unauthenticated endpoint 'CustomerPortal.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_multi_operating_unit | rule-group-bypass | operating_unit_sale_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| sale_stock | route-public-sudo | /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| stock_scanner | acl-global-read | scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set |
| stock_scanner | rule-group-bypass | scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| storage_file | acl-global-read | access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set |
| survey | route-public-sudo | /survey/start/<model("survey.survey"):survey>, /survey/start/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'Survey.start_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/fill/<model("survey.survey"):survey>/<string:token>, /survey/fill/<model("survey.survey"):survey>/<string:token>/<string:prev> — Unauthenticated endpoint 'Survey.fill_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/prefill/<model("survey.survey"):survey>/<string:token>, /survey/prefill/<model("survey.survey"):survey>/<string:token>/<model("survey.page"):page> — Unauthenticated endpoint 'Survey.prefill' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/scores/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'Survey.get_scores' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/submit/<model("survey.survey"):survey> — Unauthenticated endpoint 'Survey.submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_read_group | acl-global-read | access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set |
| test_testing_utilities | acl-global-read | access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/dbredirect — Endpoint 'Home.web_db_redirect' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/qweb — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations — Unauthenticated endpoint 'WebClient.translations' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/translations — Endpoint 'WebClient.translations' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/proxy/load — Endpoint 'Proxy.load' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_favicon | route-public-sudo | /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_favicon | route-auth-none | /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all |
| web_no_crawler | route-auth-none | /robots.txt — Endpoint 'Main.robots' uses auth="none": it runs with no user/session at all |
| web_tour | acl-global-read | access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set |
| web_unsplash | route-public-sudo | /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| webservice | route-public-csrf-off | /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| webservice | route-public-sudo | /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_redirect — Access rule grants read on 'model_website_redirect' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_page — Access rule grants read on 'model_website_page' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website | route-public-sudo | / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_apps_store | route-public-sudo | /shop/download_product_zip/<model("product.template"):product_tmpl>/<model("product.product"):product>/<string:google_captcha>, /shop/download_product_zip/<model("product.template"):product_tmpl>/<string:google_captcha> — Unauthenticated endpoint 'WebsiteSaleCustom.download_product_zip' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_blog | route-public-sudo | /blog/<model("blog.blog", "[('website_id', 'in', (False, current_website_id))]"):blog>/feed — Unauthenticated endpoint 'WebsiteBlog.blog_feed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | route-public-sudo | /blog/<model("blog.blog", "[('website_id', 'in', (False, current_website_id))]"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | route-public-sudo | /blog/<int:blog_id>/post/new — Unauthenticated endpoint 'WebsiteBlog.blog_post_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_phone_validation | route-public-sudo | /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_filter_organizer | route-public-sudo | /event, /event/page/<int:page> — Unauthenticated endpoint 'WebsiteEventOrganizer.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | acl-global-write | event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| website_event_sale | acl-global-read | access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_website_event_menu_public — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form | route-public-csrf-off | /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_form | route-public-sudo | /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form_recaptcha | route-public-sudo | /website/recaptcha/ — Unauthenticated endpoint 'WebsiteForm.recaptcha_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | route-public-sudo | /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups — Unauthenticated endpoint 'MailGroup.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | acl-global-read | access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set |
| website_oca_integrator | acl-global-read | access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set |
| website_oca_integrator | route-public-sudo | /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set |
| website_sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_sale | route-public-sudo | /website_form/shop.sale.order — Unauthenticated endpoint 'WebsiteSaleForm.website_form_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-csrf-off | /shop/cart/update — Public HTTP endpoint 'WebsiteSale.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_charge_payment_fee | route-public-sudo | /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_comparison | acl-global-read | access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set |
| website_sale_digital | route-public-sudo | /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_product_brand | route-public-sudo | /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_resource_booking | route-public-sudo | /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide>/download — Unauthenticated endpoint 'WebsiteSlides.slide_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
Active Pull Requests 7
0 fresh 0 rotting 0 rotten
| Module | Repository | Title | Age | CI |
|---|---|---|---|---|
| airport | OCA/vertical-travel | [MIG] airport: Migration to 11.0 #56 | — | no CI data |
| connector_magento | OCA/connector-magento | [11.0] [MIG] connector_magento #274 | — | no CI data |
| connector_woocommerce | OCA/connector-woocommerce | [11.0] [MIG] connector_woocommerce #41 | — | no CI data |
| mrp_subcontracting | OCA/manufacture | [11.0] [mig] mrp subcontracting #1721 | — | no CI data |
| mrp_subcontracting_purchase_link | OCA/manufacture | 11.0 mig mrp subcontracting purchase link #1722 | — | no CI data |
| product-packaging-type | OCA/product-attribute | [MIG]11.0 mig product packaging type #2174 | — | no CI data |
| transportation | OCA/vertical-travel | [MIG] transportation: Migration to 11.0 #55 | — | no CI data |
Security Findings
Errors 130
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-write | access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set |
| auth_u2f | acl-public-write | access_u2f_device_portal — Access rule grants write/create/unlink on 'model_u2f_device' to the portal/public group 'base.group_portal' |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| cms_delete_content_example | acl-global-write | access_cms_delete_content_example — Access rule grants write/create/unlink on 'model_cms_delete_content_example' to EVERY user (portal/public included): no group is set |
| cms_notification | acl-public-write | portal_users_can_write_users — Access rule grants write on 'base.model_res_users' to the portal/public group 'base.group_portal' |
| cms_notification | acl-privilege-escalation | portal_users_can_write_users — Access rule grants write on security model 'base.model_res_users' to group 'base.group_portal': members can escalate their own permissions |
| cms_toolbar_example | acl-global-write | access_cms_toolbar_content_example — Access rule grants write/create/unlink on 'model_cms_toolbar_content_example' to EVERY user (portal/public included): no group is set |
| document_url | acl-global-write | access_ir_attachment_add_url — Access rule grants write/create/unlink on 'model_ir_attachment_add_url' to EVERY user (portal/public included): no group is set |
| gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| helpdesk_mgmt | acl-public-write | access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_test_portal — Access rule grants write on 'model_mail_test' to the portal/public group 'base.group_portal' |
|
| mail_digest | acl-public-write | access_user_notification_conf_portal — Access rule grants write/create/unlink on 'model_user_notification_conf' to the portal/public group 'base.group_portal' |
| payment | acl-public-write | payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal' |
| rating | acl-public-write | access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public' |
| rating | acl-public-write | access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal' |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_convert | acl-global-write | access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_protected — Access rule grants write/create/unlink on 'model_test_new_api_compute_protected' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set |
| test_performance | acl-global-write | access_test_performance_mail — Access rule grants write/create/unlink on 'model_test_performance_mail' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| website_crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_public — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_public' |
| website_sale_wishlist | acl-public-write | access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal' |
Warnings 435
| Module | Code | Message |
|---|---|---|
| account | route-public-sudo | /my/invoices/pdf/<int:invoice_id> — Unauthenticated endpoint 'PortalAccount.portal_my_invoice_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_consolidation | acl-global-read | access_company_consolidation_profile — Access rule grants read on 'model_company_consolidation_profile' to every user (portal/public included): no group is set |
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| account_payment | route-public-sudo | /invoice/pay/<int:invoice_id>/s2s_json_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set |
| attachment_base_synchronize | acl-global-read | access_attachment_metadata_user — Access rule grants read on 'model_ir_attachment_metadata' to every user (portal/public included): no group is set |
| auth_from_http_remote_user | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-public-sudo | /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_oauth | route-auth-none | /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all |
| auth_oauth | route-auth-none | /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-sudo | /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all |
| auth_saml | route-public-csrf-off | /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| auth_saml | route-public-sudo | /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_saml | route-auth-none | /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all |
| auth_saml_create_user | acl-global-read | access_auth_saml_create_user_auth_saml_create_user — Access rule grants read on 'model_auth_saml_create_user_auth_saml_create_user' to every user (portal/public included): no group is set |
| auth_signup | route-public-sudo | /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_signup | route-public-sudo | /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-public-sudo | /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-auth-none | /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all |
| auth_u2f | route-public-sudo | /web/u2f/login — Unauthenticated endpoint 'AuthU2FController.u2f_login' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_u2f | route-auth-none | /web/u2f/login — Endpoint 'AuthU2FController.u2f_login' uses auth="none": it runs with no user/session at all |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| base_automation | acl-global-read | access_base_automation — Access rule grants read on 'model_base_automation' to every user (portal/public included): no group is set |
| base_dav | route-public-csrf-off | /.well-known/carddav, /.well-known/caldav, /.well-known/webdav — Public HTTP endpoint 'Main.handle_well_known_request' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_dav | route-auth-none | /.well-known/carddav, /.well-known/caldav, /.well-known/webdav — Endpoint 'Main.handle_well_known_request' uses auth="none": it runs with no user/session at all |
| base_dav | route-public-csrf-off | Main.handle_dav_request — Public HTTP endpoint 'Main.handle_dav_request' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_dav | route-auth-none | Main.handle_dav_request — Endpoint 'Main.handle_dav_request' uses auth="none": it runs with no user/session at all |
| base_gengo | route-public-csrf-off | /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_gengo | route-public-sudo | /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_gengo | route-auth-none | /website/gengo_callback — Endpoint 'website_gengo.gengo_callback' uses auth="none": it runs with no user/session at all |
| base_import_module | route-public-csrf-off | /base_import_module/login — Public HTTP endpoint 'ImportModule.login' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_import_module | route-auth-none | /base_import_module/login — Endpoint 'ImportModule.login' uses auth="none": it runs with no user/session at all |
| base_sms_client | acl-global-read | access_sms_gateway_global — Access rule grants read on 'model_sms_gateway' to every user (portal/public included): no group is set |
| base_sms_client | acl-global-read | access_sms_sms_global — Access rule grants read on 'model_sms_sms' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| business_requirement | route-public-sudo | /my/business_requirement/pdf/<int:br_id> — Unauthenticated endpoint 'CustomerPortal.portal_br_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| connector_jira | route-auth-none | /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all |
| connector_jira | route-auth-none | /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_phone | rule-group-bypass | all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| decimal_precision | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| easy_switch_user | route-auth-none | /easy_switch_user/switch — Endpoint 'SwitchController.switch' uses auth="none": it runs with no user/session at all |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set |
| google_account | route-auth-none | /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all |
| helpdesk_mgmt | rule-group-bypass | helpdesk_ticket_personal_rule_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| http_routing | route-public-sudo | /website/translations — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_escpos | route-auth-none | /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_connect — Public HTTP endpoint 'PosboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /wifi_clear — Public HTTP endpoint 'PosboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-public-csrf-off | /enable_ngrok — Public HTTP endpoint 'PosboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/hello — Endpoint 'Proxy.hello' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/handshake — Endpoint 'Proxy.handshake' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/status — Endpoint 'Proxy.status_http' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/status_json — Endpoint 'Proxy.status_json' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/scan_item_success — Endpoint 'Proxy.scan_item_success' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/scan_item_error_unrecognized — Endpoint 'Proxy.scan_item_error_unrecognized' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/help_needed — Endpoint 'Proxy.help_needed' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/help_canceled — Endpoint 'Proxy.help_canceled' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_request — Endpoint 'Proxy.payment_request' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_status — Endpoint 'Proxy.payment_status' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/payment_cancel — Endpoint 'Proxy.payment_cancel' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/transaction_start — Endpoint 'Proxy.transaction_start' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/transaction_end — Endpoint 'Proxy.transaction_end' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/cashier_mode_activated — Endpoint 'Proxy.cashier_mode_activated' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/cashier_mode_deactivated — Endpoint 'Proxy.cashier_mode_deactivated' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/open_cashbox — Endpoint 'Proxy.open_cashbox' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/print_receipt — Endpoint 'Proxy.print_receipt' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/is_scanner_connected — Endpoint 'Proxy.is_scanner_connected' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/scanner — Endpoint 'Proxy.scanner' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/log — Endpoint 'Proxy.log' uses auth="none": it runs with no user/session at all |
| hw_proxy | route-auth-none | /hw_proxy/print_pdf_invoice — Endpoint 'Proxy.print_pdf_invoice' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all |
| hw_scanner | route-auth-none | /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| keychain | acl-global-read | access_keychain_account — Access rule grants read on 'model_keychain_account' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_eu_service | acl-global-read | access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set |
| l10n_it_account_tax_kind | acl-global-read | access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set |
| l10n_nl_country_states | acl-global-read | access_res_country_state_nl_zip — Access rule grants read on 'model_res_country_state_nl_zip' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-auth-none | /r/<string:code> — Endpoint 'LinkTracker.full_url_redirect' uses auth="none": it runs with no user/session at all |
| acl-global-write | access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all |
|
| mail_template_attachment_i18n | acl-global-read | access_attachment_language_everyone — Access rule grants read on 'model_ir_attachment_language' to every user (portal/public included): no group is set |
| mail_tracking | route-public-csrf-off | /mail/tracking/all/<string:db> — Public HTTP endpoint 'MailTrackingController.mail_tracking_all' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-csrf-off | /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-auth-none | /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| mobile_app_picking | route-auth-none | /mobile_app_picking — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| partner_multi_relation_tabs | acl-global-read | read_res_partner_tab — Access rule grants read on 'model_res_partner_tab' to every user (portal/public included): no group is set |
| payment | route-public-sudo | /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment | route-public-sudo | /website_payment/json_token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/json_token/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.payment_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-auth-none | /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all |
| payment_adyen | route-public-csrf-off | /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-auth-none | /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all |
| payment_authorize | route-public-csrf-off | /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-sudo | /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_authorize | route-public-sudo | /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-auth-none | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-public-sudo | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-auth-none | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-public-sudo | /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-csrf-off | /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-sudo | /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-public-sudo | /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-auth-none | /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Endpoint 'OgoneController.ogone_validation_form_feedback' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-public-csrf-off | /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-sudo | /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_ogone | route-auth-none | /payment/ogone/s2s/feedback — Endpoint 'OgoneController.feedback' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all |
| payment_payumoney | route-public-csrf-off | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-sudo | /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all |
| payment_sips | route-public-csrf-off | /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all |
| payment_stripe | route-public-sudo | /payment/stripe/create_charge — Unauthenticated endpoint 'StripeController.stripe_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_sca | route-public-sudo | /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeControllerSCA.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_sca | route-public-sudo | /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_s2s_confirm_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-public-csrf-off | /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_transfer | route-public-sudo | /payment/transfer/feedback — Unauthenticated endpoint 'OgoneController.transfer_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-auth-none | /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| portal | route-public-sudo | /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| privacy_consent | route-auth-none | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Endpoint 'ConsentController.consent' uses auth="none": it runs with no user/session at all |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/session — Endpoint 'RunJobController.session' uses auth="none": it runs with no user/session at all |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| rating | route-public-sudo | /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| rating | route-public-sudo | /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| runbot_buildout | route-public-csrf-off | /runbot/build/<model('runbot.build'):build>/rerun_buildout — Public HTTP endpoint 'Runbot.build_rerun_buildout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| runbot_buildout | route-public-sudo | /runbot/build/<model('runbot.build'):build>/rerun_buildout — Unauthenticated endpoint 'Runbot.build_rerun_buildout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| runbot_gitlab | route-public-sudo | /runbot/hook_gitlab/<int:repo_id>, /runbot/hook_gitlab/org — Unauthenticated endpoint 'RunbotCIController.hook_gitlab' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale | route-public-sudo | /my/orders/pdf/<int:order_id> — Unauthenticated endpoint 'CustomerPortal.portal_order_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_payment | route-public-sudo | /pay/sale/<int:order_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.sale_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_payment | route-public-sudo | /pay/sale/<int:order_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.sale_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_payment | route-public-sudo | /pay/sale/<int:order_id>/s2s_json_token_tx — Unauthenticated endpoint 'PaymentPortal.sale_pay_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| sale_timesheet | rule-group-bypass | account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| stock_request | rule-group-bypass | stock_request_user_inventory_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| stock_request | rule-group-bypass | stock_request_order_user_inventory_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| stock_scanner | acl-global-read | scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set |
| stock_scanner | rule-group-bypass | scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| survey | acl-global-read | access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set |
| survey | route-public-sudo | /survey/start/<model("survey.survey"):survey>, /survey/start/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.start_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/fill/<model("survey.survey"):survey>/<string:token>, /survey/fill/<model("survey.survey"):survey>/<string:token>/<string:prev> — Unauthenticated endpoint 'WebsiteSurvey.fill_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/prefill/<model("survey.survey"):survey>/<string:token>, /survey/prefill/<model("survey.survey"):survey>/<string:token>/<model("survey.page"):page> — Unauthenticated endpoint 'WebsiteSurvey.prefill' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/scores/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.get_scores' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/submit/<model("survey.survey"):survey> — Unauthenticated endpoint 'WebsiteSurvey.submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_read_group | acl-global-read | access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set |
| test_server_environment | acl-global-read | access_server_env_test — Access rule grants read on 'model_server_env_test' to every user (portal/public included): no group is set |
| test_server_environment | acl-global-read | access_server_env_test2 — Access rule grants read on 'model_server_env_test2' to every user (portal/public included): no group is set |
| test_server_environment | acl-global-read | access_server_env_test_inherits1 — Access rule grants read on 'model_server_env_test_inherits1' to every user (portal/public included): no group is set |
| test_server_environment | acl-global-read | access_server_env_test_inherits2 — Access rule grants read on 'model_server_env_test_inherits2' to every user (portal/public included): no group is set |
| web | route-auth-none | / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/dbredirect — Endpoint 'Home.web_db_redirect' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/qweb — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all |
| web | route-public-sudo | /web/webclient/translations — Unauthenticated endpoint 'WebClient.translations' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| web | route-auth-none | /web/webclient/translations — Endpoint 'WebClient.translations' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/proxy/load — Endpoint 'Proxy.load' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all |
| web | route-public-csrf-off | /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| web | route-auth-none | /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all |
| web | route-auth-none | /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all |
| web_editor | route-auth-none | /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all |
| web_favicon | route-public-sudo | /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_favicon | route-auth-none | /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all |
| web_tour | acl-global-read | access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_redirect — Access rule grants read on 'model_website_redirect' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_page — Access rule grants read on 'model_website_page' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website | route-public-sudo | / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website | route-public-sudo | /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_apps_store | route-public-sudo | /shop/change_attribute_version — Unauthenticated endpoint 'WebsiteSaleCustom.change_product_attribute_version' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_apps_store | route-public-sudo | /shop/download_product_zip/<model("product.template"):product_tmpl>/<model("product.product"):product>/<string:google_captcha>, /shop/download_product_zip/<model("product.template"):product_tmpl>/<string:google_captcha> — Unauthenticated endpoint 'WebsiteSaleCustom.download_product_zip' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_blog | route-public-sudo | /blog/<model("blog.blog"):blog>/feed — Unauthenticated endpoint 'WebsiteBlog.blog_feed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | route-public-sudo | /blog/<model("blog.blog"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | route-public-sudo | /blog/post_get_discussion/ — Unauthenticated endpoint 'WebsiteBlog.discussion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_contact_extend | route-public-sudo | /verify_email — Unauthenticated endpoint 'VerifyController.verify_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_contact_extend | route-public-sudo | /website_form/<string:model_name> — Unauthenticated endpoint 'MyFilter.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_phone_validation | route-public-sudo | /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event/<model("event.event"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | acl-global-write | event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| website_event_sale | acl-global-read | access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event_sale | route-public-sudo | /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventSaleController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | acl-global-read | access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form | route-public-csrf-off | /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_form | route-public-sudo | /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_form_recaptcha | route-public-sudo | /website/recaptcha/ — Unauthenticated endpoint 'WebsiteForm.recaptcha_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | route-public-sudo | /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum_doc | acl-global-read | all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_logo | route-auth-none | /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-auth-none | /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_multi_theme | acl-global-read | access_website_theme_public — Access rule grants read on 'model_website_theme' to every user (portal/public included): no group is set |
| website_multi_theme | acl-global-read | access_website_theme_asset_public — Access rule grants read on 'model_website_theme_asset' to every user (portal/public included): no group is set |
| website_oca_integrator | acl-global-read | access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set |
| website_oca_integrator | acl-global-read | access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set |
| website_oca_integrator | route-public-sudo | /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_integrator | route-public-sudo | /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_oca_psc_team | route-public-sudo | /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/<token>/decline — Unauthenticated endpoint 'sale_quote.decline' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/update_line_dict — Unauthenticated endpoint 'sale_quote.update_line_dict' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/add_line/<int:option_id>/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/transaction/ — Unauthenticated endpoint 'sale_quote.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/transaction/token — Unauthenticated endpoint 'sale_quote.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/transaction/json_token — Unauthenticated endpoint 'sale_quote.payment_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_rating_project | route-public-sudo | /project/rating/ — Unauthenticated endpoint 'WebsiteRatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_rating_project | route-public-sudo | /project/rating/<int:project_id> — Unauthenticated endpoint 'WebsiteRatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set |
| website_sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_sale | route-public-sudo | /website_form/shop.sale.order — Unauthenticated endpoint 'WebsiteSaleForm.website_form_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-csrf-off | /shop/cart/update — Public HTTP endpoint 'WebsiteSale.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| website_sale | route-public-sudo | /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/json_token — Unauthenticated endpoint 'WebsiteSale.payment_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | route-public-sudo | /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_comparison | acl-global-read | access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_stock | route-public-sudo | /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale_wishlist | route-public-sudo | /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide"):slide>/download — Unauthenticated endpoint 'WebsiteSlides.slide_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_theme_flexible | acl-global-read | read — Access rule grants read on 'model_theme_flexible' to every user (portal/public included): no group is set |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
Active Pull Requests 6
0 fresh 0 rotting 0 rotten
| Module | Repository | Title | Age | CI |
|---|---|---|---|---|
| base_construction_architect | OCA/vertical-construction | [MIG] base_construction_architect: Migration to 10.0 #27 | — | no CI data |
| crm_construction_architect | OCA/vertical-construction | [MIG] crm_construction_architect: Migration to 10.0 #28 | — | no CI data |
| fetchmail_thread_default | OCA/social | [10.0][MIG] fetchmail_thread_default #1862 | — | no CI data |
| l10n_it_fatturapa_out_welfare | OCA/l10n-italy | [10.0][MIG] l10n_it_fatturapa_out_welfare #4831 | — | no CI data |
| magentoerpconnect_transaction_id-lmi | OCA/connector-magento | [WIP] [10.0] connector_magento_payment_ref: Migration to 10.0 #259 | — | no CI data |
| res_partner_attributes_add_SIN | OCA/l10n-canada | [10.0][MIG] res_partner_attributes_add_SIN: Migration to 10.0 #99 | — | no CI data |
Security Findings
Errors 156
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-write | access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | acl-public-write | access_calendar_attendee_portal — Access rule grants write on 'model_calendar_attendee' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| cms_delete_content_example | acl-global-write | access_cms_delete_content_example — Access rule grants write/create/unlink on 'model_cms_delete_content_example' to EVERY user (portal/public included): no group is set |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| l10n_br_hr | acl-global-write | access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal' |
|
| medical | acl-privilege-escalation | assistant_res_users — Access rule grants write/create on security model 'base.model_res_users' to group 'group_medical_assistant': members can escalate their own permissions |
| medical | acl-privilege-escalation | user_res_users — Access rule grants write on security model 'base.model_res_users' to group 'group_medical_user': members can escalate their own permissions |
| openeducat_parent | acl-privilege-escalation | access_res_users_back_office — Access rule grants write/create/unlink on security model 'base.model_res_users' to group 'openeducat_core.group_op_back_office_admin': members can escalate their own permissions |
| payment | acl-public-write | payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal' |
| portal | acl-public-write | access_ir_attachment_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'base.group_portal' |
| portal_gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| portal_gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| product_dependencies | acl-global-write | access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set |
| purchase_transport_document | acl-global-write | access_transport_document — Access rule grants write/create/unlink on 'model_transport_document' to EVERY user (portal/public included): no group is set |
| rating | acl-public-write | access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public' |
| rating | acl-public-write | access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal' |
| report | acl-global-write | paperformat_access_employee — Access rule grants create on 'model_report_paperformat' to EVERY user (portal/public included): no group is set |
| report | acl-global-write | access_report — Access rule grants write/create/unlink on 'model_report' to EVERY user (portal/public included): no group is set |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_scenario_custom_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_scenario_custom' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_component | acl-global-write | access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set |
| test_connector | acl-global-write | access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set |
| test_convert | acl-global-write | access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_sparse — Access rule grants write/create/unlink on 'model_test_new_api_sparse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set |
| test_queue_job | acl-global-write | access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set |
| test_rpc | acl-global-write | access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model — Access rule grants write/create/unlink on 'model_test_workflow_model' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_trigger — Access rule grants write/create/unlink on 'model_test_workflow_trigger' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_a — Access rule grants write/create/unlink on 'model_test_workflow_model_a' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_b — Access rule grants write/create/unlink on 'model_test_workflow_model_b' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_c — Access rule grants write/create/unlink on 'model_test_workflow_model_c' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_d — Access rule grants write/create/unlink on 'model_test_workflow_model_d' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_e — Access rule grants write/create/unlink on 'model_test_workflow_model_e' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_f — Access rule grants write/create/unlink on 'model_test_workflow_model_f' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_g — Access rule grants write/create/unlink on 'model_test_workflow_model_g' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_h — Access rule grants write/create/unlink on 'model_test_workflow_model_h' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_i — Access rule grants write/create/unlink on 'model_test_workflow_model_i' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_j — Access rule grants write/create/unlink on 'model_test_workflow_model_j' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_k — Access rule grants write/create/unlink on 'model_test_workflow_model_k' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_l — Access rule grants write/create/unlink on 'model_test_workflow_model_l' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| web_shortcut | acl-global-write | access_web_shortcut — Access rule grants write/create/unlink on 'model_web_shortcut' to EVERY user (portal/public included): no group is set |
| website_crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_crm_partner_assign | acl-public-write | crm_lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_crm_partner_assign | acl-public-write | crm_activity_portal_access — Access rule grants write/create on 'crm.model_crm_activity' to the portal/public group 'base.group_portal' |
| website_crm_partner_assign | acl-public-write | mail_message_subtype_portal_access — Access rule grants write/create on 'mail.model_mail_message_subtype' to the portal/public group 'base.group_portal' |
| website_crm_partner_assign | acl-public-write | lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_portal_contact | acl-public-write | access_partners — Access rule grants write/create on 'base.model_res_partner' to the portal/public group 'base.group_portal' |
| website_portal_contract | acl-public-write | account_analytic_account_portal — Access rule grants write on 'analytic.model_account_analytic_account' to the portal/public group 'base.group_portal' |
| website_portal_contract | acl-public-write | account_analytic_invoice_line_portal — Access rule grants write on 'contract.model_account_analytic_invoice_line' to the portal/public group 'base.group_portal' |
| website_sale_recently_viewed_products | acl-public-write | access_website_sale_product_view_public — Access rule grants write/create on 'model_website_sale_product_view' to the portal/public group 'base.group_public' |
| website_sale_wishlist | acl-global-write | access_product_wishlist — Access rule grants write/create/unlink on 'model_product_wishlist' to EVERY user (portal/public included): no group is set |
Warnings 331
| Module | Code | Message |
|---|---|---|
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set |
| attachment_base_synchronize | acl-global-read | access_attachment_metadata_user — Access rule grants read on 'model_ir_attachment_metadata' to every user (portal/public included): no group is set |
| auth_totp | route-public-sudo | /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-auth-none | /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all |
| base | acl-global-read | access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-write | access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base_action_rule | acl-global-read | access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set |
| base_gengo | route-public-csrf-off | /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| base_gengo | route-public-sudo | /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| base_gengo | route-auth-none | /website/gengo_callback — Endpoint 'website_gengo.gengo_callback' uses auth="none": it runs with no user/session at all |
| base_sms_client | acl-global-read | access_sms_gateway_global — Access rule grants read on 'model_sms_gateway' to every user (portal/public included): no group is set |
| base_sms_client | acl-global-read | access_sms_sms_global — Access rule grants read on 'model_sms_sms' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| connector_woocommerce | acl-global-read | access_woo_sale_order_status — Access rule grants read on 'model_woo_sale_order_status' to every user (portal/public included): no group is set |
| connector_woocommerce | acl-global-read | access_woo_sale_order_line — Access rule grants read on 'model_woo_sale_order_line' to every user (portal/public included): no group is set |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_action | rule-group-bypass | crm_rule_all_action — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_mailchimp | route-public-csrf-off | /mailchimp/<string:key> — Public HTTP endpoint 'Mailchimp.hook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| crm_mailchimp | route-public-sudo | /mailchimp/<string:key> — Unauthenticated endpoint 'Mailchimp.hook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| crm_mailchimp | route-auth-none | /mailchimp/<string:key> — Endpoint 'Mailchimp.hook' uses auth="none": it runs with no user/session at all |
| crm_phone | rule-group-bypass | all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| decimal_precision | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set |
| github_connector | acl-global-read | access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set |
| github_connector_odoo | acl-global-read | access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set |
| google_account | route-auth-none | /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all |
| help_online | rule-group-bypass | online_help_reader_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_attendance | rule-group-bypass | hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense_accountedge | rule-group-bypass | property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_schedule | rule-group-bypass | property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_security | rule-group-bypass | property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all |
| hw_scanner | route-auth-none | /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| keychain | acl-global-read | access_keychain_account — Access rule grants read on 'model_keychain_account' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_chronic_disease — Access rule grants read on 'model_hr_chronic_disease' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_nationality_code — Access rule grants read on 'model_hr_nationality_code' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_es_aeat_mod347 | route-public-sudo | /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| l10n_eu_service | acl-global-read | access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set |
| l10n_it_account_tax_kind | acl-global-read | access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set |
| l10n_nl_country_states | acl-global-read | access_res_country_state_nl_zip — Access rule grants read on 'model_res_country_state_nl_zip' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-auth-none | /r/<string:code> — Endpoint 'LinkTracker.full_url_redirect' uses auth="none": it runs with no user/session at all |
| acl-global-write | access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-auth-none | /mail/receive — Endpoint 'MailController.receive' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all |
|
| mail_sendgrid | route-auth-none | /mail/tracking/sendgrid/<string:db> — Endpoint 'SendgridTrackingController.mail_tracking_sendgrid' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-csrf-off | /mail/tracking/all/<string:db> — Public HTTP endpoint 'MailTrackingController.mail_tracking_all' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-csrf-off | /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mass | acl-global-read | access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-public-sudo | /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-auth-none | /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| mgmtsystem | rule-group-bypass | document_page_rule_document_user_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| mgmtsystem | rule-group-bypass | document_page_history_rule_document_user_r — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| openeducat_assignment | rule-group-bypass | backoffice_assignment_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| openeducat_assignment | rule-group-bypass | backoffice_assignment_sub_line_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| openeducat_attendance | route-public-sudo | /openeducat-attendance/take-attendance — Unauthenticated endpoint 'OpAttendanceController.create_attendance_lines' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| openeducat_attendance | route-auth-none | /openeducat-attendance/take-attendance — Endpoint 'OpAttendanceController.create_attendance_lines' uses auth="none": it runs with no user/session at all |
| openeducat_core | rule-group-bypass | view_students_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| openeducat_core | rule-group-bypass | view_faculty_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| openeducat_core | rule-group-bypass | view_all_subject_registration_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| openeducat_core | route-public-sudo | /openeducat_core/get_app_dash_data — Unauthenticated endpoint 'OpenEduCatAppController.compute_app_dashboard_data' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| openeducat_core | route-auth-none | /openeducat_core/get_app_dash_data — Endpoint 'OpenEduCatAppController.compute_app_dashboard_data' uses auth="none": it runs with no user/session at all |
| openeducat_core | route-public-sudo | /openeducat_core/get_faculty_dash_data — Unauthenticated endpoint 'OpenEduCatAppController.compute_faculty_dashboard_data' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| openeducat_core | route-auth-none | /openeducat_core/get_faculty_dash_data — Endpoint 'OpenEduCatAppController.compute_faculty_dashboard_data' uses auth="none": it runs with no user/session at all |
| openeducat_library | rule-group-bypass | view_media_request_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| openeducat_timetable | rule-group-bypass | backoffice_session_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| partner_multi_relation_hierarchy | acl-global-read | read_res_partner_relation_hierarchy — Access rule grants read on 'model_res_partner_relation_hierarchy' to every user (portal/public included): no group is set |
| partner_multi_relation_tabs | acl-global-read | read_res_partner_tab — Access rule grants read on 'model_res_partner_tab' to every user (portal/public included): no group is set |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-auth-none | /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all |
| payment_adyen | route-public-csrf-off | /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-public-sudo | /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_adyen | route-auth-none | /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all |
| payment_authorize | route-public-csrf-off | /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-sudo | /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-public-sudo | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-auth-none | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all |
| payment_payumoney | route-public-csrf-off | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_payumoney | route-public-sudo | /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-public-sudo | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_redsys | route-auth-none | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Endpoint 'RedsysController.redsys_return' uses auth="none": it runs with no user/session at all |
| payment_redsys | route-public-sudo | /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all |
| payment_sips | route-public-csrf-off | /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all |
| payment_stripe | route-public-sudo | /payment/stripe/create_charge — Unauthenticated endpoint 'StripeController.stripe_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_sca | route-public-sudo | /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeControllerSCA.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_sca | route-public-sudo | /payment/stripe/set_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_create_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_stripe_sca | route-public-sudo | /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_s2s_confirm_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-public-csrf-off | /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_transfer | route-public-sudo | /payment/transfer/feedback — Unauthenticated endpoint 'OgoneController.transfer_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_transfer | route-auth-none | /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| privacy_consent | route-public-sudo | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| privacy_consent | route-auth-none | /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Endpoint 'ConsentController.consent' uses auth="none": it runs with no user/session at all |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_life_period | acl-global-read | access_product_life_period_user — Access rule grants read on 'model_product_life_period' to every user (portal/public included): no group is set |
| product_price_category | acl-global-read | access_product_price_category_user — Access rule grants read on 'model_product_price_category' to every user (portal/public included): no group is set |
| product_variant_configurator | acl-global-write | access_product_configurator_attribute_all — Access rule grants write/create/unlink on 'model_product_configurator_attribute' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| quality_control | acl-global-read | access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set |
| queue_job | route-auth-none | /queue_job/session — Endpoint 'RunJobController.session' uses auth="none": it runs with no user/session at all |
| queue_job | route-auth-none | /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| rating | route-public-sudo | /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| rating | route-public-sudo | /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| report | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| stay | acl-global-read | access_stay_date_label_user — Access rule grants read on 'model_stay_date_label' to every user (portal/public included): no group is set |
| stock_lot_sale_tracking | acl-global-read | stock_lot_tracking_access_everybody — Access rule grants read on 'model_stock_lot_sale_tracking_report' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set |
| stock_scanner | rule-group-bypass | scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| stock_tracking_add_remove | acl-global-write | access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| storage_file | acl-global-read | access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set |
| survey | route-public-sudo | /survey/start/<model("survey.survey"):survey>, /survey/start/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.start_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/fill/<model("survey.survey"):survey>/<string:token>, /survey/fill/<model("survey.survey"):survey>/<string:token>/<string:prev> — Unauthenticated endpoint 'WebsiteSurvey.fill_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/prefill/<model("survey.survey"):survey>/<string:token>, /survey/prefill/<model("survey.survey"):survey>/<string:token>/<model("survey.page"):page> — Unauthenticated endpoint 'WebsiteSurvey.prefill' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/scores/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.get_scores' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| survey | route-public-sudo | /survey/submit/<model("survey.survey"):survey> — Unauthenticated endpoint 'WebsiteSurvey.submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| test_read_group | acl-global-read | access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set |
| test_read_group | acl-global-read | access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set |
| web | route-auth-none | /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all |
| web_favicon | route-public-sudo | /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_favicon | route-auth-none | /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all |
| web_tour | acl-global-read | access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set |
| webhook | route-public-sudo | /webhook/<webhook_name> — Unauthenticated endpoint 'WebhookController.webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| webhook | route-auth-none | /webhook/<webhook_name> — Endpoint 'WebhookController.webhook' uses auth="none": it runs with no user/session at all |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_blog | route-public-sudo | /blog/<model("blog.blog"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog | route-public-sudo | /blog/post_get_discussion/ — Unauthenticated endpoint 'WebsiteBlog.discussion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_blog_category | acl-global-read | blog_category — Access rule grants read on 'model_blog_category' to every user (portal/public included): no group is set |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_crm_partner_assign | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<int:country_id>, /customers/country/<country_name>-<int:country_id>, /customers/country/<int:country_id>/page/<int:page>, /customers/country/<country_name>-<int:country_id>/page/<int:page>, /customers/tag/<tag_id>, /customers/tag/<tag_id>/page/<int:page>, /customers/tag/<tag_id>/country/<int:country_id>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>, /customers/tag/<tag_id>/country/<int:country_id>/page/<int:page>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | route-public-sudo | /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event/<model("event.event"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | acl-global-write | event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| website_event_sale | acl-global-read | access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event_sale | route-public-sudo | /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventSaleController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | acl-global-read | access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event", "[('show_tracks','=',1)]"):event>/agenda — Unauthenticated endpoint 'WebsiteEventTrackController.event_agenda' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | route-public-sudo | /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | route-public-sudo | /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum_censored | acl-global-read | access_forum_censored_phrase_everyone — Access rule grants read on 'model_forum_censored_phrase' to every user (portal/public included): no group is set |
| website_forum_doc | acl-global-read | all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country", "[(0, '=', 1)]"):country>, /jobs/department/<model("hr.department", "[(0, '=', 1)]"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department", "[(0, '=', 1)]"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country", "[(0, '=', 1)]"):country>/office/<int:office_id>, /jobs/department/<model("hr.department", "[(0, '=', 1)]"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department", "[(0, '=', 1)]"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_logo | route-auth-none | /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all |
| website_mail | route-public-sudo | /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail | route-public-sudo | /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-auth-none | /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_membership | route-public-sudo | /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_multi_theme | acl-global-read | access_website_theme_public — Access rule grants read on 'model_website_theme' to every user (portal/public included): no group is set |
| website_multi_theme | acl-global-read | access_website_theme_asset_public — Access rule grants read on 'model_website_theme_asset' to every user (portal/public included): no group is set |
| website_partner | route-public-sudo | /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_payment | route-public-sudo | /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_payment | route-public-sudo | /website_payment/transaction — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/accept — Unauthenticated endpoint 'sale_quote.accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/<token>/decline — Unauthenticated endpoint 'sale_quote.decline' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/update_line_dict — Unauthenticated endpoint 'sale_quote.update_line_dict' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/add_line/<int:option_id>/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_quote | route-public-sudo | /quote/<int:order_id>/transaction/<int:acquirer_id>/<token> — Unauthenticated endpoint 'sale_quote.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set |
| website_sale | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_seo_redirection | acl-global-read | read_everyone — Access rule grants read on 'model_website_seo_redirection' to every user (portal/public included): no group is set |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide", "[('channel_id.can_see', '=', True)]"):slide>/comment — Unauthenticated endpoint 'WebsiteSlides.slide_comment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
Active Pull Requests 0
No open migration PRs/MRs tracked.
Security Findings
Errors 133
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-write | access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set |
| base_custom_info | acl-global-write | access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set |
| base_tier_validation | acl-global-write | access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set |
| bus | acl-public-write | access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal' |
| calendar | acl-public-write | access_calendar_attendee_portal — Access rule grants write on 'model_calendar_attendee' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| crm_partner_assign | acl-public-write | lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'model_crm_lead' to the portal/public group 'base.group_portal' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal' |
|
| acl-public-write | access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal' |
|
| openeducat_classroom | acl-global-write | access_op_asset — Access rule grants write/create/unlink on 'model_op_asset' to EVERY user (portal/public included): no group is set |
| payment | acl-public-write | payment_method_portal — Access rule grants write/create/unlink on 'model_payment_method' to the portal/public group 'base.group_portal' |
| portal | acl-public-write | access_ir_attachment_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'base.group_portal' |
| portal_gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| portal_gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| product_dependencies | acl-global-write | access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set |
| purchase_transport_document | acl-global-write | access_transport_document — Access rule grants write/create/unlink on 'model_transport_document' to EVERY user (portal/public included): no group is set |
| rating | acl-public-write | access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public' |
| rating | acl-public-write | access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal' |
| report | acl-global-write | paperformat_access_employee — Access rule grants create on 'model_report_paperformat' to EVERY user (portal/public included): no group is set |
| report | acl-global-write | access_report — Access rule grants write/create/unlink on 'model_report' to EVERY user (portal/public included): no group is set |
| report_webkit | acl-global-write | access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set |
| report_webkit | acl-global-write | access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set |
| report_wkhtmltopdf_param | acl-global-write | paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_scenario_custom_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_scenario_custom' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_function_noinfiniterecursion — Access rule grants write/create/unlink on 'model_test_old_api_function_noinfiniterecursion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_function_counter — Access rule grants write/create/unlink on 'model_test_old_api_function_counter' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model — Access rule grants write/create/unlink on 'model_test_workflow_model' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_trigger — Access rule grants write/create/unlink on 'model_test_workflow_trigger' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_a — Access rule grants write/create/unlink on 'model_test_workflow_model_a' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_b — Access rule grants write/create/unlink on 'model_test_workflow_model_b' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_c — Access rule grants write/create/unlink on 'model_test_workflow_model_c' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_d — Access rule grants write/create/unlink on 'model_test_workflow_model_d' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_e — Access rule grants write/create/unlink on 'model_test_workflow_model_e' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_f — Access rule grants write/create/unlink on 'model_test_workflow_model_f' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_g — Access rule grants write/create/unlink on 'model_test_workflow_model_g' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_h — Access rule grants write/create/unlink on 'model_test_workflow_model_h' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_i — Access rule grants write/create/unlink on 'model_test_workflow_model_i' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_j — Access rule grants write/create/unlink on 'model_test_workflow_model_j' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_k — Access rule grants write/create/unlink on 'model_test_workflow_model_k' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_l — Access rule grants write/create/unlink on 'model_test_workflow_model_l' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set |
| utm | acl-global-write | access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set |
| web_editor | acl-global-write | access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set |
| web_shortcut | acl-global-write | access_web_shortcut — Access rule grants write/create/unlink on 'model_web_shortcut' to EVERY user (portal/public included): no group is set |
| web_tip | acl-global-write | access_web_tip — Access rule grants write on 'model_web_tip' to EVERY user (portal/public included): no group is set |
| website_crm_claim | acl-public-write | access_crm_claim — Access rule grants create on 'crm_claim.model_crm_claim' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_portal_contact | acl-public-write | access_partners — Access rule grants write/create on 'base.model_res_partner' to the portal/public group 'base.group_portal' |
| website_sale_recently_viewed_products | acl-public-write | access_website_sale_product_view_public — Access rule grants write/create on 'model_website_sale_product_view' to the portal/public group 'base.group_public' |
| website_sale_wishlist | acl-global-write | access_product_wishlist — Access rule grants write/create/unlink on 'model_product_wishlist' to EVERY user (portal/public included): no group is set |
Warnings 244
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-read | access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set |
| auth_totp | route-public-sudo | /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-auth-none | /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all |
| base | acl-global-read | access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-write | access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base_action_rule | acl-global-read | access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| calendar | route-auth-none | /calendar/notify — Endpoint 'meeting_invitation.notify' uses auth="none": it runs with no user/session at all |
| calendar | route-auth-none | /calendar/notify_ack — Endpoint 'meeting_invitation.notify_ack' uses auth="none": it runs with no user/session at all |
| connector | route-auth-none | /connector/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| connector_woocommerce | acl-global-read | access_woo_sale_order_status — Access rule grants read on 'model_woo_sale_order_status' to every user (portal/public included): no group is set |
| connector_woocommerce | acl-global-read | access_woo_sale_order_line — Access rule grants read on 'model_woo_sale_order_line' to every user (portal/public included): no group is set |
| crm | acl-global-read | access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_action | rule-group-bypass | crm_rule_all_action — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_phone | rule-group-bypass | all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| decimal_precision | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| google_account | route-auth-none | /google_account/authentication — Endpoint 'google_auth.oauth2callback' uses auth="none": it runs with no user/session at all |
| help_online | rule-group-bypass | online_help_reader_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_evaluation | rule-group-bypass | hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense_accountedge | rule-group-bypass | property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_gamification | rule-group-bypass | goal_officer_visibility — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_schedule | rule-group-bypass | property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_security | rule-group-bypass | property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all |
| hw_scanner | route-auth-none | /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | acl-global-read | access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all |
| im_livechat | route-public-sudo | /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/history — Unauthenticated endpoint 'LivechatController.history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| im_livechat | route-public-sudo | /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set |
| l10n_eu_service | acl-global-read | access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| link_tracker | route-auth-none | /r/<string:code> — Endpoint 'link_tracker.full_url_redirect' uses auth="none": it runs with no user/session at all |
| acl-global-write | access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| route-auth-none | /mail/receive — Endpoint 'MailController.receive' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-public-sudo | /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all |
|
| route-public-sudo | /mail/chat_init — Unauthenticated endpoint 'MailChatController.mail_chat_init' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
|
| route-auth-none | /mail/chat_init — Endpoint 'MailChatController.mail_chat_init' uses auth="none": it runs with no user/session at all |
|
| mail_tracking | route-public-csrf-off | /mail/tracking/all/<string:db> — Public HTTP endpoint 'MailTrackingController.mail_tracking_all' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-public-csrf-off | /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| mail_tracking | route-auth-none | /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mass | acl-global-read | access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set |
| mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| mass_mailing | route-auth-none | /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-auth-none | /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| oauth_provider | acl-global-read | oauth_provider_client_all_users — Access rule grants read on 'model_oauth_provider_client' to every user (portal/public included): no group is set |
| oauth_provider | acl-global-read | oauth_provider_scope_all_users — Access rule grants read on 'model_oauth_provider_scope' to every user (portal/public included): no group is set |
| oauth_provider | acl-global-read | oauth_provider_redirect_uri_all_users — Access rule grants read on 'model_oauth_provider_redirect_uri' to every user (portal/public included): no group is set |
| oauth_provider | acl-global-read | oauth_provider_authorization_code_all_users — Access rule grants read on 'model_oauth_provider_authorization_code' to every user (portal/public included): no group is set |
| oauth_provider | acl-global-read | oauth_provider_token_all_users — Access rule grants read on 'model_oauth_provider_token' to every user (portal/public included): no group is set |
| oauth_provider | route-public-csrf-off | /oauth2/token — Public HTTP endpoint 'OAuth2ProviderController.token' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| oauth_provider | route-public-sudo | /oauth2/token — Unauthenticated endpoint 'OAuth2ProviderController.token' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| oauth_provider | route-auth-none | /oauth2/token — Endpoint 'OAuth2ProviderController.token' uses auth="none": it runs with no user/session at all |
| oauth_provider | route-auth-none | /oauth2/tokeninfo — Endpoint 'OAuth2ProviderController.tokeninfo' uses auth="none": it runs with no user/session at all |
| oauth_provider | route-auth-none | /oauth2/userinfo — Endpoint 'OAuth2ProviderController.userinfo' uses auth="none": it runs with no user/session at all |
| oauth_provider | route-auth-none | /oauth2/otherinfo — Endpoint 'OAuth2ProviderController.otherinfo' uses auth="none": it runs with no user/session at all |
| oauth_provider | route-auth-none | /oauth2/revoke_token — Endpoint 'OAuth2ProviderController.revoke_token' uses auth="none": it runs with no user/session at all |
| oauth_provider_jwt | route-public-sudo | /oauth2/public_key — Unauthenticated endpoint 'OAuth2ProviderController.public_key' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| oauth_provider_jwt | route-auth-none | /oauth2/public_key — Endpoint 'OAuth2ProviderController.public_key' uses auth="none": it runs with no user/session at all |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_map | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_multi_relation | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| payment | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| payment_adyen | route-public-csrf-off | /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-auth-none | /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all |
| payment_adyen | route-public-csrf-off | /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_adyen | route-auth-none | /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all |
| payment_authorize | route-public-csrf-off | /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_authorize | route-public-sudo | /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-public-csrf-off | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_buckaroo | route-auth-none | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-auth-none | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-public-csrf-off | /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-public-csrf-off | /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_ogone | route-auth-none | /payment/ogone/s2s/feedback — Endpoint 'OgoneController.feedback' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-public-csrf-off | /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_paypal | route-auth-none | /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all |
| payment_redsys | route-public-csrf-off | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_redsys | route-auth-none | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Endpoint 'RedsysController.redsys_return' uses auth="none": it runs with no user/session at all |
| payment_redsys | route-public-sudo | /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-public-csrf-off | /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all |
| payment_sips | route-public-csrf-off | /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_sips | route-auth-none | /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all |
| payment_transfer | route-public-csrf-off | /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise) |
| payment_transfer | route-auth-none | /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| point_of_sale | rule-group-bypass | rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| pos_mercury | acl-global-read | access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_extended | acl-global-write | access_wizard_price_all — Access rule grants write/create/unlink on 'model_wizard_price' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_variant_configurator | acl-global-write | access_product_configurator_attribute_all — Access rule grants write/create/unlink on 'model_product_configurator_attribute' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| quality_control | acl-global-read | access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set |
| report | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set |
| stock_scanner | rule-group-bypass | scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| stock_tracking_add_remove | acl-global-write | access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| survey | acl-global-read | access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_alpha — Access rule grants read on 'model_test_new_api_alpha' to every user (portal/public included): no group is set |
| test_new_api | acl-global-read | access_test_new_api_bravo — Access rule grants read on 'model_test_new_api_bravo' to every user (portal/public included): no group is set |
| tr_barcode | acl-global-write | access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| web | route-auth-none | /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all |
| web_easy_switch_company | route-auth-none | /web_easy_switch_company/switch/change_current_company — Endpoint 'WebEasySwitchCompanyController.change_current_company' uses auth="none": it runs with no user/session at all |
| web_favicon | route-public-sudo | /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_favicon | route-auth-none | /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_crm_partner_assign | route-public-sudo | /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_customer | acl-global-read | res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set |
| website_customer | route-public-sudo | /customers, /customers/page/<int:page>, /customers/country/<int:country_id>, /customers/country/<country_name>-<int:country_id>, /customers/country/<int:country_id>/page/<int:page>, /customers/country/<country_name>-<int:country_id>/page/<int:page>, /customers/tag/<tag_id>, /customers/tag/<tag_id>/page/<int:page>, /customers/tag/<tag_id>/country/<int:country_id>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>, /customers/tag/<tag_id>/country/<int:country_id>/page/<int:page>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event | acl-global-read | access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set |
| website_event | route-public-sudo | /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'website_event.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_questions | acl-global-write | event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| website_event_sale | acl-global-read | access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event_sale | route-public-sudo | /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'website_event.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_track | acl-global-read | access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum | route-public-sudo | /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum | route-public-sudo | /forum/<model("forum.forum"):forum>/badge/<model("gamification.badge"):badge> — Unauthenticated endpoint 'WebsiteForum.badge_users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_forum_censored | acl-global-read | access_forum_censored_phrase_everyone — Access rule grants read on 'model_forum_censored_phrase' to every user (portal/public included): no group is set |
| website_forum_doc | acl-global-read | all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set |
| website_google_map | route-public-sudo | /google_map — Unauthenticated endpoint 'google_map.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'website_hr_recruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_livechat | acl-global-read | access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set |
| website_livechat | route-public-sudo | /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_logo | route-auth-none | /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all |
| website_mail_channel | route-public-sudo | /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mail_channel | route-public-sudo | /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-public-sudo | /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_mass_mailing | route-auth-none | /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all |
| website_membership | route-public-sudo | /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_payment | route-public-sudo | /website_payment/pay — Unauthenticated endpoint 'website_payment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_payment | route-public-sudo | /website_payment/transaction — Unauthenticated endpoint 'website_payment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_rating_project_issue | route-public-sudo | /project/rating/ — Unauthenticated endpoint 'WebsiteRatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_rating_project_issue | route-public-sudo | /project/rating/<int:project_id> — Unauthenticated endpoint 'WebsiteRatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_website_pricelist — Access rule grants read on 'model_website_pricelist' to every user (portal/public included): no group is set |
| website_sale_digital | route-public-sudo | /my/download — Unauthenticated endpoint 'website_sale_digital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_seo_redirection | acl-global-read | read_everyone — Access rule grants read on 'model_website_seo_redirection' to every user (portal/public included): no group is set |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide", "[('channel_id.can_see', '=', True)]"):slide>/comment — Unauthenticated endpoint 'website_slides.slide_comment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'website_slides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
Active Pull Requests 0
No open migration PRs/MRs tracked.
Security Findings
Errors 128
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-write | access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_default_group_system — Access rule grants write/create/unlink on 'model_ir_default' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set |
| bi_view_editor | acl-global-write | access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set |
| calendar | acl-public-write | access_calendar_attendee_portal — Access rule grants write on 'model_calendar_attendee' to the portal/public group 'base.group_portal' |
| calendar | rule-public-bypass | calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model |
| crm_partner_assign | acl-public-write | lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal' |
| crm_partner_assign | acl-public-write | partner_access_crm_lead — Access rule grants write on 'model_crm_lead' to the portal/public group 'base.group_portal' |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| im_chat | acl-public-write | access_im_chat_message_portal — Access rule grants create on 'model_im_chat_message' to the portal/public group 'base.group_portal' |
| im_chat | acl-public-write | access_im_chat_session_portal — Access rule grants write/create on 'model_im_chat_session' to the portal/public group 'base.group_portal' |
| im_chat | acl-public-write | access_im_chat_conversation_state_portal — Access rule grants write/create on 'model_im_chat_conversation_state' to the portal/public group 'base.group_portal' |
| im_chat | acl-public-write | access_im_chat_presence_portal — Access rule grants write/create/unlink on 'model_im_chat_presence' to the portal/public group 'base.group_portal' |
| l10n_br_hr | acl-global-write | access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set |
| lunch | acl-global-write | access_report_order_line — Access rule grants write/create/unlink on 'model_report_lunch_order_line' to EVERY user (portal/public included): no group is set |
| lunch | acl-global-write | access_lunch_validation — Access rule grants write/create/unlink on 'model_lunch_validation' to EVERY user (portal/public included): no group is set |
| lunch | acl-global-write | access_lunch_cancel — Access rule grants write/create/unlink on 'model_lunch_cancel' to EVERY user (portal/public included): no group is set |
| openeducat_erp | acl-global-write | access_op_room — Access rule grants write/create/unlink on 'model_op_room' to EVERY user (portal/public included): no group is set |
| openeducat_erp | acl-global-write | access_op_asset — Access rule grants write/create/unlink on 'model_op_asset' to EVERY user (portal/public included): no group is set |
| openeducat_erp | acl-global-write | access_op_allocat_division — Access rule grants write/create/unlink on 'model_op_allocat_division' to EVERY user (portal/public included): no group is set |
| portal | acl-public-write | access_mail_message_portal — Access rule grants write/create/unlink on 'mail.model_mail_message' to the portal/public group 'base.group_portal' |
| portal | acl-public-write | access_mail_mail_portal — Access rule grants write/create on 'mail.model_mail_mail' to the portal/public group 'base.group_portal' |
| portal | acl-public-write | access_mail_notification_portal — Access rule grants write/create on 'mail.model_mail_notification' to the portal/public group 'base.group_portal' |
| portal | acl-public-write | access_mail_followers_portal — Access rule grants write on 'mail.model_mail_followers' to the portal/public group 'base.group_portal' |
| portal | acl-public-write | access_ir_attachment_group_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'base.group_portal' |
| portal_claim | acl-public-write | access_crm_claim — Access rule grants create on 'crm_claim.model_crm_claim' to the portal/public group 'base.group_portal' |
| portal_gamification | acl-public-write | goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal' |
| portal_gamification | acl-public-write | badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal' |
| product_dependencies | acl-global-write | access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set |
| purchase_transport_document | acl-global-write | access_transport_document — Access rule grants write/create/unlink on 'model_transport_document' to EVERY user (portal/public included): no group is set |
| report | acl-global-write | paperformat_access_employee — Access rule grants create on 'model_report_paperformat' to EVERY user (portal/public included): no group is set |
| report | acl-global-write | access_report — Access rule grants write/create/unlink on 'model_report' to EVERY user (portal/public included): no group is set |
| report_webkit | acl-global-write | access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set |
| report_webkit | acl-global-write | access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set |
| stock_scanner | acl-global-write | scanner_scenario_custom_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_scenario_custom' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set |
| survey | acl-global-write | access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set |
| test_access_rights | acl-global-write | access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set |
| test_converter | acl-global-write | access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set |
| test_documentation_examples | acl-global-write | access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set |
| test_exceptions | acl-global-write | access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set |
| test_impex | acl-global-write | access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set |
| test_inherit | acl-global-write | access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set |
| test_inherits | acl-global-write | access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set |
| test_limits | acl-global-write | access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_function_noinfiniterecursion — Access rule grants write/create/unlink on 'model_test_old_api_function_noinfiniterecursion' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_function_counter — Access rule grants write/create/unlink on 'model_test_old_api_function_counter' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set |
| test_new_api | acl-global-write | access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set |
| test_uninstall | acl-global-write | access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model — Access rule grants write/create/unlink on 'model_test_workflow_model' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_trigger — Access rule grants write/create/unlink on 'model_test_workflow_trigger' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_a — Access rule grants write/create/unlink on 'model_test_workflow_model_a' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_b — Access rule grants write/create/unlink on 'model_test_workflow_model_b' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_c — Access rule grants write/create/unlink on 'model_test_workflow_model_c' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_d — Access rule grants write/create/unlink on 'model_test_workflow_model_d' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_e — Access rule grants write/create/unlink on 'model_test_workflow_model_e' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_f — Access rule grants write/create/unlink on 'model_test_workflow_model_f' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_g — Access rule grants write/create/unlink on 'model_test_workflow_model_g' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_h — Access rule grants write/create/unlink on 'model_test_workflow_model_h' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_i — Access rule grants write/create/unlink on 'model_test_workflow_model_i' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_j — Access rule grants write/create/unlink on 'model_test_workflow_model_j' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_k — Access rule grants write/create/unlink on 'model_test_workflow_model_k' to EVERY user (portal/public included): no group is set |
| test_workflow | acl-global-write | access_test_workflow_model_l — Access rule grants write/create/unlink on 'model_test_workflow_model_l' to EVERY user (portal/public included): no group is set |
| web_shortcuts | acl-global-write | access_web_shortcut — Access rule grants write/create/unlink on 'model_web_shortcut' to EVERY user (portal/public included): no group is set |
| website | acl-global-write | access_website_converter_test — Access rule grants write/create/unlink on 'model_website_converter_test' to EVERY user (portal/public included): no group is set |
| website | acl-global-write | access_website_converter_test_sub — Access rule grants write/create/unlink on 'model_website_converter_test_sub' to EVERY user (portal/public included): no group is set |
| website_calendar_snippet | rule-public-bypass | website_calendar_block_partner_public — Record rule with an always-true domain grants portal/public users access to every record of its model |
| website_forum | acl-public-write | access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal' |
| website_forum | acl-public-write | access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public' |
| website_forum | acl-public-write | access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal' |
| website_sale_recently_viewed_products | acl-global-write | access_website_sale_product_view_public — Access rule grants write/create on 'model_website_sale_product_view' to EVERY user (portal/public included): no group is set |
| website_slides | acl-public-write | access_slide_slide_portal — Access rule grants write/create on 'model_slide_slide' to the portal/public group 'base.group_portal' |
Warnings 229
| Module | Code | Message |
|---|---|---|
| account_invoice_rounding_by_currency | acl-global-read | access_company_rounding — Access rule grants read on 'model_company_rounding' to every user (portal/public included): no group is set |
| account_invoice_transmit_method | acl-global-read | access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set |
| account_outstanding_payment | acl-global-read | access_account_config_settings — Access rule grants read on 'model_account_config_settings' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set |
| auth_totp | route-public-sudo | /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| auth_totp | route-auth-none | /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all |
| base | acl-global-read | access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_module_category_group_user — Access rule grants read on 'model_ir_module_category' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_module_module_user — Access rule grants read on 'model_ir_module_module' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_sequence_type_group_user — Access rule grants read on 'model_ir_sequence_type' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_translation_all — Access rule grants write/create/unlink on 'model_ir_translation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_bank_type_group_user — Access rule grants read on 'model_res_partner_bank_type' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_bank_type_field_group_user — Access rule grants read on 'model_res_partner_bank_type_field' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set |
| base | acl-global-write | access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_multi_company_default user — Access rule grants read on 'model_multi_company_default' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base_action_rule | acl-global-read | access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set |
| base_report_to_printer | acl-global-read | ir_model_access_printingprinterall0 — Access rule grants read on 'model_printing_printer' to every user (portal/public included): no group is set |
| base_report_to_printer | acl-global-read | ir_model_access_printing_action_all0 — Access rule grants read on 'model_printing_action' to every user (portal/public included): no group is set |
| base_report_to_printer | acl-global-read | ir_model_access_printing_report_xml_action_all0 — Access rule grants read on 'model_printing_report_xml_action' to every user (portal/public included): no group is set |
| base_unece | acl-global-read | access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| calendar | rule-group-bypass | calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| calendar | route-auth-none | /calendar/notify — Endpoint 'meeting_invitation.notify' uses auth="none": it runs with no user/session at all |
| calendar | route-auth-none | /calendar/notify_ack — Endpoint 'meeting_invitation.notify_ack' uses auth="none": it runs with no user/session at all |
| connector | route-auth-none | /connector/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all |
| connector_salesforce | route-auth-none | /salesforce/oauth — Endpoint 'SalesforceOAuthController.oauth' uses auth="none": it runs with no user/session at all |
| connector_woocommerce | acl-global-read | access_woo_sale_order_status — Access rule grants read on 'model_woo_sale_order_status' to every user (portal/public included): no group is set |
| connector_woocommerce | acl-global-read | access_woo_sale_order_line — Access rule grants read on 'model_woo_sale_order_line' to every user (portal/public included): no group is set |
| crm | acl-global-read | access_crm_case_stage — Access rule grants read on 'model_crm_case_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_rule_all_phones — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm_action | rule-group-bypass | crm_rule_all_action — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| dead_mans_switch_server | route-public-sudo | /dead_mans_switch/alive — Unauthenticated endpoint 'Main.alive' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| dead_mans_switch_server | route-auth-none | /dead_mans_switch/alive — Endpoint 'Main.alive' uses auth="none": it runs with no user/session at all |
| decimal_precision | acl-global-write | access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| edi | route-auth-none | /edi/import_url — Endpoint 'EDI.import_url' uses auth="none": it runs with no user/session at all |
| edi | route-auth-none | /edi/import_edi_url — Endpoint 'EDI.import_edi_url' uses auth="none": it runs with no user/session at all |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| event | acl-global-read | access_event_registration_portal — Access rule grants read on 'model_event_registration' to every user (portal/public included): no group is set |
| google_account | route-auth-none | /google_account/authentication — Endpoint 'google_auth.oauth2callback' uses auth="none": it runs with no user/session at all |
| help_online | rule-group-bypass | online_help_reader_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_evaluation | rule-group-bypass | hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense_accountedge | rule-group-bypass | property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_gamification | rule-group-bypass | goal_officer_visibility — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_schedule | rule-group-bypass | property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_security | rule-group-bypass | property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all |
| hw_blackbox_be | route-auth-none | /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all |
| hw_posbox_homepage | route-auth-none | /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all |
| hw_posbox_upgrade | route-auth-none | /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all |
| hw_scale | route-auth-none | /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all |
| hw_scanner | route-auth-none | /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all |
| hw_screen | route-auth-none | /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all |
| hw_telium_payment_terminal | route-auth-none | /hw_proxy/payment_terminal_transaction_start — Endpoint 'TeliumPaymentTerminalProxy.payment_terminal_transaction_start' uses auth="none": it runs with no user/session at all |
| im_chat | route-auth-none | /im_chat/init — Endpoint 'Controller.init' uses auth="none": it runs with no user/session at all |
| im_chat | route-auth-none | /im_chat/post — Endpoint 'Controller.post' uses auth="none": it runs with no user/session at all |
| im_chat | route-auth-none | /im_chat/image/<string:uuid>/<string:user_id> — Endpoint 'Controller.image' uses auth="none": it runs with no user/session at all |
| im_chat | route-auth-none | /im_chat/history — Endpoint 'Controller.history' uses auth="none": it runs with no user/session at all |
| im_livechat | acl-global-read | access_ls_chann1 — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set |
| im_livechat | route-auth-none | /im_livechat/support/<string:dbname>/<int:channel_id> — Endpoint 'LiveChatController.support_page' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/loader/<string:dbname>/<int:channel_id> — Endpoint 'LiveChatController.loader' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/get_session — Endpoint 'LiveChatController.get_session' uses auth="none": it runs with no user/session at all |
| im_livechat | route-auth-none | /im_livechat/available — Endpoint 'LiveChatController.available' uses auth="none": it runs with no user/session at all |
| intrastat_product | acl-global-read | access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set |
| intrastat_product | acl-global-read | access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set |
| l10n_be_intrastat | acl-global-read | access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_chronic_disease — Access rule grants read on 'model_hr_chronic_disease' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set |
| l10n_br_hr | acl-global-read | access_hr_nationality_code — Access rule grants read on 'model_hr_nationality_code' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set |
| l10n_br_hr_contract | acl-global-read | access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set |
| l10n_cn_fapiao | acl-global-read | access_fapiao_tag — Access rule grants read on 'model_fapiao_tag' to every user (portal/public included): no group is set |
| l10n_cn_fapiao | acl-global-read | access_fapiao_tax_type — Access rule grants read on 'model_fapiao_tax_type' to every user (portal/public included): no group is set |
| l10n_eu_service | acl-global-read | access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set |
| l10n_it_account_tax_kind | acl-global-read | access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set |
| l10n_pe_toponyms | acl-global-read | access_res_country_district_group_user — Access rule grants read on 'model_res_country_district' to every user (portal/public included): no group is set |
| l10n_pe_toponyms | acl-global-read | access_res_country_province_group_user — Access rule grants read on 'model_res_country_province' to every user (portal/public included): no group is set |
| letsencrypt | route-auth-none | /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all |
| acl-global-write | access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| rule-group-bypass | mail_followers_read_write_others — Record rule with an always-true domain bypasses every other record rule of its model for its group |
|
| route-auth-none | /mail/receive — Endpoint 'MailController.receive' uses auth="none": it runs with no user/session at all |
|
| mail_mandrill | route-auth-none | /mandrill/event — Endpoint 'MailController.event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-auth-none | /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-auth-none | /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all |
| mail_tracking | route-auth-none | /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all |
| mass | acl-global-read | access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set |
| mass_mailing | route-auth-none | /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all |
| mass_mailing | route-auth-none | /mail/mailing/<int:mailing_id>/unsubscribe — Endpoint 'MassMailController.mailing' uses auth="none": it runs with no user/session at all |
| mass_mailing_custom_unsubscribe | route-public-sudo | CustomUnsubscribe.mailing — Unauthenticated endpoint 'CustomUnsubscribe.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| operating_unit | acl-global-read | access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set |
| partner_external_maps | acl-global-read | access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set |
| partner_relations | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_relations | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_relations | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| payment | rule-group-bypass | payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| payment_adyen | route-auth-none | /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all |
| payment_adyen | route-auth-none | /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all |
| payment_alipay | route-auth-none | /payment/alipay/notify/ — Endpoint 'AlipayController.alipay_autoreceive' uses auth="none": it runs with no user/session at all |
| payment_alipay | route-auth-none | /payment/alipay/return/ — Endpoint 'AlipayController.alipay_return' uses auth="none": it runs with no user/session at all |
| payment_authorize | route-public-sudo | /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_buckaroo | route-auth-none | /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all |
| payment_ogone | route-auth-none | /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-auth-none | /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-auth-none | /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all |
| payment_paypal | route-auth-none | /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all |
| payment_redsys | route-auth-none | /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Endpoint 'RedsysController.redsys_return' uses auth="none": it runs with no user/session at all |
| payment_redsys | route-public-sudo | /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| payment_sips | route-auth-none | /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all |
| payment_sips | route-auth-none | /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all |
| payment_transfer | route-auth-none | /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all |
| payment_wcpay | route-auth-none | /payment/weixin/notify — Endpoint 'WcpayController.weixin_notify' uses auth="none": it runs with no user/session at all |
| product | acl-global-read | access_product_pricelist_type_user — Access rule grants read on 'model_product_pricelist_type' to every user (portal/public included): no group is set |
| product_brand | acl-global-read | access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set |
| product_extended | acl-global-write | access_wizard_price_all — Access rule grants write/create/unlink on 'model_wizard_price' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| product_harmonized_system | acl-global-read | access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set |
| product_pricelist_cache | acl-global-read | access_product_price_cache_public — Access rule grants read on 'model_product_price_cache' to every user (portal/public included): no group is set |
| product_variant_cost_price | acl-global-read | access_product_price_history_product_global — Access rule grants read on 'model_product_price_history_product' to every user (portal/public included): no group is set |
| project | acl-global-read | access_project_category — Access rule grants read on 'model_project_category' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set |
| quality_control | acl-global-read | access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set |
| report | acl-global-read | paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set |
| stock_scanner | acl-global-read | scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set |
| stock_scanner | rule-group-bypass | scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| stock_tracking_add_remove | acl-global-write | access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| survey | acl-global-read | access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set |
| survey | acl-global-read | access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set |
| tr_barcode | acl-global-write | access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| users_ldap_push | acl-global-read | read_field_mappings — Access rule grants read on 'model_res_company_ldap_field_mapping' to every user (portal/public included): no group is set |
| web_easy_switch_company | route-auth-none | /web_easy_switch_company/switch/change_current_company — Endpoint 'WebEasySwitchCompanyController.change_current_company' uses auth="none": it runs with no user/session at all |
| web_favicon | route-public-sudo | /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes |
| web_favicon | route-auth-none | /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all |
| web_graph | route-auth-none | /web_graph/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all |
| web_no_crawler | route-auth-none | /robots.txt — Endpoint 'Main.robots' uses auth="none": it runs with no user/session at all |
| website | acl-global-read | access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set |
| website | acl-global-read | access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set |
| website | acl-global-read | access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set |
| website_blog | acl-global-read | blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set |
| website_certification | acl-global-read | access_certifications_public — Access rule grants read on 'model_certification_certification' to every user (portal/public included): no group is set |
| website_certification | acl-global-read | access_certifications_types_public — Access rule grants read on 'model_certification_type' to every user (portal/public included): no group is set |
| website_country_localized_pages | acl-global-read | access_ir_ui_view_country_line_group_user — Access rule grants read on 'model_ir_ui_view_country_line' to every user (portal/public included): no group is set |
| website_event | acl-global-read | access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set |
| website_event_filter_organizer | route-public-sudo | /event, /event/page/<int:page> — Unauthenticated endpoint 'WebsiteEventOrganizer.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_register_free | route-public-sudo | /event/<model("event.event"):event>/register/register_free — Unauthenticated endpoint 'WebsiteEvent.event_register_free' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_event_sale | acl-global-read | access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_tag_public — Access rule grants read on 'model_event_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_stage_public — Access rule grants read on 'model_event_track_stage' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set |
| website_event_track | acl-global-read | access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set |
| website_forum | acl-global-read | access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set |
| website_forum_doc | acl-global-read | all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set |
| website_hr_recruitment | acl-global-read | access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set |
| website_hr_recruitment | rule-group-bypass | hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| website_hr_recruitment | route-public-sudo | /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'website_hr_recruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_logo | route-auth-none | /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all |
| website_sale | acl-global-read | access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_version_public — Access rule grants read on 'product.model_product_pricelist_version' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_product_price_type_public — Access rule grants read on 'product.model_product_price_type' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set |
| website_sale | acl-global-read | access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set |
| website_sale_delivery | acl-global-read | access_delivery_carrier_public — Access rule grants read on 'delivery.model_delivery_carrier' to every user (portal/public included): no group is set |
| website_sale_product_legal | acl-global-read | everyone_read — Access rule grants read on 'model_website_sale_product_legal_legal_term' to every user (portal/public included): no group is set |
| website_seo_redirection | acl-global-read | read_everyone — Access rule grants read on 'model_website_seo_redirection' to every user (portal/public included): no group is set |
| website_slides | route-public-sudo | /slides/slide/<model("slide.slide", "[('channel_id.can_see', '=', True)]"):slide>/comment — Unauthenticated endpoint 'WebsiteSlides.slide_comment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_slides | route-public-sudo | /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes |
| website_twitter | acl-global-read | access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set |
Active Pull Requests 0
No open migration PRs/MRs tracked.
Security Findings
Errors 24
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-write | access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_default_group_system — Access rule grants write/create/unlink on 'model_ir_default' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_ui_view_sc_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_sc' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set |
| base_calendar | acl-global-write | access_calendar_attendee — Access rule grants write/create/unlink on 'model_calendar_attendee' to EVERY user (portal/public included): no group is set |
| base_report_assembler | acl-global-write | access_assembled_report — Access rule grants write/create/unlink on 'model_assembled_report' to EVERY user (portal/public included): no group is set |
| hr_recruitment | acl-global-write | access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set |
| lunch | acl-global-write | access_report_order_line — Access rule grants write/create/unlink on 'model_report_lunch_order_line' to EVERY user (portal/public included): no group is set |
| lunch | acl-global-write | access_lunch_validation — Access rule grants write/create/unlink on 'model_lunch_validation' to EVERY user (portal/public included): no group is set |
| lunch | acl-global-write | access_lunch_cancel — Access rule grants write/create/unlink on 'model_lunch_cancel' to EVERY user (portal/public included): no group is set |
| portal | acl-public-write | access_ir_attachment_group_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'portal.group_portal' |
| portal_claim | acl-public-write | access_crm_claim — Access rule grants create on 'crm_claim.model_crm_claim' to the portal/public group 'portal.group_portal' |
| portal_event | acl-public-write | access_registration — Access rule grants write/create/unlink on 'event.model_event_registration' to the portal/public group 'portal.group_portal' |
| product_dependencies | acl-global-write | access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set |
| report_webkit | acl-global-write | access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set |
| report_webkit | acl-global-write | access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set |
Warnings 51
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-read | access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_module_category_group_user — Access rule grants read on 'model_ir_module_category' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_module_module_user — Access rule grants read on 'model_ir_module_module' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_sequence_type_group_user — Access rule grants read on 'model_ir_sequence_type' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_translation_all — Access rule grants write/create/unlink on 'model_ir_translation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_ui_menu_group_user — Access rule grants read on 'model_ir_ui_menu' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_bank_type_group_user — Access rule grants read on 'model_res_partner_bank_type' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_bank_type_field_group_user — Access rule grants read on 'model_res_partner_bank_type_field' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set |
| base | acl-global-write | access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_multi_company_default user — Access rule grants read on 'model_multi_company_default' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base_action_rule | acl-global-read | access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set |
| base_report_to_printer | acl-global-read | ir_model_access_printingprinterall0 — Access rule grants read on 'model_printing_printer' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| crm | acl-global-read | access_crm_case_stage — Access rule grants read on 'model_crm_case_stage' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| crm | rule-group-bypass | crm_rule_all_phones — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| currency_rate_update | acl-global-read | ir_model_access_currencyrateupdate0 — Access rule grants read on 'currency_rate_update.model_currency_rate_update' to every user (portal/public included): no group is set |
| currency_rate_update | acl-global-read | ir_model_access_currencyrateupdate4 — Access rule grants read on 'currency_rate_update.model_currency_rate_update_service' to every user (portal/public included): no group is set |
| document_webdav | acl-global-write | access_webdav_file_property_all — Access rule grants write/create/unlink on 'model_document_webdav_file_property' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| event | acl-global-read | access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set |
| event | acl-global-read | access_event_registration_portal — Access rule grants read on 'model_event_registration' to every user (portal/public included): no group is set |
| google_docs | acl-global-read | access_google_docs — Access rule grants read on 'model_google_docs_config' to every user (portal/public included): no group is set |
| hr_evaluation | rule-group-bypass | hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense_accountedge | rule-group-bypass | property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_holidays | rule-group-bypass | property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_schedule | rule-group-bypass | property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_security | rule-group-bypass | property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| l10n_pe_toponyms | acl-global-read | access_res_country_district_group_user — Access rule grants read on 'model_res_country_district' to every user (portal/public included): no group is set |
| l10n_pe_toponyms | acl-global-read | access_res_country_province_group_user — Access rule grants read on 'model_res_country_province' to every user (portal/public included): no group is set |
| acl-global-write | access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| acl-global-write | access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
|
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| partner_relations | acl-global-read | read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set |
| partner_relations | acl-global-read | read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set |
| partner_relations | acl-global-read | read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set |
| portal | acl-global-read | access_acquirer — Access rule grants read on 'portal.model_portal_payment_acquirer' to every user (portal/public included): no group is set |
| project | acl-global-read | access_project_category — Access rule grants read on 'model_project_category' to every user (portal/public included): no group is set |
| stock_tracking_add_remove | acl-global-write | access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| tr_barcode | acl-global-write | access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| tree_view_record_id | acl-global-read | access_module_tree_view_record_id_installed — Access rule grants read on 'model_module_tree_view_record_id_installed' to every user (portal/public included): no group is set |
Active Pull Requests 0
No open migration PRs/MRs tracked.
Security Findings
Errors 18
| Module | Code | Message |
|---|---|---|
| base | acl-global-write | access_ir_default_group_system — Access rule grants write/create/unlink on 'model_ir_default' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-global-write | access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set |
| base | acl-global-write | access_ir_ui_view_sc_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_sc' to EVERY user (portal/public included): no group is set |
| base | acl-privilege-escalation | access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions |
| base | acl-privilege-escalation | access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions |
| base_module_quality | acl-global-write | access_module_quality_check — Access rule grants write/create/unlink on 'model_module_quality_check' to EVERY user (portal/public included): no group is set |
| base_module_quality | acl-global-write | access_module_quality_detail — Access rule grants write/create/unlink on 'model_module_quality_detail' to EVERY user (portal/public included): no group is set |
| email_template | acl-global-write | access_email_template_manager — Access rule grants write/create/unlink on 'model_email_template' to EVERY user (portal/public included): no group is set |
| hr_performance | acl-global-write | access_attribute_line — Access rule grants write/create/unlink on 'model_attribute_line' to EVERY user (portal/public included): no group is set |
| import_google | acl-privilege-escalation | access_ir_model_data_partner_manager — Access rule grants write on security model 'base.model_res_users' to group 'base.group_partner_manager': members can escalate their own permissions |
| acl-global-write | access_mail_message — Access rule grants write/create on 'model_mail_message' to EVERY user (portal/public included): no group is set |
|
| acl-global-write | access_mail_thread — Access rule grants write/create on 'model_mail_thread' to EVERY user (portal/public included): no group is set |
|
| report_webkit | acl-global-write | access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set |
| report_webkit | acl-global-write | access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set |
Warnings 46
| Module | Code | Message |
|---|---|---|
| anonymization | acl-global-read | access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set |
| anonymization | acl-global-read | access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_widget_user_all — Access rule grants write/create/unlink on 'model_res_widget_user' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_module_category_group_user — Access rule grants read on 'model_ir_module_category' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_module_module_user — Access rule grants read on 'model_ir_module_module' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_sequence_group_user — Access rule grants read on 'model_ir_sequence' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_sequence_type_group_user — Access rule grants read on 'model_ir_sequence_type' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_translation_all — Access rule grants write/create/unlink on 'model_ir_translation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_ui_menu_group_user — Access rule grants read on 'model_ir_ui_menu' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_groups_group_user — Access rule grants read on 'model_res_groups' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_bank_type_group_user — Access rule grants read on 'model_res_partner_bank_type' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_bank_type_field_group_user — Access rule grants read on 'model_res_partner_bank_type_field' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set |
| base | acl-global-read | access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set |
| base | acl-global-write | access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_multi_company_default user — Access rule grants read on 'model_multi_company_default' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_filter all — Access rule grants read on 'model_ir_filters' to every user (portal/public included): no group is set |
| base | acl-global-write | access_ir_filters — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_res_widget_user — Access rule grants read on 'model_res_widget' to every user (portal/public included): no group is set |
| base | acl-global-write | access_res_log_all — Access rule grants write/create/unlink on 'model_res_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| base | acl-global-read | access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set |
| base | acl-global-read | access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set |
| base_action_rule | acl-global-read | access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set |
| base_report_to_printer | acl-global-read | ir_model_access_printingprinterall0 — Access rule grants read on 'model_printing_printer' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set |
| board | acl-global-read | access_board_board_line all — Access rule grants read on 'model_board_board_line' to every user (portal/public included): no group is set |
| board | acl-global-read | access_res_log_report all — Access rule grants read on 'model_res_log_report' to every user (portal/public included): no group is set |
| crm | rule-group-bypass | crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| currency_rate_update | acl-global-read | ir_model_access_currencyrateupdate0 — Access rule grants read on 'currency_rate_update.model_currency_rate_update' to every user (portal/public included): no group is set |
| currency_rate_update | acl-global-read | ir_model_access_currencyrateupdate4 — Access rule grants read on 'currency_rate_update.model_currency_rate_update_service' to every user (portal/public included): no group is set |
| document_webdav | acl-global-write | access_webdav_file_property_all — Access rule grants write/create/unlink on 'model_document_webdav_file_property' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |
| edi | acl-global-read | access_ir_edi_all_read — Access rule grants read on 'model_edi_document' to every user (portal/public included): no group is set |
| email_template | acl-global-read | access_email_template — Access rule grants read on 'model_email_template' to every user (portal/public included): no group is set |
| hr_evaluation | rule-group-bypass | hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_expense_accountedge | rule-group-bypass | property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_academic_hruser_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_professional_hruser_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| hr_experience | rule-group-bypass | hr_certification_hruser_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| membership | acl-global-read | access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set |
| project_service_base | rule-group-bypass | project_group_project_user_all_tasks — Record rule with an always-true domain bypasses every other record rule of its model for its group |
| tr_barcode | acl-global-write | access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional) |