Modules

8861 Odoo modules tracked across all registered organizations
Most changed module
3747 commits
Most contributors
370 committers
Widest Odoo reach
14 versions
Most relied-upon module
3954 dependents

Active Pull Requests 884

0 fresh 0 rotting 0 rotten

Module Repository Title Age CI
account-invoice-refund-reason OCA/account-invoicing [19.0][MIG] account_invoice_refund_reason: Migrate to 19.0 #2139 no CI data
account_analytic_distribution_manual OCA/account-analytic [19.0][mig] account analytic distribution manual #941 no CI data
account_analytic_line_commercial_partner OCA/account-analytic [19.0][MIG] account_analytic_line_commercial_partner: Migration to 19.0 #908 no CI data
account_analytic_organization OCA/account-analytic [19.0][MIG] account_analytic_organization: Migration to 19.0 #909 no CI data
account_analytic_parent OCA/account-analytic [19.0] [MIG] account_analytic_parent: Migration to 19.0 #886 no CI data
account_analytic_parent OCA/account-analytic [19.0] [mig] account_analytic_parent #942 no CI data
account_asset_compute_batch OCA/account-financial-tools [19.0][MIG] account_asset_compute_batch: Migration to 19.0 #2300 no CI data
account_asset_low_value OCA/account-financial-tools [19.0][MIG] account_asset_low_value: Migration to 19.0 #2296 no CI data
account_asset_management_stock_lot OCA/account-financial-tools [19.0][MIG] account_asset_management_stock_lot: Migration to 19.0 #2353 no CI data
account_asset_number OCA/account-financial-tools [19.0][MIG] account_asset_number: Migration to 19.0 #2298 no CI data
account_asset_transfer OCA/account-financial-tools [19.0][MIG] account_asset_transfer: Migration to 19.0 #2299 no CI data
account_avatax_exemption OCA/account-fiscal-rule [19.0][MIG] account_avatax_exemption: Migration to 19.0 #596 no CI data
account_avatax_exemption_base OCA/account-fiscal-rule [19.0][MIG] account_avatax_exemption_base: Migration to 19.0 #592 no CI data
account_avatax_oca OCA/account-fiscal-rule [19.0][MIG] account_avatax_oca: Migration to 19.0 #591 no CI data
account_avatax_oca_log OCA/account-fiscal-rule [19.0][MIG] account_avatax_oca_log: Migration to 19.0 #594 no CI data
account_avatax_sale_oca OCA/account-fiscal-rule [19.0][MIG] account_avatax_sale_oca: Migration to 19.0 #593 no CI data
account_avatax_website_sale OCA/account-fiscal-rule [19.0][MIG] account_avatax_website_sale: Migration to 19.0 #595 no CI data
account_bank_statement_chatter OCA/account-financial-tools [19.0][MIG] account_bank_statement_chatter: Migration to 19.0 #2275 no CI data
account_banking_ach_base OCA/l10n-usa [19.0][MIG] account_banking_ach_base: Migration to 19.0 #178 no CI data
account_banking_ach_credit_transfer OCA/l10n-usa [19.0][MIG] account_banking_ach_credit_transfer: Migration to 19.0 #179 no CI data
account_billing OCA/account-invoicing [19.0][MIG] account_billing: Migration to 19.0 #2349 no CI data
account_brand OCA/brand [19.0][MIG] account_brand: Migration to 19.0 #303 no CI data
account_cash_deposit OCA/account-financial-tools [19.0][MIG] account_cash_deposit: Migration to 19.0 #2281 no CI data
account_due_list_payment OCA/account-payment [19.0] [MIG] account_due_list_payment: Migration to 19.0 #956 no CI data
account_ecotax OCA/account-fiscal-rule [19.0][MIG] account_ecotax: Migration to 19.0 #589 no CI data
account_ecotax_sale OCA/account-fiscal-rule [19.0][MIG] account_ecotax_sale: Migration to 19.0 #599 no CI data
account_ecotax_tax OCA/account-fiscal-rule [19.0][MIG] account_ecotax_tax: Migration to 19.0 #604 no CI data
account_financial_report_sale OCA/account-financial-reporting [19.0][MIG] account_financial_report_sale: Migration to 19.0 #1448 no CI data
account_fiscal_month OCA/account-financial-tools [19.0][MIG] account_fiscal_month: Migration to 19.0 #2268 no CI data
account_fiscal_year_auto_create OCA/account-financial-tools [19.0][MIG] account_fiscal_year_auto_create: Migration to 19.0 #2284 no CI data
account_in_payment OCA/account-reconcile [19.0][MIG] account_in_payment: Migration to 19.0 #984 no CI data
account_invoice_bank_brand OCA/brand [19.0][MIG] account_invoice_bank_brand: Migration to 19.0 #310 no CI data
account_invoice_check_total OCA/account-invoicing [19.0][MIG] account_invoice_check_total: Migration to 19.0 #2189 no CI data
account_invoice_date_due OCA/account-invoicing [19.0][MIG] account_invoice_date_due: Migration to 19.0 #2282 no CI data
account_invoice_default_code_column OCA/account-invoicing [19.0][MIG] account_invoice_default_code_column: Migration to 19.0 #2332 no CI data
account_invoice_discount_display_amount OCA/account-invoicing [19.0] [Mig] account_invoice_discount_display_amount: Migrate to 19.0 #2346 no CI data
account_invoice_export OCA/edi [19.0][MIG] account_invoice_export: Migration to 19.0 #1371 no CI data
account_invoice_import OCA/edi [19.0][MIG] account_invoice_import: Migration to 19.0 #1363 no CI data
account_invoice_line_report OCA/account-invoice-reporting [19.0][MIG] account_invoice_line_report: Migration to 19.0 #402 no CI data
account_invoice_line_sale_line_position OCA/account-invoice-reporting [19.0][MIG] account_invoice_line_sale_line_position: Migration to 19.0 #403 no CI data
account_invoice_line_unit_price_untaxed-hda OCA/account-invoicing [19.0][MIG] account_invoice_line_unit_price_untaxed #2361 no CI data
account_invoice_merge OCA/account-invoicing [19.0][MIG] account_invoice_merge: Migration to 19.0 #2295 no CI data
account_invoice_overdue_reminder OCA/credit-control [19.0] [MIG] account_invoice_overdue_reminder: Migration to 19.0 #560 no CI data
account_invoice_payment_term_date_due OCA/account-invoicing [19.0][MIG] account_invoice_payment_term_date_due: Migration to 19.0 #2358 no CI data
account_invoice_qr_code_sepa_payconiq-hda OCA/account-invoicing [19.0][MIG] account_invoice_qr_code_sepa_payconiq #2367 no CI data
account_invoice_report_payment_info OCA/account-invoice-reporting [19.0][MIG] account_invoice_report_payment_info: Migration to 19.0 #407 no CI data
account_invoice_report_picking_customer_note OCA/account-invoice-reporting [19.0][MIG] account_invoice_report_picking_customer_note: Migartion to 19.0 #408 no CI data
account_invoice_report_salesperson OCA/account-invoice-reporting [19.0][MIG] account_invoice_report_salesperson: Migration to 19.0 #406 no CI data
account_invoice_supplier_ref_unique OCA/account-invoicing [19.0][MIG] account_invoice_supplier_ref_unique #2363 no CI data
account_invoice_supplierinfo_update OCA/account-invoicing [19.0][MIG] account_invoice_supplierinfo_update: Migration to 19.0 #2341 no CI data
account_invoice_tax_required OCA/account-invoicing [19.0][MIG] account_invoice_tax_required: migration to 19.0 #2210 no CI data
account_invoice_transmit_method OCA/account-invoicing [19.0][MIG] account_invoice_transmit_method: Migration to 19.0 #2222 no CI data
account_invoice_warn_message OCA/account-invoicing [19.0][MIG] account_invoice_warn_message: Migration to 19.0 #2360 no CI data
account_liquidity_forecast OCA/account-financial-reporting [19.0][MIG] account_liquidity_forecast #1450 no CI data
account_loan+port+refactor OCA/account-financial-tools [19.0][MIG] account_loan + refactor #2235 no CI data
account_loan_analytic_account OCA/account-financial-tools [19.0][MIG] account_loan_analytic_account #2231 no CI data
account_lock_to_date OCA/account-financial-tools [19.0][MIG] account_lock_to_date: Migration to 19.0 #2277 no CI data
account_maturity_date_default OCA/account-financial-tools [19.0][MIG] account_maturity_date_default: Migration to 19.0 #2271 no CI data
account_move_analytic_link OCA/account-analytic [19.0][MIG] account_move_analytic_link: Migration to 19.0 #911 no CI data
account_move_budget OCA/account-financial-tools [19.0][MIG] account_move_budget #2236 no CI data
account_move_fiscal_year OCA/account-financial-tools [19.0][MIG] account_move_fiscal_year: Migration to 19.0 #2285 no CI data
account_move_group_restriction OCA/account-financial-tools [19.0][MIG] account_move_group_restriction: Migration to 19.0 #2291 no CI data
account_move_line_mrp_info OCA/manufacture [19.0][MIG] account_move_line_mrp_info #1691 no CI data
account_move_line_purchase_info OCA/account-financial-tools [19.0][MIG] account_move_line_purchase_info #2187 no CI data
account_move_line_report_xls OCA/account-financial-reporting [19.0][MIG] account_move_line_report_xls: Migration to 19.0 #1449 no CI data
account_move_line_sale_info OCA/account-financial-tools [19.0][MIG] account_move_line_sale_info #2201 no CI data
account_move_reconcile_forbid_cancel OCA/account-reconcile [19.0][MIG] account_move_reconcile_forbid_cancel: Migration to 19.0 #992 no CI data
account_move_reconcile_helper OCA/account-reconcile [19.0][MIG] account_move_reconcile_helper #947 no CI data
account_move_tag OCA/account-invoicing [19.0][MIG] account_move_tag #2213 no CI data
account_move_tier_validation OCA/account-invoicing 19.0 [MIG] account move tier validation #2149 no CI data
account_move_tier_validation_approver OCA/tier-validation [MIG] account_move_tier_validation_approver: Migration to 19.0 #50 no CI data
account_partner_reconcile OCA/account-reconcile [19.0][MIG] account_partner_reconcile: Migration to 19.0 #982 no CI data
account_partner_required OCA/account-financial-tools [MIG][19.0] account_partner_required #2259 no CI data
account_partner_required OCA/account-financial-tools [19.0][MIG] account_partner_required: Migration to 19.0 #2207 no CI data
account_payment_batch_fs_storage OCA/bank-payment-alternative [19.0][MIG][RENAME][MOVE] account_payment_batch_fs_storage #68 no CI data
account_payment_order_return OCA/bank-payment [19.0] [MIG] account_payment_order_return: Migration to 19.0 #1531 no CI data
account_payment_show_invoice OCA/account-payment [19.0][MIG] account_payment_show_invoice: Migration to 19.0 #940 no CI data
account_payment_tier_validation OCA/tier-validation [MIG] account_payment_tier_validation: Migration to 19.0 #5 no CI data
account_reconcile_oca_add_default_filters OCA/account-reconcile [19.0][MIG] account_reconcile_oca_add_default_filters: Migration to 19.0 #985 no CI data
account_reporting_volume OCA/account-invoice-reporting [19.0][MIG] account_reporting_volume: Migration to 19.0 #405 no CI data
account_reporting_weight OCA/account-invoice-reporting [19.0][MIG] account_reporting_weight: Migration to 19.0 #404 no CI data
account_sequence_option OCA/account-financial-tools [19.0][MIG] account_sequence_option #2215 no CI data
account_spread_cost_revenue OCA/account-financial-tools [19.0][MIG] account_spread_cost_revenue: Migration to 19.0 #2208 no CI data
account_statement_import_move_line OCA/bank-statement-import [19.0][MIG] account_statement_import_move_line: Migration to 19.0 #932 no CI data
account_statement_import_ofx OCA/bank-statement-import [19.0][MIG] account_statement_import_ofx: Migration to 19.0 #924 no CI data
account_statement_import_online_paypal OCA/bank-statement-import [MIG] account_statement_import_online_paypal: Migration to 19.0 #866 no CI data
account_statement_import_online_stripe OCA/bank-statement-import [19.0][MIG] account_statement_import_online_stripe #901 no CI data
account_statement_reconcile_status OCA/account-reconcile [19.0][MIG] account_statement_reconcile_status: Migration to 19.0 #983 no CI data
account_tax_one_vat OCA/account-invoicing [19.0][MIG] account_tax_one_vat: Migration to 19.0 #2336 no CI data
account_tax_one_vat_purchase OCA/account-invoicing [19.0][MIG] account_tax_one_vat_purchase: Migration to 19.0 #2340 no CI data
account_tax_one_vat_sale OCA/account-invoicing [19.0][MIG] account_tax_one_vat_sale: Migration to 19.0 #2338 no CI data
agreement_account OCA/agreement [19.0][MIG] agreement_account: Migration to 19.0 #112 no CI data
analytic_brand-BAD OCA/brand [19.0][MIG] analytic_brand: Migration to 19.0 #273 no CI data
animal OCA/partner-contact [19.0] [MIG] animal: Migration to 19.0 #2329 no CI data
announcement-BAD OCA/server-ux [19.0][MIG] announcement: Migration to 19.0 #1161 no CI data
attachment_delete_restrict OCA/server-tools [19.0][MIG] attachment_delete_restrict: Migration to 19.0 #3398 no CI data
attachment_preview OCA/knowledge [19.0][MIG] attachment_preview: Migration to 19.0 #588 no CI data
attachment_queue OCA/server-tools [19.0][MIG] attachment_queue: Migration to 19.0 #3614 no CI data
attachment_synchronize OCA/server-tools [19.0][MIG] attachment_synchronize: Migration to 19.0 #3615 no CI data
auth_jwt OCA/server-auth [19.0][MIG] auth_jwt: Migration to 19.0 #844 no CI data
auth_ldaps OCA/server-auth [19.0][MIG] auth_ldaps: Migration to 19.0 #851 no CI data
auth_oidc_environment OCA/server-auth [19.0][MIG] auth_oidc_environment: Migration to 19.0 #967 no CI data
auth_saml OCA/server-auth [19.0][MIG] auth_saml: Migration to 19.0 #871 no CI data
auth_signup_verify_email OCA/server-auth [19.0][MIG] auth_signup_verify_email: Migration to 19.0 #905 no CI data
auth_signup_verify_email-BAD OCA/server-auth [19.0][MIG] auth_signup_verify_email: Migration to 19.0 #854 no CI data
auto_backup OCA/server-tools [19.0][MIG] auto_backup: Migration to 19.0 #3592 no CI data
automation_oca OCA/automation [19.0][MIG] automation_oca: Migration to 19.0 #54 no CI data
barcode_action OCA/server-ux [19.0][MIG] barcode_action #1290 no CI data
base_business_document_import_phone OCA/edi [19.0][MIG] base_business_document_import_phone: Migration to 19.0 #1345 no CI data
base_cron_exclusion-BAD OCA/server-tools [19.0][MIG] base_cron_exclusion: Migration to 19.0 #3379 no CI data
base_export_manager OCA/server-ux [19.0][MIG] base_export_manager: Migration to 19.0 #1309 no CI data
base_export_manager OCA/server-ux [19.0][MIG] base_export_manager: Migration to 19.0 #1188 no CI data
base_external_dbsource_mssql OCA/server-backend [19.0][MIG] Migration of module base_external_dbsource_mssql #416 no CI data
base_fontawesome OCA/server-tools [19.0][MIG] base_fontawesome: Migration to 19.0 #3608 no CI data
base_force_record_noupdate-BAD OCA/server-tools [19.0][MIG] base_force_record_noupdate: Migration to 19.0 #3380 no CI data
base_geoengine OCA/geospatial [MIG] base_geoengine: Migrated to 19.0 #414 no CI data
base_geoengine-consolidated OCA/geospatial [19.0][MIG] base_geoengine: consolidated migration #465 no CI data
base_import_match OCA/server-backend [19.0][MIG] base_import_match: Migration to 19.0 #467 no CI data
base_import_security_group OCA/server-ux [19.0][MIG] base_import_security_group: Migration to 19.0 #1274 no CI data
base_kanban_stage OCA/server-tools [19.0][MIG] base_kanban_stage #3473 no CI data
base_location_nuts OCA/partner-contact [19.0][MIG] base_location_nuts: Migration to 19.0 #2285 no CI data
base_m2m_custom_field OCA/server-tools [19.0][MIG] base_m2m_custom_field: Migration to 19.0 #3617 no CI data
base_mixin_restrict_field_access OCA/server-tools [19.0][MIG] base_mixin_restrict_field_access: Migration to 19.0 #3575 no CI data
base_model_restrict_update OCA/server-tools [19.0][MIG] base_model_restrict_update: Migration to 19.0 #3388 no CI data
base_multi_company OCA/multi-company [19.0][MIG] base_multi_company #1009 no CI data
base_multi_image OCA/server-tools [19.0][MIG] base_multi_image #3633 no CI data
base_multicompany_reporting_currency OCA/sale-reporting [19.0][MIG] base_multicompany_reporting_currency: migration to 19.0 #351 no CI data
base_name_search_improved OCA/server-tools [19.0][MIG] base_name_search_improved: Migration to 19.0 #3580 no CI data
base_name_search_improved-BAD OCA/server-tools [19.0][MIG] base_name_search_improved: Migration to 19.0 #3381 no CI data
base_optional_quick_create OCA/server-ux [19.0][MIG] base_optional_quick_create: Migration to 19.0 #1277 no CI data
base_optional_quick_create OCA/server-ux [19.0][MIG] base_optional_quick_create: Migration to 19.0 #1222 no CI data
base_optional_quick_create-hda OCA/server-ux [19.0][MIG] base_optional_quick_create #1239 no CI data
base_repair_config OCA/repair [19.0] [MIG] base_repair_config #150 no CI data
base_report_to_printer_mail OCA/report-print-send [19.0][MIG] base_report_to_printer_mail: Migration to 19.0 #440 no CI data
base_rest OCA/rest-framework [19.0] [MIG] base_rest: Migration to 19.0 #613 no CI data
base_sequence_option OCA/server-tools [19.0][MIG] base_sequence_option #3514 no CI data
base_sparse_field_list_support OCA/server-tools [19.0][MIG] base_sparse_field_list_support: Migration to 19.0 #3656 no CI data
base_tier_validation OCA/server-ux [19.0][MIG] base_tier_validation: Migration to 19.0 #1253 no CI data
base_tier_validation_board OCA/tier-validation [19.0][MIG][ADD] base_tier_validation_board: migration to 19.0 #40 no CI data
base_tier_validation_formula OCA/server-ux [19.0][MIG] base_tier_validation_formula: Migration to 19.0 #1254 no CI data
base_transaction_id OCA/account-reconcile [19.0][MIG] base_transaction_id: Migration to 19.0 #986 no CI data
base_user_locale OCA/server-ux [19.0][MIG] base_user_locale #1247 no CI data
base_user_role_history OCA/server-backend [19.0][MIG] base_user_role_history: Migration to 19.0 #384 no CI data
base_user_role_profile OCA/server-backend [19.0][MIG] base_user_role_profile: Migration to v19 #442 no CI data
brand_external_report_layout OCA/brand [19.0] [MIG] brand_external_report_layout: Migration to 19.0 #311 no CI data
calendar_public_holiday-v2 OCA/calendar [19.0][MIG] calendar_public_holiday: Migration to 19.0 #186 no CI data
chained_swapper OCA/server-ux [19.0][MIG] chained_swapper: Migration to 19.0 #1297 no CI data
cmis OCA/connector-cmis [19.0][MIG] cmis: Migration to 19.0 #50 no CI data
commission_formula_oca OCA/commission [19.0][MIG] commission formula oca #679 no CI data
connector_base_product OCA/connector [19.0][MIG] connector_base_product: Migration to 19.0 #532 no CI data
contract_forecast OCA/contract [19.0][MIG] contract_forecast #1464 no CI data
contract_invoice_start_end_dates OCA/contract [19.0][MIG] contract_invoice_start_end_dates #1373 no CI data
contract_line_successor OCA/contract [19.0][MIG] contract_line_successor #1370 no CI data
contract_line_successor OCA/contract 19.0 [MIG] contract line successor #1334 no CI data
contract_membership_delegated_partner OCA/vertical-association [19.0][MIG] contract_membership_delegated_partner: Migration to 19.0 #228 no CI data
contract_price_revision OCA/contract [19.0][MIG] contract_price_revision #1450 no CI data
contract_refund_on_stop OCA/contract [19.0][MIG] contract_refund_on_stop #1369 no CI data
contract_sale_generation OCA/contract 19.0 [MIG] contract sale generation #1333 no CI data
contract_termination OCA/contract [19.0][MIG] contract_termination #1367 no CI data
contract_termination OCA/contract 19.0 [MIG] contract termination #1335 no CI data
contract_variable_qty_prorated OCA/contract [19.0][MIG] contract_variable_qty_prorated #1365 no CI data
crm_lead_firstname OCA/crm [19.0] [MIG] crm_lead_firstname: Migration to 19.0 #730 no CI data
crm_lead_product OCA/crm [MIG] [19.0] crm_lead_product: Migration to 19.0 #739 no CI data
crm_lead_to_opportunity_contact OCA/crm [19.0][MIG] crm_lead_to_opportunity_contact #755 no CI data
crm_lost_reason_multi_company OCA/multi-company [19.0][MIG] crm_lost_reason_multi_company: Migration to 19.0 #923 no CI data
crm_multicompany_reporting_currency OCA/crm [19.0][MIG] crm_multicompany_reporting_currency: migration to 19.0 #719 no CI data
crm_partner_required OCA/crm [19.0][MIG] crm_partner_required: Migration to 19.0 #745 no CI data
crm_salesperson_planner OCA/crm [19.0][MIG] crm_salesperson_planner: Migration to 19.0 #751 no CI data
crm_salesperson_planner_sale OCA/crm [19.0][MIG] crm_salesperson_planner_sale : Migration to 19.0 #752 no CI data
crm_security_group-BAD OCA/crm [19.0][MIG] crm_security_group: Migration to 19.0 #682 no CI data
crm_stage_multi_company OCA/multi-company [19.0] [MIG] crm_stage_multi_company: Migrate to 19.0 #989 no CI data
crm_stage_multi_company OCA/multi-company [19.0][MIG] crm_stage_multi_company: Migration to 19.0 #920 no CI data
crm_tag_multi_company OCA/multi-company [19.0][MIG] crm_tag_multi_company: Migration to 19.0 #921 no CI data
crm_tag_multi_company_sale OCA/multi-company [19.0][MIG] crm_tag_multi_company_sale #951 no CI data
cross_connect_client OCA/server-auth [MIG][19] cross_connect_client #965 no CI data
currency_rate_update_by_nbb OCA/l10n-belarus [MIG] currency_rate_update_nbrb: migration to 19.0 #14 no CI data
currency_rate_update_nbp OCA/l10n-poland [19.0][MIG] currency_rate_update_nbp #16 no CI data
currency_rate_update_wise OCA/currency [19.0][MIG] currency_rate_update_wise #232 no CI data
database_size OCA/server-tools [19.0][MIG] database_size: Migration to 19.0 #3632 no CI data
datamodel OCA/rest-framework [19.0] [MIG] datamodel: Migration to 19.0 #595 no CI data
dbfilter_from_header OCA/server-tools [19.0][MIG] dbfilter_from_header: migration to 19.0 #3629 no CI data
ddmrp_report_part_flow_index OCA/ddmrp [19.0][MIG] ddmrp_report_part_flow_index: Migration to 19.0 #618 no CI data
default_multi_user OCA/server-ux [19.0][MIG] default_multi_user: Migration to 19.0 #1296 no CI data
delivery_auto_refresh OCA/delivery-carrier [19.0][MIG] delivery_auto_refresh #1085 no CI data
delivery_carrier_city OCA/delivery-carrier [19.0][MIG] delivery_carrier_city: Migration to 19.0 #1112 no CI data
delivery_carrier_info OCA/delivery-carrier [19.0][MIG] delivery_carrier_info: Migration to 19.0 #1088 no CI data
delivery_carrier_shipping_label OCA/delivery-carrier [19.0][MIG] delivery_carrier_shipping_label: Migration to 19.0 #1090 no CI data
delivery_cttexpress OCA/delivery-carrier [19.0][MIG] delivery_cttexpress: Migration to 19.0 #1157 no CI data
delivery_gls_asm OCA/l10n-spain [19.0][MIG] delivery_gls_asm: Migration to 19.0 #4685 no CI data
delivery_sending OCA/delivery-carrier [19.0][MIG] delivery_sending: Migration to 19.0 #1153 no CI data
despatch_advice_import OCA/edi [19.0][MIG] despatch_advice_import: Migration to 19.0 #1332 no CI data
despatch_advice_import_ubl OCA/edi [19.0][MIG] despatch_advice_import_ubl: Migration to 19.0 #1334 no CI data
dms OCA/dms [19.0][MIG] dms: Migration to 19.0 #475 no CI data
dms_auto_classification OCA/dms [19.0][MIG] dms_auto_classification: Migration to 19.0 #485 no CI data
dms_field OCA/dms [19.0][MIG] dms_field: Migration to 19.0 #486 no CI data
dms_field_auto_classification OCA/dms [19.0][MIG] dms_field_auto_classification: Migration to 19.0 #487 no CI data
dms_user_role OCA/dms [19.0][MIG] dms_user_role: Migration to 19.0 #488 no CI data
document_page_access_group OCA/knowledge [19.0] [MIG] document_page_access_group: Migration to 19.0 #571 no CI data
document_page_access_group_user_role OCA/knowledge [19.0] [MIG] document_page_access_group_user_role: Migration to 19.0 #572 no CI data
document_page_approval OCA/knowledge [19.0][MIG] document_page_approval: Migration to 19.0 #627 no CI data
document_page_group OCA/knowledge [19.0] [MIG] document_page_group: Migration to 19.0 #574 no CI data
document_page_reference OCA/knowledge [19.0][MIG] document_page_reference: Migration to 19.0 #589 no CI data
document_page_tag OCA/knowledge [19.0] [MIG] document_page_tag: Migration to 19.0 #577 no CI data
edi_account_core_oca OCA/edi-framework [19.0][MIG] edi_account_core_oca #239 no CI data
edi_account_oca OCA/edi-framework [19.0][MIG] edi_account_oca #265 no CI data
edi_exchange_template_oca OCA/edi-framework [19.0][MIG] edi_exchange_template_oca: Migration to 19.0 #250 no CI data
edi_stock_oca OCA/edi-framework [19.0][MIG] edi_stock_oca: Migration to 19.0 #255 no CI data
edi_storage_oca OCA/edi-framework [19.0][MIG] edi_storage_oca: Migration to 19.0 #254 no CI data
excel_import_export OCA/server-tools [19.0][MIG] excel_import_export: Migration to 19.0 #3537 no CI data
fastapi_auth_api_key OCA/rest-framework [19.0][MIG] fastapi_auth_api_key: Migration to 19.0 #619 no CI data
fetchmail_attach_from_folder OCA/server-tools [19.0][MIG] fetchmail_attach_from_folder #3567 no CI data
fieldservice_route OCA/field-service [19.0][MIG] fieldservice_route: Migration to 19.0 #1552 no CI data
fieldservice_sale_agreement OCA/field-service [19.0][MIG] fieldservice_sale_agreement: Migration to 19.0 #1502 no CI data
filter_multi_user OCA/server-ux [19.0][MIG] filter_multi_user #1306 no CI data
fleet_vehicle_inspection_template OCA/fleet [MIG] fleet_vehicle_inspection_template: Migration to 19.0 #223 no CI data
fleet_vehicle_ownership OCA/fleet [19.0][MIG] fleet_vehicle_ownership: Migration to 19.0 #221 no CI data
fleet_vehicle_ownership OCA/fleet [19.0][MIG] fleet vehicle ownership: Migration to 19.0 #219 no CI data
fleet_vehicle_stock OCA/fleet 19.0 mig fleet vehicle stock #216 no CI data
geoengine_base_geolocalize OCA/geospatial [19.0][MIG] geoengine_base_geolocalize: Migration to 19.0 #451 no CI data
geoengine_partner OCA/geospatial [19.0][MIG] geoengine_partner: Migration to 19.0 #450 no CI data
github_connector OCA/interface-git [MIG] github_connector & github_connector_odoo: Migration to 19.0 #141 no CI data
helpdesk_mgmt OCA/helpdesk [19.0][MIG] helpdesk_mgmt: Migration to 19.0 #975 no CI data
helpdesk_mgmt_activity OCA/helpdesk [19.0][MIG] helpdesk_mgmt_activity: Migration to 19.0 #1045 no CI data
helpdesk_mgmt_assign_method OCA/helpdesk [19.0][MIG] helpdesk_mgmt_assign_method: migration to 19.0 #1040 no CI data
helpdesk_mgmt_fieldservice_equipment OCA/helpdesk [19.0][MIG] helpdesk_mgmt_fieldservice_equipment: Migration to 19.0 #1017 no CI data
helpdesk_mgmt_sla OCA/helpdesk [19.0][MIG] helpdesk_mgmt_sla: Migration to 19.0 #1012 no CI data
helpdesk_mgmt_stage_validation OCA/helpdesk [19.0][MIG] helpdesk_mgmt_stage_validation: Migration to 19.0 #1014 no CI data
helpdesk_mgmt_timesheet OCA/helpdesk [19.0][MIG] helpdesk_mgmt_timesheet: Migration to 19.0 #999 no CI data
helpdesk_motive OCA/helpdesk [19.0][MIG] helpdesk_motive: Migration to 19.0 #1016 no CI data
helpdesk_ticket_close_inactive OCA/helpdesk [19.0][MIG] helpdesk_ticket_close_inactive: Migration to 19.0 #1043 no CI data
helpdesk_ticket_partner_response OCA/helpdesk [19.0][MIG] helpdesk_ticket_partner_response: Migration to 19.0 #1044 no CI data
helpdesk_ticket_related OCA/helpdesk [19.0][MIG] helpdesk_ticket_related: Migration to 19.0 #1042 no CI data
helpdesk_timesheet_time_type OCA/helpdesk [19.0][MIG] helpdesk_timesheet_time_type: Migration to 19.0 #1013 no CI data
helpdesk_type_sla OCA/helpdesk [19.0][MIG] helpdesk_type_sla: Migration to 19.0 #1015 no CI data
hr-holidays-public-overtime OCA/hr-holidays [19.0][MIG] hr_holidays_public_overtime: migration to 19.0 #256 no CI data
hr_attendance_autoclose OCA/hr-attendance [19.0][MIG] hr_attendance_autoclose: Migration to 19.0 #252 no CI data
hr_attendance_reason OCA/hr-attendance 19.0 mig hr attendance reason #250 no CI data
hr_attendance_report_theoretical_time OCA/hr-attendance [19.0][MIG] hr_attendance_report_theoretical_time: Migration to 19.0 #283 no CI data
hr_commission_oca OCA/commission [19.0][MIG] hr_commission_oca #665 no CI data
hr_contract_employee_calendar_planning OCA/hr [19.0][MIG] hr_contract_employee_calendar_planning #1548 no CI data
hr_contract_reference OCA/hr [19.0] [MIG] hr_contract_reference: Migration to 19.0 #1534 no CI data
hr_dms_field OCA/dms [19.0][MIG] hr_dms_field: Migration to 19.0 #489 no CI data
hr_employee_age-BAD OCA/hr [19.0][MIG] hr_employee_age: Migration to 19.0 #1503 no CI data
hr_employee_birthday_mail-BAD OCA/hr [19.0][MIG] hr_employee_birthday_mail: Migration to 19.0 #1511 no CI data
hr_employee_cost_history OCA/timesheet [MIG] hr_employee_cost_history : Migration to 19.0. #914 no CI data
hr_employee_cost_history-BAD OCA/timesheet [19.0][MIG] hr_employee_cost_history: Migration to 19.0 #835 no CI data
hr_employee_document OCA/hr [19.0] [MIG] hr_employee_document: Migration to 19.0 #1587 no CI data
hr_employee_id-BAD OCA/hr [19.0][MIG] hr_employee_id: Migration to 19.0 #1509 no CI data
hr_employee_phone_extension OCA/hr [19.0][MIG] hr_employee_phone_extension #1576 no CI data
hr_employee_ppe OCA/hr [19.0] [MIG] hr_employee_ppe: Migration to 19.0 #1531 no CI data
hr_employee_service OCA/hr [19.0][MIG] hr_employee_service: Migration to 19.0 #1584 no CI data
hr_employee_service OCA/hr 19.0 mig hr employee service #1578 no CI data
hr_expense_advance_clearing OCA/hr-expense [19.0][MIG] hr_expense_advance_clearing: Migration to 19.0 #358 no CI data
hr_expense_advance_clearing_sequence OCA/hr-expense [19.0][MIG] hr_expense_advance_clearing_sequence: Migration to 19.0 #359 no CI data
hr_expense_cancel OCA/hr-expense [19.0][MIG] hr_expense_cancel: Migration to 19.0 #356 no CI data
hr_expense_employee_analytic_default OCA/hr-expense [19.0][MIG] hr_expense_employee_analytic_default: Migration to 19.0 #350 no CI data
hr_expense_employee_payment OCA/hr-expense [19.0][MIG] hr_expense_employee_payment #362 no CI data
hr_expense_invoice OCA/hr-expense [19.0][MIG] hr_expense_invoice #373 no CI data
hr_expense_payment OCA/hr-expense [19.0][MIG] hr_expense_payment: Migration to 19.0 #355 no CI data
hr_expense_sequence OCA/hr-expense [19.0][MIG] hr_expense_sequence: Migration to 19.0 #353 no CI data
hr_expense_sequence_option OCA/hr-expense [19.0][MIG] hr_expense_sequence_option: Migration to 19.0 #354 no CI data
hr_expense_tax_distribution OCA/hr-expense [19.0][MIG] hr_expense_tax_distribution: Migration to 19.0 #351 no CI data
hr_expense_tier_validation OCA/tier-validation [19.0][MIG] hr_expense_tier_validation: Migration to 19.0 #51 no CI data
hr_holidays_leave_repeated OCA/hr-holidays [19.0][MIG] hr_holidays_leave_repeated: Migration to 19.0 #258 no CI data
hr_holidays_settings-BAD OCA/hr-holidays [19.0][MIG] hr_holidays_settings: Migration to 19.0 #222 no CI data
hr_job_category OCA/hr [19.0] [MIG] hr_job_category: Migration to 19.0 #1533 no CI data
hr_personal_equipment_request OCA/hr [19.0] [MIG] hr_personal_equipment_request: Migration to 19.0 #1530 no CI data
hr_professional_category OCA/hr [19.0] [MIG] hr_professional_category: Migration to 19.0 #1532 no CI data
hr_shift OCA/shift-planning [19.0][MIG] hr_shift: Migration to 19.0 #38 no CI data
hr_timesheet_amount_security OCA/timesheet [19.0][MIG] hr_timesheet_amount_security #938 no CI data
hr_timesheet_calendar-BAD OCA/timesheet [19.0][MIG] hr_timesheet_calendar: Migration to 19.0 #842 no CI data
hr_timesheet_date_order_desc OCA/timesheet [19.0] [MIG] hr_timesheet_date_order_desc : Migration to 19.0. #939 no CI data
hr_timesheet_name_customer OCA/timesheet [19.0] [MIG] hr_timesheet_name_customer : Migration to 19.0. #925 no CI data
hr_timesheet_portal OCA/timesheet [19.0][MIG] hr_timesheet_portal: Migration to 19.0 #878 no CI data
hr_timesheet_report OCA/timesheet [19.0][MIG] hr_timesheet_report: Migration to 19.0 #919 no CI data
hr_timesheet_sheet OCA/timesheet [19.0][MIG] hr_timesheet_sheet: Migration to 19.0 #941 no CI data
hr_timesheet_sheet-BAD OCA/timesheet [19.0][MIG] hr_timesheet_sheet: Migration to 19.0 #841 no CI data
hr_timesheet_sheet_autodraft OCA/timesheet [19.0][MIG] hr_timesheet_sheet_autodraft: Migration to 19.0 #920 no CI data
hr_timesheet_sheet_policy_project_manager OCA/timesheet [19.0][MIG] hr_timesheet_sheet_policy_project_manager: Migration to 19.0 #921 no CI data
hr_timesheet_task_domain-BAD OCA/timesheet [19.0][MIG] hr_timesheet_task_domain: Migration to 19.0 #826 no CI data
hr_timesheet_time_type-BAD OCA/timesheet [19.0][MIG] hr_timesheet_time_type: Migration to 19.0 #824 no CI data
hr_timesheet_type_non_billable OCA/timesheet [19.0][MIG] hr_timesheet_type_non_billable: Migration to 19.0 #922 no CI data
html_text OCA/server-tools [19.0][MIG] html_text: Migration to 19.0 #3653 no CI data
import_processor OCA/server-tools 19.0 mig import processor #3542 no CI data
intrastat_product_hscodes_import OCA/intrastat-extrastat [19.0][MIG] intrastat_product_hscodes_import #332 no CI data
ir_filters_multi_company OCA/multi-company [19.0][MIG] ir_filters_multi_company: Migration to 19.0 #922 no CI data
jsonifier OCA/server-tools [19.0][MIG] jsonifier: Migration to 19.0 #3518 no CI data
l10n-es-atc OCA/l10n-spain [19.0][MIG] l10n_es_atc: Migration to 19.0 #5023 no CI data
l10n_be_intrastat_product OCA/l10n-belgium [19.0][MIG] l10n_be_intrastat_product: Migration to 19.0 #277 no CI data
l10n_be_mis_reports OCA/l10n-belgium [19.0] [MIG] l10n_be_mis_reports #280 no CI data
l10n_be_partner_identification OCA/l10n-belgium [19.0][MIG] l10n_be_partner_identification #276 no CI data
l10n_br_base_l10n_br_compat OCA/l10n-brazil [19.0][MIG] l10n_br_base_l10n_br_compat: Migration to 19.0 #4551 no CI data
l10n_br_coa_generic OCA/l10n-brazil [19.0][MIG] l10n_br_coa_generic #4605 no CI data
l10n_br_coa_simple OCA/l10n-brazil [19.0][MIG] l10n_br_coa_simple #4606 no CI data
l10n_br_fiscal OCA/l10n-brazil [19.0][MIG] l10n_br_fiscal: Migration to 19.0 #4552 no CI data
l10n_br_fiscal_certificate OCA/l10n-brazil [19.0][MIG] l10n_br_fiscal_certificate: Migration to 19.0 #4553 no CI data
l10n_br_mis_report OCA/l10n-brazil [19.0][MIG] l10n_br_mis_report #4607 no CI data
l10n_br_stock OCA/l10n-brazil [19.0][MIG] l10n_br_stock: Migration to 19.0 #4546 no CI data
l10n_by OCA/l10n-belarus [MIG] l10n_by: migration to 19.0 #15 no CI data
l10n_by_bank OCA/l10n-belarus [MIG] l10n_by, l10n_by_bank: migration to 19.0 #16 no CI data
l10n_es_account_asset OCA/l10n-spain [19.0][MIG] l10n_es_account_asset #5055 no CI data
l10n_es_aeat_mod303_vat_prorate OCA/l10n-spain [19.0][MIG] l10n_es_aeat_mod303_vat_prorate: Migration to 19.0 #4908 no CI data
l10n_es_cnae OCA/l10n-spain [MIG] l10n_es_cnae: Migration to Odoo 19.0 #4803 no CI data
l10n_es_facturae_face OCA/l10n-spain [19.0][MIG] l10n_es_facturae_face #4882 no CI data
l10n_es_pos_oca OCA/l10n-spain [MIG] l10n_es_pos_oca: Migration to Odoo 19.0 #4804 no CI data
l10n_es_vat_prorate OCA/l10n-spain [19.0][MIG] l10n_es_vat_prorate: Migration to 19.0 #4907 no CI data
l10n_fi_mis_templates OCA/l10n-finland [MIG] l10n_fi_mis_templates: Migration to 19.0 #108 no CI data
l10n_fr_fec_oca OCA/l10n-france [19.0][MIG] l10n_fr_fec_oca: Migration to 19.0 #783 no CI data
l10n_fr_intrastat_product-second OCA/l10n-france [19.0][MIG] l10n_fr_intrastat_product: Migration to 19.0 #771 no CI data
l10n_fr_mis_reports OCA/l10n-france [19.0][MIG] l10n_fr_mis_reports: Migration to 19.0 #785 no CI data
l10n_fr_siret OCA/l10n-france [19.0][MIG] l10n_fr_siret: Migration to 19.0 #770 no CI data
l10n_fr_siret_lookup OCA/l10n-france [19.0] [MIG] l10n_fr_siret_lookup: Migration to 19.0 #761 no CI data
l10n_it_accompanying_invoice OCA/l10n-italy [19.0][MIG] l10n_it_accompanying_invoice: Migration to 19.0 #5068 no CI data
l10n_it_account OCA/l10n-italy [19.0][MIG] l10n_it_account: Migration to 19.0 #5072 no CI data
l10n_it_account_invoice_start_end_dates OCA/l10n-italy [19.0][MIG] l10n_it_account_invoice_start_end_dates: Migration to 19.0 #5111 no CI data
l10n_it_account_stamp OCA/l10n-italy [19.0][MIG] l10n_it_account_stamp: Migration to 19.0 #5069 no CI data
l10n_it_account_vat_period_end_settlement OCA/l10n-italy [19.0][MIG] l10n_it_account_vat_period_end_settlement: Migration to 19.0 #5071 no CI data
l10n_it_amount_to_text OCA/l10n-italy [19.0][MIG] l10n_it_amount_to_text: Migration to 19.0 #5122 no CI data
l10n_it_appointment_code OCA/l10n-italy [19.0][MIG] l10n_it_appointment_code: Migration to 19.0 #5073 no CI data
l10n_it_asset_management OCA/l10n-italy [19.0][MIG] l10n_it_asset_management: Migration to 19.0 #5074 no CI data
l10n_it_bill_of_entry OCA/l10n-italy [19.0][MIG] l10n_it_bill_of_entry: Migration to 19.0 #5076 no CI data
l10n_it_central_journal_reportlab OCA/l10n-italy [19.0][MIG] l10n_it_central_journal_reportlab: Migration to 19.0 #5077 no CI data
l10n_it_currency_rate_update_boi OCA/l10n-italy [19.0][MIG] l10n_it_currency_rate_update_boi: Migration to 19.0 #5078 no CI data
l10n_it_delivery_note OCA/l10n-italy [19.0][MIG] l10n_it_delivery_note: Migration to 19.0 #5081 no CI data
l10n_it_delivery_note_batch OCA/l10n-italy [19.0][MIG] l10n_it_delivery_note_batch: Migration to 19.0 #5079 no CI data
l10n_it_delivery_note_customer_code OCA/l10n-italy [19.0][MIG] l10n_it_delivery_note_customer_code: Migration to 19.0 #5213 no CI data
l10n_it_delivery_note_order_link OCA/l10n-italy [19.0][MIG] l10n_it_delivery_note_order_link: Migration to 19.0 #5080 no CI data
l10n_it_edi_doi_extension OCA/l10n-italy [19.0][MIG] l10n_it_edi_doi_extension: Migration to 19.0 #5082 no CI data
l10n_it_edi_extension OCA/l10n-italy [19.0][MIG] l10n_it_edi_extension: Migration to 19.0 #5083 no CI data
l10n_it_edi_pec OCA/l10n-italy [19.0] [MIG] l10n_it_edi_pec: Migration to 19.0 #5218 no CI data
l10n_it_edi_related_document OCA/l10n-italy [19.0][MIG] l10n_it_edi_related_document: Migration to 19.0 #5084 no CI data
l10n_it_edi_sdi OCA/l10n-italy [19.0] [MIG] l10n_it_edi_sdi: Migration to 19.0 #5217 no CI data
l10n_it_edi_sender_partner OCA/l10n-italy [19.0][MIG] l10n_it_edi_sender_partner: Migration to 19.0 #5140 no CI data
l10n_it_financial_statement_eu OCA/l10n-italy [19.0][MIG] l10n_it_financial_statement_eu: Migration to 19.0 #5085 no CI data
l10n_it_financial_statements_report OCA/l10n-italy [19.0][MIG] l10n_it_financial_statements_report: Migration to 19.0 #5086 no CI data
l10n_it_fiscalcode_sale OCA/l10n-italy [19.0][MIG] l10n_it_fiscalcode_sale: Migration to 19.0 #5087 no CI data
l10n_it_intrastat OCA/l10n-italy [19.0][MIG] l10n_it_intrastat_oca: Migration to 19.0 #5089 no CI data
l10n_it_intrastat OCA/l10n-italy [19.0] porting l10n_it_intrastat #5031 no CI data
l10n_it_intrastat_statement OCA/l10n-italy [19.0][MIG] l10n_it_intrastat_statement_oca: Migration to 19.0 #5088 no CI data
l10n_it_location_nuts OCA/l10n-italy [19.0][MIG] l10n_it_location_nuts: Migration to 19.0 #5098 no CI data
l10n_it_riba_oca OCA/l10n-italy [19.0][MIG] l10n_it_riba_oca: Migration to 19.0 #5090 no CI data
l10n_it_vat_registries OCA/l10n-italy [19.0][MIG] l10n_it_vat_registries: Migration to 19.0 #5091 no CI data
l10n_it_vat_settlement_communication OCA/l10n-italy [19.0][MIG] l10n_it_vat_settlement_communication: Migration to 19.0 #5092 no CI data
l10n_it_vat_settlement_date OCA/l10n-italy [19.0][MIG] l10n_it_vat_settlement_date: Migration to 19.0 #5093 no CI data
l10n_jp_summary_invoice OCA/l10n-japan [19.0][MIG] l10n_jp_summary_invoice: Migration to 19.0 #124 no CI data
l10n_jp_summary_invoice_carryover OCA/l10n-japan [19.0][MIG] l10n_jp_summary_invoice_carryover: Migration to 19.0 #133 no CI data
l10n_mx_cfdi_comex OCA/l10n-mexico [19.0][ADD] l10n_mx_cfdi_comex #102 no CI data
l10n_mx_cfdi_waybill OCA/l10n-mexico [19.0][ADD] l10n_mx_cfdi_waybill #101 no CI data
l10n_mx_sat OCA/l10n-mexico [19.0][MIG] l10n_mx_sat: Migration to 19.0 #95 no CI data
l10n_pt_stock_vehicle_daily OCA/l10n-portugal [19.0][MIG] l10n_pt_stock_vehicle_daily: Migration from 14.0 to 19.0 #148 no CI data
l10n_th_account_tax OCA/l10n-thailand [19.0][MIG] l10n_th_account_tax: Migration to 19.0 #578 no CI data
l10n_th_account_tax_report OCA/l10n-thailand [19.0][MIG] l10n_th_account_tax_report: Migration to 19.0 #583 no CI data
l10n_th_account_wht_cert_form OCA/l10n-thailand [19.0][MIG] l10n_th_account_wht_cert_form: Migration to 19.0 #582 no CI data
l10n_th_base_utils OCA/l10n-thailand [19.0][MIG] l10n_th_base_utils: Migration to 19.0 #577 no CI data
l10n_th_mis_report OCA/l10n-thailand [19.0][MIG] l10n_th_mis_report: Migration to 19.0 #579 no CI data
l10n_th_partner OCA/l10n-thailand [19.0][MIG] l10n_th_partner: Migration to 19.0 #575 no CI data
l10n_th_tier_department OCA/l10n-thailand [19.0][MIG] l10n_th_tier_department: Migration to 19.0 #580 no CI data
l10n_th_tier_department_demo OCA/l10n-thailand [19.0][MIG] l10n_th_tier_department_demo: Migration to 19.0 #581 no CI data
l10n_us_account_routing OCA/l10n-usa [19.0][MIG] l10n_us_account_routing: Migration to 19.0 #176 no CI data
l10n_us_crm_county OCA/l10n-usa [19.0][MIG] l10n_us_crm_county: Migration to 19.0 #175 no CI data
l10n_us_mis_financial_report OCA/l10n-usa [19.0][MIG] l10n_us_mis_financial_report: Migration to 19.0 #180 no CI data
l10n_us_partner_legal_number OCA/l10n-usa [19.0][MIG] l10n_us_partner_legal_number: Migration to 19.0 #177 no CI data
log-modules OCA/rest-framework [19.0][MIG] api_log, api_log_mail, fastapi_log, fastapi_log_mail: Migration to 19.0 #616 no CI data
loyalty_criteria_multi_product OCA/sale-promotion [19.0] [MIG] loyalty_criteria_multi_product: Migration to 19.0 #314 no CI data
loyalty_incompatibility OCA/sale-promotion [19.0] [MIG] loyalty_incompatibility: Migration to 19.0 #317 no CI data
loyalty_limit OCA/sale-promotion [19.0][MIG] loyalty_limit: Migration to 19.0 #324 no CI data
loyalty_mass_mailing OCA/sale-promotion [19.0][MIG] loyalty_mass_mailing: Migration to 19.0 #330 no CI data
loyalty_multi_gift OCA/sale-promotion [19.0][MIG] loyalty_multi_gift: Migration to 19.0 #333 no CI data
loyalty_multi_gift OCA/sale-promotion [19.0] [MIG] loyalty_multi_gift: Migration to 19.0 #315 no CI data
loyalty_partner_applicability OCA/sale-promotion [19.0][MIG] loyalty_partner_applicability: Migration to 19.0 #325 no CI data
loyalty_program_chatter OCA/sale-promotion [19.0][MIG] loyalty_program_chatter: Migration to 19.0 #326 no CI data
mail OCA/edi-framework [19.0][MIG] edi_mail_import_oca #229 no CI data
mail_activity_done OCA/mail [19.0][MIG] mail_activity_done: Migration to 19.0 #198 no CI data
mail_activity_future_counter OCA/mail [19.0][MIG] mail_activity_future_counter: Migration to 19.0 #227 no CI data
mail_activity_restrict OCA/mail [19.0][MIG] mail_activity_restrict: Migration to 19.0 #169 no CI data
mail_activity_team_restrict OCA/mail [19.0][MIG] mail_activity_team_restrict: Migration to 19.0 #170 no CI data
mail_attach_existing_attachment_account OCA/mail [19.0][MIG] mail_attach_existing_attachment_account: Migration to 19.0 #174 no CI data
mail_autogenerated_header OCA/mail [19.0][MIG] mail_autogenerated_header: Migration to 19.0 #179 no CI data
mail_chatter_split OCA/mail [19.0][MIG] mail_chatter_split: Migration to 19.0 #226 no CI data
mail_cleanup OCA/server-tools [19.0][MIG] mail_cleanup: Migration to 19.0 #3618 no CI data
mail_composer_cc_bcc OCA/mail [19.0][MIG] mail_composer_cc_bcc: Migration to 19.0 #189 no CI data
mail_gateway OCA/mail [MIG] mail_gateway: Migration to 19.0 #202 no CI data
mail_gateway_whatsapp OCA/mail [MIG] mail_gateway_whatsapp: Migration to 19.0 #203 no CI data
mail_history_mark_unread OCA/social [19.0][MIG] mail_history_mark_unread: Migration to 19.0 #1882 no CI data
mail_layout_preview OCA/mail [19.0][MIG] mail_layout_preview: Migration to 19.0 #181 no CI data
mail_no_user_assign_notification OCA/mail [19.0][MIG] mail_no_user_assign_notification: Migration to 19.0 #180 no CI data
mail_notification_custom_subject OCA/mail [19.0][MIG] mail_notification_custom_subject: Migration to 19.0 #221 no CI data
mail_notification_sound_volume OCA/mail [19.0][MIG] mail_notification_sound_volume: Migration to 19.0 #229 no CI data
mail_notify_employee_leave OCA/mail [19.0][MIG] mail_notify_employee_leave: Migration to 19.0 #228 no CI data
mail_optional_follower_notification OCA/mail [MIG] mail_optional_follower_notification: Migration to 19.0 #210 no CI data
mail_quoted_reply OCA/mail 19.0 mig mail quoted reply #151 no CI data
mail_reply_stage OCA/social [19.0][MIG] mail_reply_stage: Migration to 19.0 #1767 no CI data
mail_restrict_follower_selection OCA/mail [19.0][MIG] mail_restrict_follower_selection: Migration to 19.0 #150 no CI data
mail_sent_history OCA/mail [19.0][MIG] mail_sent_history: Migration to 19.0 #230 no CI data
mail_show_follower OCA/mail [19.0][MIG] mail_show_follower: Migration to 19.0 #197 no CI data
mail_template_multi_company OCA/multi-company [19.0] [MIG] mail_template_multi_company : Migration to 19.0 #990 no CI data
mail_template_substitute OCA/mail [19.0][MIG] mail_template_substitute: Migration to 19.0 #171 no CI data
mail_tracking_mailgun OCA/mail [19.0][MIG] mail_tracking_mailgun #154 no CI data
mail_tracking_mass_mailing OCA/mail [19.0][MIG] mail_tracking_mass_mailing: Migration to 19.0 #139 no CI data
maintenance_equipment_contract OCA/maintenance [19.0][MIG] maintenance_equipment_contract: Migration to 19.0 #569 no CI data
maintenance_equipment_hierarchy OCA/maintenance [19.0][MIG] maintenance_equipment_hierarchy #566 no CI data
maintenance_stock OCA/maintenance [19.0][MIG] maintenance_stock #567 no CI data
mass_mailing_multi_company OCA/multi-company [19.0][MIG] mass_mailing_multi_company #950 no CI data
membership OCA/vertical-association [19.0][ADD+MIG] membership: Migration to 19.0 #224 no CI data
membership_delegated_partner OCA/vertical-association [19.0][MIG] membership_delegated_partner: Migration to 19.0 #225 no CI data
mercury OCA/bank-statement-import [19.0][ADD] account_statement_import_online_mercury #952 no CI data
misc_settings OCA/server-ux [19.0][MIG] migration misc_settings : add a custom settings section #1308 no CI data
module_analysis OCA/server-tools [19.0][MIG] module_analysis: Migration to 19.0 #3631 no CI data
mrp_bom_attribute_match OCA/manufacture [19.0][MIG] mrp_bom_attribute_match: Migration to 19.0. #1632 no CI data
mrp_bom_current_stock OCA/manufacture-reporting [19.0][MIG] mrp_bom_current_stock: Migration to 19.0 #153 no CI data
mrp_bom_line_formula_quantity OCA/manufacture [19.0][MIG] mrp_bom_line_formula_quantity: Migration to 19.0 #1786 no CI data
mrp_bom_matrix_report OCA/manufacture-reporting [19.0][MIG] mrp_bom_matrix_report: Migration to 19.0 #154 no CI data
mrp_bom_structure_xlsx OCA/manufacture-reporting [19.0][MIG] mrp_bom_structure_xlsx: Migration to 19.0 #151 no CI data
mrp_bom_structure_xlsx_level_1 OCA/manufacture-reporting [19.0] [MIG] mrp_bom_structure_xlsx_level_1: Migration to 19.0 #155 no CI data
mrp_flattened_bom_xlsx OCA/manufacture-reporting [19.0][MIG] mrp_flattened_bom_xlsx: Migration to 19.0 #152 no CI data
mrp_multi_level_estimate OCA/manufacture [19.0][MIG] mrp_multi_level_estimate #1772 no CI data
mrp_production_allow_recursive OCA/manufacture [19.0][MIG] mrp_production_allow_recursive #1758 no CI data
mrp_production_unique_lot OCA/manufacture [19.0][MIG] mrp_production_unique_lot #1734 no CI data
mrp_subcontracting_resupply_status OCA/manufacture [19.0][MIG] mrp_subcontracting_resupply_status #1703 no CI data
mrp_subcontracting_skip_no_negative OCA/manufacture [19.0][MIG] mrp_subcontracting_skip_no_negative: Migration to 19.0 #1825 no CI data
mrp_workorder_last_worker OCA/manufacture [19.0][MIG] mrp_workorder_last_worker #1708 no CI data
multi_step_wizard OCA/server-ux [19.0][MIG] multi_step_wizard: Migration to 19.0 #1218 no CI data
multicompany_configuration OCA/multi-company [19.0][MIG] multicompany_configuration #912 no CI data
oauth_provider OCA/server-auth [WIP][MIG] oauth_provider: Migration to 19.0 #853 no CI data
odoo_test_xmlrunner OCA/server-tools [MIG] odoo_test_xmlrunner: Migration to 19.0 #3598 no CI data
partner_accreditation OCA/partner-contact [19.0][MIG] partner_accreditation: Migration to 19.0 #2213 no CI data
partner_address_format_domestic OCA/partner-contact [19.0][MIG] partner_address_format_domestic: Migration to 19.0 #2345 no CI data
partner_address_split OCA/partner-contact [19.0] [MIG] partner_address_split : Migration to 19.0. #2386 no CI data
partner_bank_code OCA/partner-contact [19.0][MIG] partner_bank_code: Migration to 19.0 #2390 no CI data
partner_brand OCA/brand [19.0][MIG] partner_brand: Migration to 19.0 #302 no CI data
partner_brand OCA/brand [19.0][MIG] partner_brand: Migration to 19.0 #280 no CI data
partner_capital OCA/partner-contact [19.0][MIG] partner_capital: Migration to 19.0 #2177 no CI data
partner_category_multi_company OCA/multi-company [19.0][MIG] partner_category_multi_company #937 no CI data
partner_category_multi_company OCA/multi-company [19.0][MIG] partner_category_multi_company: Migration to 19.0 #919 no CI data
partner_category_type OCA/partner-contact [19.0] partner_category_type: Migration to 19.0 #2402 no CI data
partner_category_type OCA/partner-contact [19.0] [MIG] partner_category_type : Migration to v19. #2366 no CI data
partner_category_type OCA/partner-contact [19.0][MIG] partner_category_type: Migration to 19.0 #2169 no CI data
partner_contact_age_range OCA/partner-contact [19.0][MIG] partner_contact_age_range: Migration to 19.0 #2399 no CI data
partner_contact_in_several_companies OCA/partner-contact [19.0][MIG] partner_contact_in_several_companies: Migration to 19.0 #2387 no CI data
partner_contact_tags_in_popup OCA/partner-contact [19.0][MIG] partner_contact_tags_in_popup: Migration to 19.0 #2355 no CI data
partner_contact_type_end_user OCA/partner-contact [19.0] [MIG] partner_contact_type_end_user : Migration to 19.0. #2385 no CI data
partner_delivery_zone_calendar-hda OCA/delivery-carrier [19.0][MIG] partner_delivery_zone_calendar #1185 no CI data
partner_duns-BAD OCA/partner-contact [19.0][MIG] partner_duns: Migration to 19.0 #2255 no CI data
partner_external_map OCA/partner-contact [19.0] [MIG] partner_external_map : Migration to 19.0. #2371 no CI data
partner_firstname_portal OCA/partner-contact [19.0][MIG] partner_firstname_portal #2368 no CI data
partner_identification_notification OCA/partner-contact [19.0][MIG] partner_identification_notification #2216 no CI data
partner_industry_parent OCA/partner-contact [19.0] [MIG] partner_industry_parent : Migration to 19.0. #2381 no CI data
partner_interest_group OCA/partner-contact [19.0][mig] partner_interest_group #2362 no CI data
partner_is_company_auth_signup OCA/partner-contact [19.0] [MIG] partner_is_company_auth_signup : Migration to 19.0. #2370 no CI data
partner_label OCA/partner-contact [19.0][MIG] partner_label: Migration to 19.0 #2388 no CI data
partner_middlename OCA/partner-contact [19.0][MIG] partner_middlename #2360 no CI data
partner_pricelist_tracking OCA/partner-contact [19.0] [MIG] partner_pricelist_tracking : Migration to 19.0. #2380 no CI data
partner_property OCA/partner-contact [19.0][MIG] partner_property: Migration to 19.0 #2358 no CI data
partner_purchase_manager OCA/partner-contact [19.0] [MIG] partner_purchase_manager: Migration to 19.0. #2365 no CI data
partner_rank_single OCA/partner-contact [19.0] [MIG] partner_rank_single : Migration to 19.0. #2369 no CI data
partner_readonly_security OCA/partner-contact [19.0][MIG] partner_readonly_security: Migration to 19.0 #2282 no CI data
partner_repair_button OCA/repair [19.0][MIG] partner_repair_button #165 no CI data
partner_repair_button OCA/repair [19.0][MIG] partner_repair_button: Migration to 19.0 #143 no CI data
partner_search_alias OCA/partner-contact [19.0][MIG] partner_search_alias: Migration to 19.0 #2306 no CI data
partner_second_lastname OCA/partner-contact [19.0][MIG] partner_second_lastname: Migration to 19.0 #2207 no CI data
partner_stage_only_confirmed OCA/partner-contact [19.0][MIG] partner_stage_only_confirmed #2217 no CI data
partner_street_city_search OCA/partner-contact [19.0][MIG] partner_street_city_search: Migration to 19.0 #2389 no CI data
partner_subject_to_vat OCA/partner-contact [19.0] [MIG] partner_subject_to_vat : Migration to 19.0 #2379 no CI data
partner_supplier_ref_sequence OCA/partner-contact [19.0][MIG] partner_supplier_ref_sequence #2289 no CI data
partner_survey OCA/survey [19.0][MIG] partner_survey #220 no CI data
partner_time_to_pay OCA/account-invoice-reporting [19.0][MIG] partner_time_to_pay: Migration to 19.0 #423 no CI data
password_security OCA/server-auth [19.0][MIG] password_security: Migration from 18.0 to 19.0 #910 no CI data
password_security-BAD OCA/server-auth [19.0][MIG] password_security: Migration to 19.0 #855 no CI data
payment_easypay OCA/l10n-portugal [MIG] payment_easypay: Migration to 19.0 #165 no CI data
payroll_account OCA/payroll [19.0] [MIG] payroll_account: Migration to 19.0 #269 no CI data
payroll_account OCA/payroll [19.0][MIG] payroll_account: Migration to 19.0 #260 no CI data
plaid OCA/bank-statement-import [19.0][MIG] account_statement_import_online_plaid #951 no CI data
pms_website OCA/pms [FIX] pms_website: remove undefined no_of_guests from property template #429 no CI data
pms_website_sale OCA/pms [19.0][MIG] pms_website_sale: Migration to 19.0 #428 no CI data
portal_sale_order_search OCA/sale-workflow [19.0][MIG] portal_sale_order_search: Migration to 19.0 #4276 no CI data
pos_barcode_rule_priced_with_change_rate OCA/pos [MIG] pos_barcode_rule_priced_with_change_rate: Migration to 19.0 #1553 no CI data
pos_config_logo OCA/pos [19.0] [MIG] pos_config_logo: Migration to 19.0 #1534 no CI data
pos_display_order_number OCA/pos [19.0][MIG] pos_display_order_number: Migration to 19.0 #1560 no CI data
pos_divide_order_summary OCA/pos [19.0][MIG] pos_divide_order_summary: Migration to 19.0 #1558 no CI data
pos_financial_risk OCA/pos [19.0][MIG] pos_financial_risk #1464 no CI data
pos_lot_barcode OCA/pos [MIG] pos_lot_barcode: Migration to 19.0 #1465 no CI data
pos_order_remove_line-oca OCA/pos [19.0][MIG] pos_order_remove_line: Migration to 19.0 #1555 no CI data
pos_order_to_sale_order-hda OCA/pos [19.0][MIG] pos_order_to_sale_order #1484 no CI data
pos_product_display_default_code OCA/pos [19.0][MIG] pos_product_display_default_code #1462 no CI data
pos_product_multi_barcode OCA/pos [19.0][MIG] pos_product_multi_barcode: Migration to 19.0 #1579 no CI data
pos_sale_picking_keep OCA/pos [19.0][MIG] pos_sale_picking_keep #1576 no CI data
pos_sale_product_config_no_variant OCA/pos [19.0][MIG] pos_sale_product_config_no_variant : Migration to 19.0 #1540 no CI data
pos_stock_available_online OCA/pos [19.0][MIG]: pos_stock_available_online #1567 no CI data
pricelist_brand OCA/brand [19.0][MIG]: pricelist_brand #297 no CI data
printer_zpl2 OCA/report-print-send [19.0][MIG] printer_zpl2 #466 no CI data
printing_auto_base OCA/report-print-send [19.0][MIG] printing_auto_base #437 no CI data
printing_auto_stock_picking OCA/stock-logistics-reporting [19.0][MIG] printing_auto_stock_picking #459 no CI data
privacy_partner_to_be_forgotten OCA/data-protection [19.0][MIG] privacy_partner_to_be_forgotten #94 no CI data
procurement_purchase_sale_no_grouping OCA/purchase-workflow [19.0][MIG] procurement_purchase_sale_no_grouping #3111 no CI data
product_abc_classification-BAD OCA/product-attribute [19.0][MIG] product_abc_classification: Migration to 19.0 #2188 no CI data
product_analytic OCA/account-analytic [19.0][MIG] product_analytic : Migration to 19.0 #912 no CI data
product_assortment-BAD OCA/product-attribute [19.0][MIG] product_assortment: Migration to 19.0 #2124 no CI data
product_assortment_supersede OCA/product-attribute [19.0][MIG]: product_assortment #2298 no CI data
product_attachment_zipped_download OCA/product-attribute [19.0][MIG] product_attachment_zipped_download: Migration to 19.0 #2281 no CI data
product_attribute_value_menu-BAD OCA/product-attribute [19.0][MIG] product_attribute_value_menu: Migration to 19.0 #2187 no CI data
product_barcode_required OCA/product-attribute [19.0][MIG] product_barcode_required: Migration to 19.0 #2282 no CI data
product_brand_purchase OCA/brand [19.0][MIG] product_brand_purchase: Migration to 19.0 #291 no CI data
product_brand_tag OCA/brand [19.0][MIG] product_brand_tag: Migration to 19.0 #306 no CI data
product_catalog_stock OCA/product-attribute [19.0][MIG] product_catalog_stock: Migration to 19.0 #2285 no CI data
product_category_company OCA/multi-company [19.0][MIG] product_category_company #947 no CI data
product_category_name_translatable-BAD OCA/product-attribute [19.0][MIG] product_category_name_translatable: Migration to 19.0 #2082 no CI data
product_category_product_link-BAD OCA/product-attribute [19.0][MIG] product_category_product_link: Migration to 19.0 #2083 no CI data
product_category_tag-BAD OCA/product-attribute [19.0][MIG] product_category_tag: Migration to 19.0 #2084 no CI data
product_category_tax OCA/account-financial-tools [19.0][MIG] product_category_tax: Migration to 19.0 #2272 no CI data
product_code_mandatory OCA/product-attribute [19.0][MIG] product_code_mandatory: Migration to 19.0 #2125 no CI data
product_configurator OCA/product-configurator [19.0][MIG] product_configurator: Migration to 19.0. #168 no CI data
product_configurator_mrp OCA/product-configurator [19.0][MIG] product_configurator_mrp: Migration to 19.0. #177 no CI data
product_configurator_sale OCA/product-configurator [19.0][MIG] product_configurator_sale: Migration to 19.0. #169 no CI data
product_contract OCA/contract [19.0][MIG] product_contract #1371 no CI data
product_contract OCA/contract 19.0 [MIG] product contract #1336 no CI data
product_contract-gf OCA/contract 19.0 mig product contract gf #1387 no CI data
product_cost_security OCA/product-attribute [19.0][MIG] product_cost_security: Migration to 19.0 #2176 no CI data
product_customerinfo_elaboration OCA/sale-workflow [19.0][MIG] product_customerinfo_elaboration: Migration to 19.0 #4278 no CI data
product_customerinfo_picking OCA/stock-logistics-workflow [19.0][MIG] product_customerinfo_picking: Migration to 19.0 #2362 no CI data
product_customerinfo_sale OCA/sale-workflow [19.0][MIG] product_customerinfo_sale #4111 no CI data
product_list_price_from_pricelist-BAD OCA/product-attribute [19.0][MIG] product_list_price_from_pricelist: Migration to 19.0 #2185 no CI data
product_lot_from_category OCA/product-attribute [MIG] product_lot_from_category: Migration to 19.0 #2296 no CI data
product_main_supplierinfo-BAD OCA/product-attribute [19.0][MIG] product_main_supplierinfo: Migration to 19.0 #2180 no CI data
product_meat_unece OCA/community-data-files [MIG][19.0] `product_meat_unece` #276 no CI data
product_multi_barcode-BAD OCA/stock-logistics-barcode [19.0][MIG] product_multi_barcode: Migration to 19.0 #723 no CI data
product_multi_category-BAD OCA/product-attribute [19.0][MIG] product_multi_category: Migration to 19.0 #2186 no CI data
product_multi_company OCA/multi-company [19.0][MIG] product_multi_company #1014 no CI data
product_multi_company-BAD OCA/multi-company [19.0][MIG] product_multi_company #975 no CI data
product_multi_company-BAD OCA/multi-company [19.0][MIG] product_multi_company: Migration to 19.0 #917 no CI data
product_multi_price OCA/product-attribute [19.0][MIG] product_multi_price #2136 no CI data
product_next_reception_date OCA/product-attribute [19.0][MIG] product_next_reception_date: Migration to 19.0 #2300 no CI data
product_pack_type OCA/product-pack [19.0][MIG] product_pack_type: Migration to 19.0 #254 no CI data
product_packaging_dimension OCA/product-attribute [19.0][MIG] product_packaging_dimension: Migration to 19.0 #2327 no CI data
product_packaging_level-BAD OCA/product-attribute [19.0][MIG] product_packaging_level: Migration to 19.0 #2181 no CI data
product_pricelist_alternative OCA/product-attribute [19.0][MIG] product_pricelist_alternative: Migration to 19.0 #2294 no CI data
product_pricelist_assortment OCA/product-attribute 19.0 mig product pricelist assortment #2198 no CI data
product_pricelist_direct_print OCA/product-attribute [19.0][MIG]: product_pricelist_direct_print #2220 no CI data
product_pricelist_direct_print_xlsx OCA/product-attribute [19.0][MIG] product_pricelist_direct_print_xlsx: Migration to 19.0 #2246 no CI data
product_pricelist_fixed_currency_rate OCA/product-attribute [19.0][MIG] product_pricelist_fixed_currency_rate : Migration to 19.0. #2297 no CI data
product_pricelist_fixed_currency_rate OCA/product-attribute [19.0][MIG] product_pricelist_fixed_currency_rate #2231 no CI data
product_pricelist_item_uom OCA/product-attribute [19.0][MIG] product_pricelist_item_uom #2308 no CI data
product_pricelist_simulation OCA/product-attribute [19.0][MIG] product_pricelist_simulation #2144 no CI data
product_pricelist_simulation_margin OCA/product-attribute [19.0][MIG] product_pricelist_simulation_margin #2145 no CI data
product_pricelist_supplierinfo OCA/product-attribute [MIG] product_pricelist_supplierinfo: Migration to 19.0 #2331 no CI data
product_product_template_link OCA/product-attribute [19.0][MIG] product_product_template_link: Migration to 19.0 #2233 no CI data
product_refund_account OCA/account-fiscal-rule [19.0][MIG] product_refund_account: Migration to 19.0 #583 no CI data
product_sale_description OCA/product-attribute [19.0][MIG] product_sale_description: Migration to 19.0 #2302 no CI data
product_sale_manufactured_for OCA/product-attribute [19.0][MIG] product_sale_manufactured_for: Migration to 19.0 #2238 no CI data
product_sale_team OCA/product-attribute [19.0][MIG] product_sale_team: Migration to 19.0 #2303 no CI data
product_sequence OCA/product-attribute [19.0][MIG] product_sequence: Migration to 19.0 #2127 no CI data
product_sold_by_delivery_week OCA/sale-reporting [19.0][MIG] product_sold_by_delivery_week : Migration to 19.0. #383 no CI data
product_standard_margin OCA/margin-analysis [MIG] product_standard_margin: Migration to 19.0 #261 no CI data
product_state OCA/product-attribute [19.0][MIG] product_state #2142 no CI data
product_state_stock_base OCA/product-attribute [MIG] product_state_stock_base : Migration to 19.0. #2295 no CI data
product_stock_state OCA/product-attribute [MIG] product_stock_state : Migration to 19.0 #2283 no CI data
product_supplierinfo_archive-BAD OCA/product-attribute [19.0][MIG] product_supplierinfo_archive: Migration to 19.0 #2087 no CI data
product_supplierinfo_code OCA/product-attribute [MIG] product_supplierinfo_code: Migration to 19.0 #2280 no CI data
product_supplierinfo_comment OCA/product-attribute [19.0][MIG] product_supplierinfo_comment: Migration to 19.0 #2306 no CI data
product_supplierinfo_disable_autocreation OCA/purchase-workflow [MIG] product_supplierinfo_disable_autocreation: Migration to 19.0 #3095 no CI data
product_supplierinfo_import OCA/product-attribute [19.0][MIG] product_supplierinfo_import: Migration to 19.0 #2305 no CI data
product_supplierinfo_purchase_contact OCA/purchase-workflow [19.0][MIG] product_supplierinfo_purchase_contact: Migration to 19.0 #3025 no CI data
product_supplierinfo_qty_multiplier OCA/purchase-workflow [19.0][MIG] product_supplierinfo_qty_multiplier: Migration to 19.0 #2948 no CI data
product_supplierinfo_revision-BAD OCA/product-attribute [19.0][MIG] product_supplierinfo_revision: Migration to 19.0 #2088 no CI data
product_supplierinfo_stock_picking_type-BAD OCA/product-attribute [19.0][MIG] product_supplierinfo_stock_picking_type: Migration to 19.0 #2090 no CI data
product_tag_multi_company OCA/multi-company [19.0][MIG] product_tag_multi_company #952 no CI data
product_tags_code-BAD OCA/product-attribute [19.0][MIG] product_tags_code: Migration to 19.0 #2091 no CI data
product_usability OCA/product-attribute [19.0][MIG] product_usability: Migration to 19.0 #2304 no CI data
product_variant_name OCA/product-variant [19.0][MIG] product_variant_name #435 no CI data
product_variant_sale_price OCA/product-variant [19.0][MIG] product_variant_sale_price: Migration to 19.0 #423 no CI data
product_variant_specific_description OCA/product-variant [19.0][MIG] product_variant_specific_description #436 no CI data
project_group_hr_timesheet OCA/project [19.0] [MIG] project_group_hr_timesheet : Migration to 19.0. #1749 no CI data
project_reviewer OCA/project [19.0] [MIG] project_reviewer : Migration to 19.0. #1751 no CI data
project_role OCA/project [19.0] [MiIG] project role #1747 no CI data
project_status OCA/project [19.0] project_status: Migration to 19.0 #1766 no CI data
project_status OCA/project [19.0] [MIG] project_status : Migration to 19.0. #1750 no CI data
project_task_description_portal OCA/project [19.0] [MIG] project_task_description_portal : Migration to 19.0. #1753 no CI data
project_task_material OCA/project [19.0] [MIG] project_task_material : Migration to 19.0. #1752 no CI data
project_task_related OCA/project [19.0] [MIG] project_task_related : Migration to 19.0. #1754 no CI data
project_task_report OCA/project-reporting [19.0] [MIG] project_task_report: Migration to 19.0 #60 no CI data
project_task_stage_lock OCA/project [19.0] [MIG] project_task_stage_lock : Migration to 19.0. #1755 no CI data
project_task_stock-BAD OCA/project [19.0][MIG] project_task_stock: Migration to 19.0 #1653 no CI data
project_template OCA/project [19.0][MIG] project_template: Migration to 19.0 #1617 no CI data
project_template_milestone OCA/project [19.0][MIG] project_template_milestone: Migration to 19.0 #1634 no CI data
project_timesheet_holidays_editable OCA/timesheet [19.0][MIG] project_timesheet_holidays_editable #935 no CI data
purchase_all_shipments OCA/purchase-workflow [19.0][MIG] purchase_all_shipments: Migration to 19.0 #2879 no CI data
purchase_analytic_tag OCA/account-analytic [19.0][MIG] purchase_analytic_tag: Migration to 19.0 #938 no CI data
purchase_blanket_order OCA/purchase-workflow [19.0] [MIG] purchase_blanket_order: Migration to 19.0 #3118 no CI data
purchase_cancel_reason OCA/purchase-workflow [19.0][MIG] purchase_cancel_reason: Migration to 19.0 #3027 no CI data
purchase_commercial_partner OCA/purchase-workflow [19.0][MIG] purchase_commercial_partner: Migration to 19.0 #3028 no CI data
purchase_container OCA/purchase-workflow [19.0][MIG] purchase_container #3055 no CI data
purchase_fop_shipping OCA/purchase-workflow [19.0][MIG] purchase_fop_shipping: Migration to 19.0 #3030 no CI data
purchase_force_invoiced_quantity OCA/purchase-workflow [19.0][MIG] purchase_force_invoiced_quantity: Migration to 19.0 #3031 no CI data
purchase_invoice_status_line OCA/purchase-workflow [19.0][MIG] purchase_invoice_status_line: Migration to 19.0 #3036 no CI data
purchase_last_price_info OCA/purchase-workflow [19.0][MIG] purchase_last_price_info : migrate to 19.0 #2851 no CI data
purchase_lot OCA/purchase-workflow [19.0][MIG] purchase_lot: Migration to 19.0 #3071 no CI data
purchase_open_qty OCA/purchase-workflow [19.0][MIG] purchase_open_qty: Migration to 19.0 #2989 no CI data
purchase_operating_unit OCA/operating-unit [19.0] [MIG] purchase_operating_unit: Migration from 18.0 to 19.0 #861 no CI data
purchase_order_archive OCA/purchase-workflow [19.0][MIG] purchase_order_archive: Migration to 19.0 #3038 no CI data
purchase_order_date_approve_editable OCA/purchase-workflow [19.0][MIG] purchase_order_date_approve_editable: Migration to 19.0 #2996 no CI data
purchase_order_import OCA/edi [19.0][MIG] purchase_order_import: Migration to 19.0 #1335 no CI data
purchase_order_import_ubl OCA/edi [19.0][MIG] purchase_order_import_ubl: Migration to 19.0 #1336 no CI data
purchase_order_line_original_date OCA/purchase-workflow [19.0][MIG] purchase_order_line_original_date: Migration to 19.0 #2850 no CI data
purchase_order_line_price_history OCA/purchase-workflow [19.0][MIG] purchase_order_line_price_history: Migration to 19.0 #2993 no CI data
purchase_order_line_stock_available OCA/purchase-workflow [19.0][MIG] purchase_order_line_stock_available: Migration to 19.0 #3039 no CI data
purchase_order_no_zero_price OCA/purchase-workflow [19.0][MIG] purchase_order_no_zero_price: Migration to 19.0 #2992 no CI data
purchase_order_revision OCA/purchase-workflow [19.0][MIG] purchase_order_revision: Migration to 19.0 #3004 no CI data
purchase_order_secondary_unit OCA/purchase-workflow [19.0][MIG]: purchase_order_secondary_unit #2968 no CI data
purchase_order_type_dashboard OCA/purchase-workflow [19.0][MIG] purchase_order_type_dashboard: Migration to 19.0 #2872 no CI data
purchase_order_uninvoiced_amount OCA/purchase-workflow [19.0][MIG] purchase_order_uninvoiced_amount: Migration to 19.0 #2997 no CI data
purchase_order_uninvoiced_amount_line OCA/purchase-workflow [19.0][MIG] purchase_order_uninvoiced_amount_line: Migration to 19.0 #2998 no CI data
purchase_partner_selectable_option= OCA/purchase-workflow [19.0][MIG] purchase_partner_selectable_option: Migration to 19.0 #3050 no CI data
purchase_product_pack OCA/product-pack [19.0][MIG] purchase_product_pack: Migration to 19.0 #237 no CI data
purchase_reception_notify OCA/purchase-workflow [19.0][MIG] purchase_reception_notify: Migration to 19.0 #3035 no CI data
purchase_reception_status_line OCA/purchase-workflow [19.0][MIG] purchase_reception_status_line: Migration to 19.0 #3042 no CI data
purchase_report_date_format OCA/purchase-reporting [19.0] [MIG] purchase_report_date_format: Migration to 19.0 #92 no CI data
purchase_representative OCA/purchase-workflow [19.0][MIG] purchase_representative: Migration to 19.0 #3043 no CI data
purchase_request_cancel_confirm OCA/purchase-workflow [19.0][MIG] purchase_request_cancel_confirm: Migration to 19.0 #3044 no CI data
purchase_request_department OCA/purchase-workflow [19.0][MIG] purchase_request_department: Migration to 19.0 #3045 no CI data
purchase_request_substate OCA/purchase-workflow [19.0][MIG] purchase_request_substate: Migrate to 19.0 #3046 no CI data
purchase_request_type OCA/purchase-workflow [19.0][MIG] purchase_request_type: Migration to 19.0 #3047 no CI data
purchase_sale_stock_inter_company OCA/multi-company [19.0][MIG] purchase_sale_stock_inter_company #945 no CI data
purchase_sale_stock_inter_company_mrp OCA/multi-company [19.0][MIG] purchase_sale_stock_inter_company_mrp #946 no CI data
purchase_stock_analytic OCA/account-analytic [19.0][mig] purchase_stock_analytic: Migration to v19 #859 no CI data
purchase_stock_packaging OCA/purchase-workflow [19.0][MIG] purchase_stock_packaging: Migration to 19.0 #3051 no CI data
purchase_stock_picking_invoice_link OCA/stock-logistics-workflow [19.0][MIG] purchase_stock_picking_invoice_link: Migration to version 19.0 #2388 no CI data
purchase_stock_picking_return_invoicing OCA/account-invoicing [19.0][MIG] purchase_stock_picking_return_invoicing: Migration to 19.0 #2337 no CI data
purchase_supplierinfo_editable_tree OCA/purchase-workflow [19.0][MIG] purchase_supplierinfo_editable_list ( renamed from purchase_supplierinfo_editable_tree) #2954 no CI data
purchase_tier_validation OCA/purchase-workflow [19.0] [MIG] purchase tier validation: Migration to 19.0 #2891 no CI data
purchase_triple_discount OCA/purchase-workflow [19.0]MIG purchase_triple_discount #2942 no CI data
purchase_uninvoiced_amount_force_invoiced_line OCA/purchase-workflow [19.0][MIG] purchase_uninvoiced_amount_force_invoiced_line: Migration to 19.0 #3052 no CI data
pydantic OCA/rest-framework [19.0][MIG] pydantic: Migration to 19.0 #611 no CI data
quality-control-stock-oca OCA/manufacture [19.0][MIG] quality_control_stock_oca: Migration to 19.0 #1785 no CI data
repair_order_product_by_lot OCA/repair [19.0][MIG] repair_order_product_by_lot #166 no CI data
repair_order_template OCA/repair [MIG] repair_order_template: Migration to 19.0 #171 no CI data
repair_quotation_manual_sync OCA/repair [19.0][MIG] repair_quotation_manual_sync: Migration to 19.0 #176 no CI data
repair_service OCA/repair [MIG] repair_service: Migration to 19.0 #173 no CI data
repair_service OCA/repair [19.0][MIG] repair_service #167 no CI data
repair_stock OCA/repair [19.0][MIG] repair_stock #168 no CI data
repair_stock_move_menu OCA/repair [19.0][MIG] repair_stock_move_menu: Migration to 19.0 #177 no CI data
repair_timesheet OCA/repair [MIG] repair_timesheet: Migration to 19.0 #170 no CI data
report_async OCA/reporting-engine [19.0][MIG] report_async: Migration to 19.0 #1174 no CI data
report_label OCA/reporting-engine [19.0][MIG] report_label: Migration to 19.0 #1171 no CI data
report_pdf_form OCA/reporting-engine [19.0][MIG] report_pdf_form #1107 no CI data
report_py3o_fusion_server OCA/reporting-engine [19.0][MIG] report_py3o_fusion_server: Migration to 19.0 #1133 no CI data
report_qr OCA/reporting-engine [19.0][MIG] report_qr: Migration to 19.0 #1172 no CI data
report_qweb_operating_unit OCA/operating-unit [19.0][MIG]: report_qweb_operating_unit: Migration to 19.0 #822 no CI data
report_qweb_pdf_watermark OCA/reporting-engine [19.0][MIG] report_qweb_pdf_watermark #1091 no CI data
report_text_format_option OCA/reporting-engine [19.0][MIG] report_text_format_option: Migration to 19.0 #1170 no CI data
res_company_category OCA/multi-company [19.0][MIG] res_company_category: Migration to 19.0 #930 no CI data
res_company_code OCA/multi-company [19.0] [MIG] res_company_code: Migration to 19.0 #886 no CI data
resource_booking OCA/calendar [19.0][MIG] resource_booking: Migration to 19.0 #217 no CI data
resource_booking-v2 OCA/calendar [19.0][MIG] resource_booking: Migration to 19.0 #187 no CI data
resource_calendar_flexible_exclude_weekend OCA/hr-holidays [MIG] resource_calendar_flexible_exclude_weekend: 19.0 #263 no CI data
sale_automatic_workflow_payment_mode OCA/sale-workflow [19.0][MIG] sale_automatic_workflow_payment_mode: Migration to 19.0 #4198 no CI data
sale_block_no_stock OCA/sale-workflow [19.0][MIG] sale_block_no_stock: Migration to 19.0 #4181 no CI data
sale_brand OCA/brand [19.0][MIG] sale_brand: Migration to 19.0 #305 no CI data
sale_cancel_reason-cleaned OCA/sale-workflow [19.0] [MIG] `sale_cancel_reason` #4105 no CI data
sale_channel OCA/sale-channel [MIG][19.0] sale_channel (from 18.0) #57 no CI data
sale_channel_partner OCA/sale-channel [MIG][19.0] sale_channel_partner (from 18.0) #58 no CI data
sale_channel_product-oca OCA/sale-channel [19.0][MIG] sale_channel_product #59 no CI data
sale_comment_template OCA/sale-reporting [19.0][MIG] sale_comment_template: Migration to 19.0 #370 no CI data
sale_commission_oca_product_criteria OCA/commission [19.0][MIG] sale_commission_oca_product_criteria #682 no CI data
sale_commission_product_criteria OCA/commission [19.0][MIG] sale_commission_product_criteria_oca #664 no CI data
sale_commission_salesman OCA/commission [19.0][MIG] sale_commission_salesman #666 no CI data
sale_credit_note_reversal OCA/account-invoicing [19.0][MIG] sale_credit_note_reversal #2227 no CI data
sale_discount_display_amount OCA/sale-workflow [19.0][MIG] sale_discount_display_amount: Migration to 19.0 #4284 no CI data
sale_elaboration_brand OCA/sale-workflow [19.0][MIG] sale_elaboration_brand: Migration to 19.0 #4368 no CI data
sale_elaboration_margin OCA/margin-analysis [19.0][MIG] sale_elaboration_margin : Migration to 19.0. #275 no CI data
sale_invoice_plan OCA/sale-workflow [19.0][MIG] `sale_invoice_plan` #4121 no CI data
sale_invoice_policy OCA/sale-workflow [19.0][MIG] sale_invoice_policy: Migration to 19.0 #4071 no CI data
sale_invoice_split_payment OCA/sale-workflow [19.0] [MIG] sale_invoice_split_payment : Migration to 19.0 #4389 no CI data
sale_layout_category_hide_detail-hda OCA/sale-reporting [19.0][MIG] sale_layout_category_hide_detail #354 no CI data
sale_loyalty_incompatibility OCA/sale-promotion [19.0][MIG] sale_loyalty_incompatibility: Migration to 19.0 #318 no CI data
sale_loyalty_limit OCA/sale-promotion [19.0][MIG] sale_loyalty_limit: Migration to 19.0 #331 no CI data
sale_loyalty_multi_gift OCA/sale-promotion [19.0][MIG] sale_loyalty_multi_gift: Migration to 19.0 #334 no CI data
sale_loyalty_order_info OCA/sale-promotion [19.0][MIG] sale_loyalty_order_info: Migration to 19.0 #327 no CI data
sale_loyalty_order_line_link OCA/sale-promotion [19.0][MIG] sale_loyalty_order_line_link: Migration to 19.0 #328 no CI data
sale_loyalty_order_suggestion OCA/sale-promotion [19.0][MIG] sale_loyalty_order_suggestion: Migration to 19.0 #335 no CI data
sale_loyalty_order_suggestion OCA/sale-promotion [19.0] [MIG] sale_loyalty_order_suggestion: Migration to 19.0 #316 no CI data
sale_loyalty_order_suggestion_multi_gift OCA/sale-promotion [19.0][MIG] sale_loyalty_order_suggestion_multi_gift: Migration to 19.0 #337 no CI data
sale_loyalty_partner OCA/sale-promotion [19.0][MIG] sale_loyalty_partner: Migration to 19.0 #329 no CI data
sale_loyalty_partner_applicability OCA/sale-promotion [19.0][MIG] sale_loyalty_partner_applicability: Migration to 19.0 #332 no CI data
sale_margin_security OCA/margin-analysis [19.0][MIG] sale_margin_security: Migration to 19.0 #253 no CI data
sale_mrp_bom OCA/sale-workflow [19.0][MIG] sale_mrp_bom #4107 no CI data
sale_order_amount_to_invoice OCA/sale-workflow [19.0] [MIG] sale_order_amount_to_invoice #4401 no CI data
sale_order_amount_to_invoice OCA/sale-workflow [19.0][MIG] sale_order_amount_to_invoice: Migration to 19.0 #4350 no CI data
sale_order_general_discount_triple OCA/sale-workflow [19.0][MIG] sale_order_general_discount_triple: Migration to 19.0 #4134 no CI data
sale_order_invoice_date OCA/sale-reporting [19.0][MIG] sale_order_invoice_date #366 no CI data
sale_order_invoicing_grouping_criteria OCA/account-invoicing [19.0][MIG] sale_order_invoicing_grouping_criteria: Migration to 19.0 #2296 no CI data
sale_order_line_delivery_state OCA/sale-workflow [19.0][MIG] sale_order_line_delivery_state: Migration to 19.0 #4285 no CI data
sale_order_line_input OCA/sale-workflow [19.0][MIG] sale_order_line_input: Migration to 19.0 #4286 no CI data
sale_order_line_input OCA/sale-workflow 19.0 [MIG] sale order line input #3971 no CI data
sale_order_line_price_unit-digits OCA/sale-workflow [19.0][MIG] sale_order_line_price_unit_digits: Migration to 19.0 #4424 no CI data
sale_order_line_product_attribute_values OCA/sale-workflow [19.0][MIG] sale_order_line_product_attribute_values : Migration to 19.0 #4455 no CI data
sale_order_line_remove OCA/sale-workflow [19.0][MIG] sale_order_line_remove: Migration to 19.0 #4287 no CI data
sale_order_line_stock_move_history OCA/sale-workflow [19.0][MIG] sale_order_line_stock_move_history: Migration to 19.0 #4289 no CI data
sale_order_line_variant_description OCA/product-variant [19.0][MIG] sale_order_line_variant_description: Migration to 19.0 #424 no CI data
sale_order_lot_selection OCA/sale-workflow [19.0][MIG] sale_order_lot_selection: Migration to 19.0 #4385 no CI data
sale_order_mass_action-hda OCA/sale-workflow [19.0][MIG] sale_order_mass_action #4345 no CI data
sale_order_note_template OCA/sale-workflow [19.0][MIG] sale_order_note_template: Migration to 19.0 #4292 no CI data
sale_order_product_assortment OCA/sale-workflow [19.0][mig]: sale_order_product_assortment #4348 no CI data
sale_order_product_recommendation_product_sold_by_delivery_week OCA/sale-reporting [19.0][MIG] sale_order_product_recommendation_product_sold_by_delivery_week : Migration to 19.0. #384 no CI data
sale_order_qty_change_no_recompute OCA/sale-workflow [19.0][MIG] sale_order_qty_change_no_recompute: Migration to 19.0 #4376 no CI data
sale_order_report_hide_tax OCA/sale-reporting [19.0][MIG] sale_order_report_hide_tax: Migration to 19.0 #381 no CI data
sale_order_report_hide_tax OCA/sale-reporting [19.0][MIG] sale_order_report_hide_tax: Migration to 19.0 #371 no CI data
sale_order_requested_delivery OCA/sale-workflow [19.0][MIG] sale_order_requested_delivery: Migration to 19.0 #4293 no CI data
sale_order_restrict_copy_archived_product OCA/sale-workflow [19.0][MIG] sale_order_restrict_copy_archived_product: Migration to 19.0 #4375 no CI data
sale_order_secondary_unit OCA/sale-workflow [19.0][MIG]: sale_order_secondary_unit #4175 no CI data
sale_order_warehouse_from_delivery_carrier OCA/delivery-carrier [19.0][MIG] sale_order_warehouse_from_delivery_carrier: Migration to 19.0 #1200 no CI data
sale_order_weight OCA/sale-reporting [19.0][MIG] sale_order_weight: Migration to 19.0 #369 no CI data
sale_packaging_report OCA/sale-reporting [19.0][MIG] sale_packaging_report : Migration to 19.0. #385 no CI data
sale_partner_address_restrict OCA/sale-workflow [19.0][MIG] sale_partner_address_restrict: Migration to 19.0 #4294 no CI data
sale_partner_primeship OCA/sale-workflow [19.0][MIG] sale_partner_primeship: Migration to 19.0 #4295 no CI data
sale_partner_sale_contact OCA/sale-workflow [19.0][MIG] sale_partner_sale_contact & sale_partner_sale_contact_on_project #4225 no CI data
sale_pricelist_display_surcharge OCA/sale-workflow [19.0][MIG] sale_pricelist_display_surcharge: Migration to 19.0 #4298 no CI data
sale_pricelist_triple_discount OCA/sale-workflow [19.0][MIG] sale_pricelist_triple_discount: Migration to 19.0 #4088 no CI data
sale_product_identification OCA/sale-workflow [19.0][MIG] sale_product_identification: Migration to 19.0 #4402 no CI data
sale_product_identification_pos OCA/pos [19.0][MIG] sale_product_identification_pos: : Migration to 19.0 #1568 no CI data
sale_product_pack_line_modification OCA/product-pack [MIG] sale_product_pack_line_modification: Migration to 19.0 #257 no CI data
sale_project_task_recurrency-BAD OCA/project [19.0][MIG] sale_project_task_recurrency: Migration to 19.0 #1647 no CI data
sale_quotation_number-v2 OCA/sale-workflow [19.0][MIG] sale_quotation_number #4441 no CI data
sale_report_delivered OCA/sale-reporting [19.0][MIG] sale_report_delivered : Migration to 19.0. #387 no CI data
sale_report_delivered_attribute_values OCA/sale-reporting [19.0][MIG] sale_report_delivered_attribute_values : Migration to 19.0. #390 no CI data
sale_report_delivered_brand OCA/sale-reporting [19.0][MIG] sale_report_delivered_brand : Migration to 19.0. #388 no CI data
sale_report_delivered_partner_priority OCA/sale-reporting [19.0][MIG] sale_report_delivered_partner_priority : Migration to 19.0. #389 no CI data
sale_report_delivered_subtotal OCA/sale-reporting [19.0][MIG] sale_report_delivered_subtotal: Migration to 19.0 #377 no CI data
sale_report_delivered_volume OCA/sale-reporting [19.0][MIG] sale_report_delivered_volume : Migration to 19.0. #386 no CI data
sale_report_margin OCA/margin-analysis 19.0 mig sale report margin #259 no CI data
sale_report_salesperson_from_partner OCA/sale-reporting [19.0][MIG] sale_report_salesperson_from_partner: Migration to 19.0 #374 no CI data
sale_restricted_qty OCA/sale-workflow [19.0][MIG] sale_restricted_qty #4154 no CI data
sale_semaphore OCA/sale-workflow [19.0][MIG] sale_semaphore : Migration to 19.0. #4456 no CI data
sale_shipping_info_helper OCA/sale-workflow [19.0][MIG] sale_shipping_info_helper: Migration to 19.0 #4300 no CI data
sale_stock_analytic-hda OCA/account-analytic [19.0][MIG] sale_stock_analytic #935 no CI data
sale_stock_delivery_state OCA/sale-workflow [19.0][MIG] sale_stock_delivery_state: Migration to 19.0 #4301 no CI data
sale_stock_line_sequence OCA/sale-workflow [19.0][MIG] sale_stock_line_sequence: Migration to 19.0 #4310 no CI data
sale_stock_secondary_unit OCA/sale-workflow [19.0] [MIG] sale_stock_secondary_unit #4428 no CI data
sale_tier_validation OCA/tier-validation [19.0][MIG] sale_tier_validation #9 no CI data
sale_tier_validation OCA/tier-validation [19.0][MIG] sale_tier_validation #55 no CI data
sale_timesheet_budget OCA/timesheet [MIG] sale_timesheet_budget : Migration to 19.0 #918 no CI data
sale_timesheet_invoice_description OCA/account-invoicing [19.0][MIG] sale_timesheet_invoice_description: Migration to 19.0 #2259 no CI data
sale_timesheet_rounded OCA/timesheet [MIG] sale_timesheet_rounded : Migration to 19.0 #917 no CI data
sale_triple_discount OCA/sale-workflow [19.0][MIG] sale_triple_discount: Migration to 19.0 #3965 no CI data
sale_wishlist OCA/sale-workflow [19.0][MIG] sale_wishlist: Migration to 19.0 #4308 no CI data
sales_team_security OCA/sale-workflow [19.0][MIG] sales_team_security: Migration to 19.0 #3960 no CI data
sales_team_security_crm OCA/sale-workflow [19.0][MIG] sales_team_security_crm: Migration to 19.0 #3963 no CI data
sales_team_security_crm-dummy OCA/sale-workflow [DUMMY][MIG] sales_team_security_crm: Migration to 19.0 #4050 no CI data
sales_team_security_sale OCA/sale-workflow [19.0][MIG] sales_team_security_sale: Migration to 19.0 #3962 no CI data
sales_team_security_sale-dummy OCA/sale-workflow [DUMMY][MIG] sales_team_security_sale: Migration to 19.0 #4049 no CI data
scrap_reason_code OCA/stock-logistics-warehouse [19.0][MIG] scrap_reason_code: Migration to 19.0 #2542 no CI data
scrap_reason_code OCA/stock-logistics-workflow [19.0][MIG] scrap_reason_code: Migration to 19.0 #2334 no CI data
sentry OCA/server-tools [MIG] sentry: Migration to 19.0 #3545 no CI data
sequence_check_digit OCA/server-ux [19.0][MIG] sequence_check_digit: Migration to 19.0 #1273 no CI data
sequence_check_digit OCA/server-ux [MIG] sequence_check_digit: Migration to 19.0 #1270 no CI data
sequence_custom_data OCA/server-tools [MIG][19.0] sequence_custom_data #3616 no CI data
server_action_domain OCA/server-ux [19.0][MIG] server_action_domain #1286 no CI data
server_action_mass_edit_onchange OCA/server-ux [19.0][MIG] server_action_mass_edit_onchange: Migration to 19.0 #1310 no CI data
server_action_sort OCA/server-backend [19.0][MIG] server_action_sort: Migration to 19.0 #449 no CI data
social_media_base OCA/social [19.0][MIG] social_media_base: Migration to 19.0 #1788 no CI data
social_media_calendar OCA/social [19.0][MIG] social_media_calendar: Migration to 19.0 #1789 no CI data
social_media_facebook OCA/social [19.0][MIG] social_media_facebook: Migration to 19.0 #1792 no CI data
social_media_linkedin OCA/social [19.0][MIG] social_media_linkedin: Migration to 19.0 #1790 no CI data
social_media_x OCA/social [19.0][MIG] social_media_x: Migration to 19.0 #1791 no CI data
spreadsheet_oca2 OCA/spreadsheet [19.0][MIG] spreadsheet_oca: Migration to 19 #109 no CI data
sql_export OCA/reporting-engine [19.0][MIG] sql export: Migration to 19.0 #1128 no CI data
sql_export_excel OCA/reporting-engine [19.0][MIG] sql_export_excel: Migration to 19.0 #1129 no CI data
stock_account_valuation_report OCA/stock-logistics-reporting [19.0][MIG] stock_account_valuation_report #456 no CI data
stock_analytic OCA/account-analytic [19.0][MIG] stock_analytic: Migration to 19.0 #898 no CI data
stock_available_base_exclude_location OCA/stock-logistics-availability [19.0][MIG] stock_available_base_exclude_location: Migration to v19 #76 no CI data
stock_barcodes OCA/stock-logistics-barcode [19.0][MIG] stock_barcodes: Migration to 19.0 #742 no CI data
stock_brand OCA/brand [19.0][MIG] stock_brand: Migration to 19.0 #308 no CI data
stock_change_qty_reason OCA/stock-logistics-warehouse [19.0][MIG] stock_change_qty_reason: Migration to 19.0 #2554 no CI data
stock_depot OCA/stock-logistics-transport [19.0][MIG] stock_depot: Migration to 19.0 #217 no CI data
stock_dock OCA/stock-logistics-transport [19.0][MIG] stock_dock: Migration to 19.0 #218 no CI data
stock_exception OCA/stock-logistics-workflow [19.0][MIG] stock_exception #2185 no CI data
stock_financial_risk OCA/credit-control [19.0][MIG] stock_financial_risk #546 no CI data
stock_inventory_analytic-hda OCA/account-analytic [19.0][MIG] stock_inventory_analytic #929 no CI data
stock_inventory_analytic_warehouse_default-hda OCA/account-analytic [19.0][MIG] stock_inventory_analytic_warehouse_default #931 no CI data
stock_inventory_discrepancy OCA/stock-logistics-warehouse [19.0][MIG] stock_inventory_discrepancy #2481 no CI data
stock_inventory_justification OCA/stock-logistics-warehouse [19.0][MIG] stock_inventory_justification: Migration to 19.0 #2531 no CI data
stock_landed_costs_purchase_auto OCA/stock-logistics-workflow [19.0][MIG] stock_landed_costs_purchase_auto: Migration to 19.0 #2181 no CI data
stock_location_children OCA/stock-logistics-warehouse [19.0][MIG] stock_location_children: Migration to 19.0 #2596 no CI data
stock_location_lockdown OCA/stock-logistics-warehouse [19.0][MIG] stock_location_lockdown: Migration to 19.0 #2532 no CI data
stock_lock_lot OCA/stock-logistics-workflow [19.0][MIG] stock_lock_lot: Migration to 19.0 #2350 no CI data
stock_lock_lot OCA/stock-logistics-workflow [19.0][MIG] stock_lock_lot #2229 no CI data
stock_lot_condition OCA/stock-logistics-warehouse [19.0][MIG] stock_lot_condition #2470 no CI data
stock_lot_production_date-BAD OCA/product-attribute [19.0][MIG] stock_lot_production_date: Migration to 19.0 #2093 no CI data
stock_move_actual_date OCA/stock-logistics-workflow [19.0][MIG] stock_move_actual_date: Migration to 19.0 and rename to stock_date_done #2346 no CI data
stock_move_backdating OCA/stock-logistics-workflow [19.0][MIG] stock_move_backdating #2332 no CI data
stock_move_common_dest OCA/stock-logistics-warehouse [19.0][MIG] stock_move_common_dest: Migration to 19.0 #2595 no CI data
stock_move_line_dates OCA/stock-logistics-workflow [19.0][MIG] stock_move_line_dates #2351 no CI data
stock_move_line_expiration_date_required OCA/stock-logistics-workflow [19.0][MIG] stock_move_line_expiration_date_required: Migration to 19.0 #2367 no CI data
stock_move_location OCA/stock-logistics-warehouse [19.0][MIG] stock_move_location: Migration to 19.0 #2500 no CI data
stock_move_value_report OCA/stock-logistics-reporting [MIG] stock_move_value_report: Migration to 19.0 #475 no CI data
stock_operating_unit OCA/operating-unit [19.0] [MIG] stock_operating_unit: Migration to 19.0 #862 no CI data
stock_picking_analytic OCA/account-analytic [19.0] [MIG] stock_picking_analytic: Migration to 19.0 #913 no CI data
stock_picking_customer_ref OCA/stock-logistics-workflow [19.0][MIG] stock_picking_customer_ref #2259 no CI data
stock_picking_kit_by_unit OCA/stock-logistics-workflow [19.0][MIG] stock_picking_kit_by_unit: Migration to 19.0 #2253 no CI data
stock_picking_mass_action OCA/stock-logistics-workflow [19.0][MIG] stock_picking_mass_action: Migration to 19.0 #2161 no CI data
stock_picking_move_package_to_package OCA/stock-logistics-workflow [19.0][MIG] stock_picking_move_package_to_package: Migration to 19.0 #2254 no CI data
stock_picking_origin_reference_purchase OCA/stock-logistics-workflow [19.0][MIG] stock_picking_origin_reference_purchase #2233 no CI data
stock_picking_origin_reference_sale OCA/stock-logistics-workflow [19.0][MIG] stock_picking_origin_reference_sale #2234 no CI data
stock_picking_origin_state OCA/stock-logistics-workflow [19.0][MIG] stock_picking_origin_state: Migration to 19.0 #2389 no CI data
stock_picking_partner_brand OCA/brand [19.0][MIG] stock_picking_partner_brand: Migration to 19.0 #309 no CI data
stock_picking_report_custom_description OCA/stock-logistics-reporting [19.0][MIG] stock_picking_report_custom_description: Migration to 19.0 #464 no CI data
stock_picking_report_delivery_custom_name OCA/stock-logistics-reporting [19.0][MIG] stock_picking_report_delivery_custom_name: Migration to 19.0 #497 no CI data
stock_picking_show_linked OCA/stock-logistics-warehouse [19.0][MIG] stock_picking_show_linked: Migration to 19.0 #2610 no CI data
stock_picking_supplier_ref OCA/stock-logistics-warehouse [19.0][MIG] stock_picking_supplier_ref: Migration to 19.0 #2472 no CI data
stock_picking_type_analytic-hda OCA/account-analytic [19.0][MIG] stock_picking_type_analytic #928 no CI data
stock_picking_type_user_restriction-hda OCA/stock-logistics-warehouse [19.0][MIG] stock_picking_type_user_restriction #2583 no CI data
stock_production_lot_active OCA/stock-logistics-workflow [19.0][MIG] stock_production_lot_active: Migration to 19.0 #2257 no CI data
stock_production_lot_traceability OCA/stock-logistics-workflow [19.0][MIG] stock_lot_traceability: Migration to 19.0 #2224 no CI data
stock_production_lot_warranty OCA/rma [19.0][MIG] stock_production_lot_warranty #606 no CI data
stock_putaway_product_template OCA/stock-logistics-warehouse [19.0][MIG] stock_putaway_product_template: Migration to 19.0 #2530 no CI data
stock_quant_manual_assign OCA/stock-logistics-reservation [MIG] stock_quant_manual_assign: Migration to 19.0 #44 no CI data
stock_quant_package_product_packaging OCA/stock-logistics-tracking [19.0][ADD] stock_package_product_packaging (Renamed from stock_quant_package_product_packaging) #59 no CI data
stock_quant_reservation_info OCA/stock-logistics-warehouse [19.0][MIG] stock_quant_reservation_info: Migration to 19.0 #2556 no CI data
stock_quant_reservation_info_mrp OCA/stock-logistics-warehouse [19.0][MIG] stock_quant_reservation_info_mrp: Migration to 19.0 #2557 no CI data
stock_request_kanban OCA/stock-logistics-request [MIG] stock_request_kanban: Migration to 19.0 #90 no CI data
stock_request_mrp OCA/stock-logistics-request [MIG] stock_request_mrp: Migration to 19.0 #91 no CI data
stock_reserve OCA/stock-logistics-reservation [19.0][MIG] stock_reserve: Migration to 19.0 #59 no CI data
stock_scrap_cancel OCA/stock-logistics-workflow [19.0][MIG] stock_scrap_cancel: Migration to 19.0 #2352 no CI data
stock_secondary_unit OCA/stock-logistics-warehouse [19.0][MIG] stock_secondary_unit #2546 no CI data
stock_shipment_composer OCA/stock-logistics-workflow [19.0][MIG] stock_shipment_composer: Migration to 19.0 #2341 no CI data
stock_warehouse_analytic-hda OCA/account-analytic [19.0][MIG] stock_warehouse_analytic #930 no CI data
storage_backend-hda OCA/storage [19.0][MIG] storage_backend #636 no CI data
storage_backend_ftp-hda OCA/storage [19.0][MIG] storage_backend_ftp #637 no CI data
survey_question_type_binary-hda OCA/survey [19.0][MIG] survey_question_type_binary #216 no CI data
survey_xlsx OCA/survey [19.0] [mig] survey_xlsx #233 no CI data
template_content_swapper OCA/server-ux [19.0][MIG] template_content_swapper: Migration to 19.0 #1166 no CI data
uom_qty_unique OCA/product-attribute [MIG] uom_qty_unique: Migration to 19.0 #2284 no CI data
user_log_view OCA/server-auth [19.0][MIG] user_log_view: Migration to 19.0 #884 no CI data
utm_medium_multi_company OCA/multi-company [19.0][MIG] utm_medium_multi_company: Migration to 19.0 #1022 no CI data
utm_source_multi_company OCA/multi-company [19.0][MIG] utm_source_multi_company: Migration to 19.0 #1023 no CI data
vcp_git OCA/version-control-platform [19.0][MIG] vcp_git: Migration to 19.0 #12 no CI data
vcp_github OCA/version-control-platform [19.0][MIG] vcp_GitHub: Migration to 19.0 #13 no CI data
vcp_management OCA/version-control-platform [19.0][MIG] vcp_management: Migration to 19.0 #11 no CI data
vcp_odoo OCA/version-control-platform [19.0][MIG] vcp_odoo: Migration to 19.0 #14 no CI data
vendor_transport_lead_time OCA/purchase-workflow [19.0][MIG] vendor_transport_lead_time #3085 no CI data
web_company_color OCA/web [19.0][MIG] web_company_color: Migration to 19.0 #3326 no CI data
web_copy_confirm OCA/web [19.0][MIG] web_copy_confirm: Migration to 19.0 #3504 no CI data
web_copy_confirm OCA/web [19.0][MIG] web_copy_confirm: Migration to 19.0 #3327 no CI data
web_disable_export_group OCA/web [19.0][MIG] web_disable_export_group: Migration to 19.0 #3503 no CI data
web_editor_media_dialog_dms OCA/dms [19.0][MIG] web_editor_media_dialog_dms: Migration to 19.0 #490 no CI data
web_export_html_as_text OCA/web [19.0][MIG] web_export_html_as_text: Migration to 19.0 #3312 no CI data
web_filter_header_button OCA/web [19.0][MIG] web_filter_header_button: Migration to 19.0 #3329 no CI data
web_help OCA/web [19.0][MIG] web_help: Migration to 19.0 #3585 no CI data
web_ir_actions_act_multi OCA/web 19.0 mig web ir actions act multi #3364 no CI data
web_leaflet_lib OCA/geospatial [19.0][MIG] web_leaflet_lib: Migration to 19.0 #464 no CI data
web_notify OCA/web [19.0][MIG] web_notify: Migration to 19.0 #3377 no CI data
web_notify_upgrade OCA/web [19.0][MIG] web_notify_upgrade: Migration to 19.0 #3441 no CI data
web_save_discard_button OCA/web [19.0][MIG] web_save_discard_button: Migration to 19.0 #3579 no CI data
web_send_message_popup OCA/web [19.0][MIG] web_send_message_popup: Migration to 19.0 #3581 no CI data
web_session_auto_close OCA/web [19.0][MIG] web_session_auto_close: Migration to 19.0 #3472 no CI data
web_sort_menu OCA/web [19.0][MIG] web_sort_menu: Migration to 19.0 #3580 no CI data
web_systray_button_init_action OCA/web [19.0][MIG] web_systray_button_init_action: Migration to 19.0 #3583 no CI data
web_theme_classic OCA/web [19.0][MIG] web_theme_classic: Migration to 19.0 #3547 no CI data
web_toggle_chatter OCA/web [19.0][MIG] web_toggle_chatter: Migration to 19.0 #3582 no CI data
web_tree_dynamic_colored_field OCA/web [19.0][MIG] web_tree_dynamic_colored_field: Migration to 19.0 #3584 no CI data
web_widget_bokeh_chart-BAD OCA/web [19.0][MIG] partner_contact_type_end_user: Migration to 19.0 #3406 no CI data
web_widget_numeric_step OCA/web [19.0][MIG] web_widget_numeric_step: Migration to 19.0 #3429 no CI data
web_widget_product_label_section_and_note_name_visibility OCA/web [19.0][MIG] web_widget_product_label_section_and_note_name_visibility: Migration to 19.0 #3526 no CI data
web_widget_section_and_note_text_scrollable OCA/web [19.0][MIG] web_widget_section_and_note_text_scrollable: Migration to 19.0 #3373 no CI data
web_widget_url_advanced OCA/web [19.0][MIG] web_widget_url_advanced #3370 no CI data
web_widget_x2many_2d_matrix OCA/web [19.0][MIG] web_widget_x2many_2d_matrix: Migration to 19.0 #3578 no CI data
web_widget_x2many_2d_matrix-BAD OCA/web [19.0][MIG] web_widget_x2many_2d_matrix: Migration to 19.0 #3310 no CI data
web_widget_x2many_2d_matrix-s73 OCA/web [19.0][MIG] web_widget_x2many_2d_matrix: Migration to 19.0 #3438 no CI data
website_event_membership_restriction OCA/event [19.0][MIG] website_event_membership_restriction: Migration to 19.0 #516 no CI data
website_forum_subscription OCA/website [19.0][MIG] website_forum_subscription: Migration to version 19.0 #1205 no CI data
website_geoengine OCA/geospatial [19.0][MIG] website_geoengine: Migration to 19.0 #452 no CI data
website_geoengine_store_locator OCA/geospatial [19.0][MIG] website_geoengine_store_locator: Migration to 19.0 #453 no CI data
website_membership OCA/vertical-association [19.0][MIG] website_membership: Migration to 19.0 #226 no CI data
website_membership_gamification OCA/vertical-association [19.0][MIG] website_membership_gamification: Migration to 19.0 #227 no CI data
website_product_configurator OCA/product-configurator [19.0][MIG] website_product_configurator: Migration to 19.0. #176 no CI data
website_require_login OCA/website [19.0][MIG] website_require_login: Migration to 19.0 #1155 no CI data
website_sale_carrier_auto_assign OCA/e-commerce [19.0][MIG] website_sale_carrier_auto_assign: Migration to 19.0 #1257 no CI data
website_sale_comparison_hide_price OCA/e-commerce [19.0][MIG] website_sale_comparison_hide_price #1178 no CI data
website_sale_product_detail_attribute_image OCA/e-commerce [19.0][MIG] website_sale_product_detail_attribute_image: Migration to 19.0 #1266 no CI data
website_sale_product_pack OCA/product-pack [19.0][MIG] website_sale_product_pack: Migration to 19.0 #229 no CI data
website_sale_product_sort OCA/e-commerce [19.0][MIG] website_sale_product_sort: Migration to 19.0 #1263 no CI data
website_sale_require_legal OCA/e-commerce [19.0][MIG] website sale require legal: Migration to 19.0 #1236 no CI data
website_sale_stock_list_preview OCA/e-commerce [19.0][MIG] website_sale_stock_list_preview #1265 no CI data
website_sale_vat_required OCA/e-commerce [19.0][MIG] website_sale_vat_required: Migration to 19.0 #1264 no CI data
website_sale_wishlist_hide_price OCA/e-commerce [19.0][MIG] website_sale_wishlist_hide_price #1256 no CI data
website_whatsapp OCA/website [19.0][MIG] website_whatsapp: migration to 19.0 #1154 no CI data

Security Findings

Errors 39

Module Code Message
auth_passkey acl-public-write auth_passkey.access_auth_passkey_key_portal — Access rule grants write on 'model_auth_passkey_key' to the portal/public group 'base.group_portal'
auth_passkey acl-public-write auth_passkey.access_auth_passkey_key_create_portal — Access rule grants write/create/unlink on 'model_auth_passkey_key_create' to the portal/public group 'base.group_portal'
auth_totp_portal acl-public-write access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_discuss_channel_member_public — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_public'
mail acl-public-write access_discuss_channel_member_portal — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_mrp_production_serials — Access rule grants write/create on 'mrp.model_mrp_production_serials' to the portal/public group 'base.group_portal'
mrp_subcontracting_account acl-public-write access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal'
pms_website acl-public-write access_pms_property_public — Access rule grants write/create/unlink on 'pms_base.model_pms_property' to the portal/public group 'base.group_public'
project acl-public-write access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal'
test_access_rights acl-public-write access_test_access_right_some_obj_public — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_container_public — Access rule grants write/create/unlink on 'model_test_access_right_container' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_inherits_public — Access rule grants write/create/unlink on 'model_test_access_right_inherits' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_child_public — Access rule grants write/create/unlink on 'model_test_access_right_child' to the portal/public group 'base.group_public'
test_mail acl-public-write access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal'
test_mail acl-public-write access_mail_test_access_public_public — Access rule grants write on 'model_mail_test_access_public' to the portal/public group 'base.group_public'
test_mail acl-public-write access_mail_test_access_public_portal — Access rule grants write on 'model_mail_test_access_public' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 415

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_send_single_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_send_batch_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group
account route-public-sudo /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account route-public-sudo /my/journal/<int:journal_id>/unsubscribe — Unauthenticated endpoint 'PortalAccount.portal_my_journal_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_payment rule-group-bypass payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_peppol route-public-csrf-off /peppol/webhook/new-message — Public HTTP endpoint 'PeppolWebhookController.webhook_new_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
account_peppol route-public-sudo /peppol/webhook/new-message — Unauthenticated endpoint 'PeppolWebhookController.webhook_new_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_peppol route-public-csrf-off /peppol/webhook/message-state-update — Public HTTP endpoint 'PeppolWebhookController.webhook_message_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
account_peppol route-public-sudo /peppol/webhook/message-state-update — Unauthenticated endpoint 'PeppolWebhookController.webhook_message_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_peppol route-public-csrf-off /peppol/webhook/user-state-update — Public HTTP endpoint 'PeppolWebhookController.webhook_user_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
account_peppol route-public-sudo /peppol/webhook/user-state-update — Unauthenticated endpoint 'PeppolWebhookController.webhook_user_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-public-sudo /web/login/totp — Unauthenticated endpoint 'Home.web_totp' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base_automation route-public-csrf-off /web/hook/<string:rule_uuid> — Public HTTP endpoint 'BaseAutomationController.call_webhook_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_automation route-public-sudo /web/hook/<string:rule_uuid> — Unauthenticated endpoint 'BaseAutomationController.call_webhook_http' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_report_to_printer_qztray route-public-sudo /qz-certificate/ — Unauthenticated endpoint 'SignMessage.qz_certificate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base_report_to_printer_qztray route-public-sudo /qz-sign-message/ — Unauthenticated endpoint 'SignMessage.qz_sign_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base_setup route-auth-none /kpi/summary — Endpoint 'KpiController.kpi_summary' uses auth="none": it runs with no user/session at all
base_vat route-public-csrf-off /base_vat/1/webhook_update_vies — Public HTTP endpoint 'BaseVatWebhookController.webhook_update_vies' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
bus route-public-sudo /bus/has_missed_notifications — Unauthenticated endpoint 'BusController.has_missed_notifications' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
bus route-auth-none /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
calendar route-public-sudo /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
digest route-public-csrf-off /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
digest route-public-sudo /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
event route-public-sudo /event/<model("event.event"):event>/ics — Unauthenticated endpoint 'EventController.event_ics_file' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
event route-public-sudo /event/<int:event_id>/my_tickets — Unauthenticated endpoint 'EventController.event_my_tickets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr rule-group-bypass ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_admin — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_overtime_line_rule_admin — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance route-public-sudo /hr_attendance/<token> — Unauthenticated endpoint 'HrAttendance.open_kiosk_mode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/attendance_employee_data — Unauthenticated endpoint 'HrAttendance.employee_attendance_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/attendance_barcode_scanned — Unauthenticated endpoint 'HrAttendance.scan_barcode_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/manual_selection — Unauthenticated endpoint 'HrAttendance.manual_selection' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/employees_infos — Unauthenticated endpoint 'HrAttendance.employees_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_expense rule-group-bypass ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_gamification rule-group-bypass hr_gamification_badge_group_hr_user_access — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_homeworking rule-group-bypass homeworking_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_homeworking_calendar rule-group-bypass homeworking_location_wizard_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_applicant_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_job_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_talent_pool_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass mail_message_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment_skills rule-group-bypass hr_applicant_skill_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_employee_skill_report_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_employee_skill_history_report_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_timesheet_attendance rule-group-bypass hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group
html_editor route-public-sudo /web_editor/shape/<module>/<path:filename>, /html_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'HTML_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
http_routing route-public-sudo /website/translations — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-auth-none /im_livechat/font-awesome — Endpoint 'LivechatController.fontawesome' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/odoo_ui_icons — Endpoint 'LivechatController.odoo_ui_icons' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/download_transcript/<int:channel_id> — Unauthenticated endpoint 'LivechatController.download_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-csrf-off /im_livechat/cors/attachment/upload — Public HTTP endpoint 'LivechatAttachmentController.im_livechat_attachment_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_drivers route-auth-none /hw_proxy/scale_read — Endpoint 'ScaleReadHardwareProxy.scale_read' uses auth="none": it runs with no user/session at all
l10n_dk_nemhandel route-public-csrf-off /nemhandel/webhook/new-message — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_dk_nemhandel route-public-sudo /nemhandel/webhook/new-message — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_dk_nemhandel route-public-csrf-off /nemhandel/webhook/message-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_dk_nemhandel route-public-sudo /nemhandel/webhook/message-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_dk_nemhandel route-public-csrf-off /nemhandel/webhook/user-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_dk_nemhandel route-public-sudo /nemhandel/webhook/user-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_fr_pdp route-public-csrf-off /api/signaturit_authentication_status/1/webhooks — Public HTTP endpoint 'IapAuthenticationWebhook.notify_authentication_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_fr_pdp route-public-sudo /api/signaturit_authentication_status/1/webhooks — Unauthenticated endpoint 'IapAuthenticationWebhook.notify_authentication_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_fr_pdp route-public-csrf-off /peppol/webhook/new-regulatory-message — Public HTTP endpoint 'PdpWebhookController.webhook_regulatory_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_fr_pdp route-public-sudo /peppol/webhook/new-regulatory-message — Unauthenticated endpoint 'PdpWebhookController.webhook_regulatory_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_pe route-public-sudo /portal/state_infos/<model("res.country.state"):state> — Unauthenticated endpoint 'L10nPEPortalAccount.state_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_pe route-public-sudo /portal/city_infos/<model("res.city"):city> — Unauthenticated endpoint 'L10nPEPortalAccount.city_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_tw_edi_ecpay route-public-csrf-off /invoice/ecpay/agreed_invoice_allowance/<int:invoice_id> — Public HTTP endpoint 'EcpayInvoiceController.agreed_invoice_allowance' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
link_tracker route-public-sudo /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/guest/update_name — Unauthenticated endpoint 'GuestController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/reaction — Unauthenticated endpoint 'MessageReactionController.mail_message_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview/hide — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview_hide' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/post — Unauthenticated endpoint 'ThreadController.mail_message_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/update_content — Unauthenticated endpoint 'ThreadController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-csrf-off /mail/unfollow — Public HTTP endpoint 'MailController.mail_action_unfollow' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail route-public-sudo /mail/unfollow — Unauthenticated endpoint 'MailController.mail_action_unfollow' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha>, /mail/font_to_img/<icon>, /mail/font_to_img/<icon>/<color>, /mail/font_to_img/<icon>/<color>/<int:size>, /mail/font_to_img/<icon>/<color>/<int:width>x<int:height>, /mail/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /mail/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /mail/font_to_img/<icon>/<color>/<bg>, /mail/font_to_img/<icon>/<color>/<bg>/<int:size>, /mail/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /mail/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'MailController.export_icon_to_png' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/attachment/upload — Unauthenticated endpoint 'AttachmentController.mail_attachment_upload' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/delete — Unauthenticated endpoint 'AttachmentController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/pdf_first_page/<int:attachment_id> — Unauthenticated endpoint 'AttachmentController.mail_attachment_pdf_first_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/update_thumbnail — Unauthenticated endpoint 'AttachmentController.mail_attachement_update_thumbnail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'PublicPageController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'RtcController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'RtcController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/join_call — Unauthenticated endpoint 'RtcController.channel_call_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/leave_call — Unauthenticated endpoint 'RtcController.channel_call_leave' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/cancel_call_invitation — Unauthenticated endpoint 'RtcController.channel_call_cancel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/ping — Unauthenticated endpoint 'RtcController.channel_ping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/attachments — Unauthenticated endpoint 'ChannelController.load_attachments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-csrf-off /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_plugin route-auth-none /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all
mail_plugin route-auth-none /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all
mail_tracking route-public-sudo /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
marketing_card route-public-sudo /cards/<string:card_slug>/card.jpg, /cards/<int:card_id>/card.jpg — Unauthenticated endpoint 'MarketingCardController.card_campaign_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
marketing_card route-public-sudo /cards/<string:card_slug>/preview, /cards/<int:card_id>/preview — Unauthenticated endpoint 'MarketingCardController.card_campaign_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
marketing_card route-public-sudo /cards/<string:card_slug>/redirect, /cards/<int:card_id>/redirect — Unauthenticated endpoint 'MarketingCardController.card_campaign_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-csrf-off /mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mass_mailing route-public-sudo /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/list/update — Unauthenticated endpoint 'MassMailController.mailing_update_list_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.mailing_send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_report_deactivate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.mailing_view_in_browser' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blocklist/add — Unauthenticated endpoint 'MassMailController.mail_blocklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blocklist/remove — Unauthenticated endpoint 'MassMailController.mail_blocklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /r/<string:code>/s/<int:sms_id_int> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments/details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off AdyenController.adyen_webhook — Public HTTP endpoint 'AdyenController.adyen_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_asiapay route-public-csrf-off AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_asiapay route-public-sudo AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_custom route-public-csrf-off CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_custom route-public-sudo CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_demo route-public-sudo PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ecpay route-public-csrf-off EcpayController.ecpay_return_from_checkout — Public HTTP endpoint 'EcpayController.ecpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ecpay route-public-sudo EcpayController.ecpay_return_from_checkout — Unauthenticated endpoint 'EcpayController.ecpay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ecpay route-public-csrf-off EcpayController.ecpay_webhook — Public HTTP endpoint 'EcpayController.ecpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ecpay route-public-sudo EcpayController.ecpay_webhook — Unauthenticated endpoint 'EcpayController.ecpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_flutterwave route-public-csrf-off FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_flutterwave route-public-sudo FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_iyzico route-public-csrf-off IyzicoController.iyzico_return_from_payment — Public HTTP endpoint 'IyzicoController.iyzico_return_from_payment' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_iyzico route-public-csrf-off IyzicoController.iyzico_webhook — Public HTTP endpoint 'IyzicoController.iyzico_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mercado_pago route-public-sudo /payment/mercado_pago/payments — Unauthenticated endpoint 'MercadoPagoPaymentController.mercado_pago_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mercado_pago route-public-csrf-off MercadoPagoPaymentController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoPaymentController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-csrf-off MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-csrf-off MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_nuvei route-public-sudo NuveiController.nuvei_return_from_checkout — Unauthenticated endpoint 'NuveiController.nuvei_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_nuvei route-public-csrf-off NuveiController.nuvei_webhook — Public HTTP endpoint 'NuveiController.nuvei_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_nuvei route-public-sudo NuveiController.nuvei_webhook — Unauthenticated endpoint 'NuveiController.nuvei_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paymob route-public-sudo PaymobController.paymob_return_from_checkout — Unauthenticated endpoint 'PaymobController.paymob_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paymob route-public-csrf-off PaymobController.paymob_webhook — Public HTTP endpoint 'PaymobController.paymob_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paymob route-public-sudo PaymobController.paymob_webhook — Unauthenticated endpoint 'PaymobController.paymob_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-sudo PaypalController.paypal_complete_order — Unauthenticated endpoint 'PaypalController.paypal_complete_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payu route-public-csrf-off PayuController.payu_return_from_checkout — Public HTTP endpoint 'PayuController.payu_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payu route-public-sudo PayuController.payu_return_from_checkout — Unauthenticated endpoint 'PayuController.payu_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payu route-public-csrf-off PayuController.payu_webhook — Public HTTP endpoint 'PayuController.payu_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payu route-public-sudo PayuController.payu_webhook — Unauthenticated endpoint 'PayuController.payu_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_razorpay route-public-csrf-off RazorpayController.razorpay_return_from_checkout — Public HTTP endpoint 'RazorpayController.razorpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_razorpay route-public-sudo RazorpayController.razorpay_return_from_checkout — Unauthenticated endpoint 'RazorpayController.razorpay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_razorpay route-public-csrf-off RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_razorpay route-public-sudo RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-sudo RedsysController.redsys_return_from_checkout — Unauthenticated endpoint 'RedsysController.redsys_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off RedsysController.redsys_webhook — Public HTTP endpoint 'RedsysController.redsys_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo RedsysController.redsys_webhook — Unauthenticated endpoint 'RedsysController.redsys_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo StripeController.stripe_return — Unauthenticated endpoint 'StripeController.stripe_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_webhook — Public HTTP endpoint 'StripeController.stripe_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_toss_payments route-public-sudo TossPaymentsController._toss_payments_success_return — Unauthenticated endpoint 'TossPaymentsController._toss_payments_success_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_toss_payments route-public-sudo TossPaymentsController._toss_payments_failure_return — Unauthenticated endpoint 'TossPaymentsController._toss_payments_failure_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_toss_payments route-public-csrf-off TossPaymentsController._toss_payments_webhook — Public HTTP endpoint 'TossPaymentsController._toss_payments_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_toss_payments route-public-sudo TossPaymentsController._toss_payments_webhook — Unauthenticated endpoint 'TossPaymentsController._toss_payments_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_worldline route-public-sudo WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_worldline route-public-csrf-off WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_worldline route-public-sudo WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-sudo /payment/xendit/payment — Unauthenticated endpoint 'XenditController.xendit_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-csrf-off XenditController.xendit_webhook — Public HTTP endpoint 'XenditController.xendit_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_xendit route-public-sudo XenditController.xendit_webhook — Unauthenticated endpoint 'XenditController.xendit_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-sudo XenditController.xendit_return — Unauthenticated endpoint 'XenditController.xendit_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale route-public-sudo /pos/ticket — Unauthenticated endpoint 'PosController.invoice_request_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale route-public-sudo /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale route-public-sudo /pos_customer_display/<id_>/<device_uuid> — Unauthenticated endpoint 'PosCustomerDisplay.pos_customer_display' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /my/address/country_info/<model("res.country"):country> — Unauthenticated endpoint 'CustomerPortal.portal_address_country_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /portal/chatter_init — Unauthenticated endpoint 'PortalChatter.portal_chatter_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_adyen route-public-sudo /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercado_pago route-public-csrf-off /pos_mercado_pago/notification — Public HTTP endpoint 'PosMercadoPagoWebhook.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_mercado_pago route-public-sudo /pos_mercado_pago/notification — Unauthenticated endpoint 'PosMercadoPagoWebhook.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercado_pago route-auth-none /pos_mercado_pago/notification — Endpoint 'PosMercadoPagoWebhook.notification' uses auth="none": it runs with no user/session at all
pos_mollie route-public-csrf-off /pos_mollie/webhook — Public HTTP endpoint 'PosMollie.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_mollie route-public-sudo /pos_mollie/webhook — Unauthenticated endpoint 'PosMollie.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_online_payment route-public-sudo /pos/pay/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_online_payment route-public-sudo /pos/pay/confirmation/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_qfpay route-public-csrf-off /qfpay/notify — Public HTTP endpoint 'QFPayNotificationController.qfpay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_qfpay route-public-sudo /qfpay/notify — Unauthenticated endpoint 'QFPayNotificationController.qfpay_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_safaricom route-public-csrf-off /pos_safaricom/callback — Public HTTP endpoint 'SafaricomController.safaricom_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_safaricom route-public-sudo /pos_safaricom/callback — Unauthenticated endpoint 'SafaricomController.safaricom_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_safaricom route-public-csrf-off /c2b/validation/callback — Public HTTP endpoint 'SafaricomController.c2b_validation_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_safaricom route-public-sudo /c2b/validation/callback — Unauthenticated endpoint 'SafaricomController.c2b_validation_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_safaricom route-public-csrf-off /c2b/confirmation/callback — Public HTTP endpoint 'SafaricomController.c2b_confirmation_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_safaricom route-public-sudo /c2b/confirmation/callback — Unauthenticated endpoint 'SafaricomController.c2b_confirmation_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /pos-self-order/process-order/<device_type>/ — Unauthenticated endpoint 'PosSelfOrderController.process_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /pos-self-order/validate-partner — Unauthenticated endpoint 'PosSelfOrderController.validate_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /pos-self/<config_id>, /pos-self/<config_id>/<path:subpath> — Unauthenticated endpoint 'PosSelfKiosk.start_self_ordering' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_viva_com route-public-csrf-off /pos_viva_com/notification — Public HTTP endpoint 'PosVivaComController.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_viva_com route-public-sudo /pos_viva_com/notification — Unauthenticated endpoint 'PosVivaComController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_viva_com route-auth-none /pos_viva_com/notification — Endpoint 'PosVivaComController.notification' uses auth="none": it runs with no user/session at all
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
rpc route-auth-none /web/version, /json/version — Endpoint 'RPC.version' uses auth="none": it runs with no user/session at all
rpc route-auth-none /jsonrpc — Endpoint 'JSONRPC.jsonrpc' uses auth="none": it runs with no user/session at all
rpc route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'XMLRPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
rpc route-auth-none /xmlrpc/<service> — Endpoint 'XMLRPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
rpc route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'XMLRPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
rpc route-auth-none /xmlrpc/2/<service> — Endpoint 'XMLRPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_gelato route-public-csrf-off GelatoController.gelato_webhook — Public HTTP endpoint 'GelatoController.gelato_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
sale_gelato route-public-sudo GelatoController.gelato_webhook — Unauthenticated endpoint 'GelatoController.gelato_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_stock rule-group-bypass sale_order_line_rule_stock_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_stock route-public-sudo /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_stock route-public-sudo /my/picking/return/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_return_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sales_team rule-group-bypass crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group
sms route-public-sudo /sms/status — Unauthenticated endpoint 'SmsController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sms_twilio route-public-csrf-off /sms_twilio/status/<string:uuid> — Public HTTP endpoint 'SmsTwilioController.update_sms_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
sms_twilio route-public-sudo /sms_twilio/status/<string:uuid> — Unauthenticated endpoint 'SmsTwilioController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
spreadsheet_dashboard route-public-sudo /dashboard/share/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.share_portal' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
spreadsheet_dashboard route-public-sudo /dashboard/data/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.get_shared_dashboard_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/start/<string:survey_token> — Unauthenticated endpoint 'Survey.survey_start' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_http route-auth-none /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/concurrency_error — Endpoint 'TestHttp.concurrency_error' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/httprequest_attrs — Endpoint 'TestHttp.request_attrs' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/httprequest_environ — Endpoint 'TestHttp.request_environ' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/f2qs/step1/no-operation-to-perform — Endpoint 'TestHttp.f2qs_test' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/f2qs/step2/1-var-in-fragment — Endpoint 'TestHttp.f2qs_test_simple_fragment' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/f2qs/step3/3-var-in-fragment — Endpoint 'TestHttp.f2qs_test_3_args_fragment' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/f2qs/step4/empty-query-3-var-in-frag — Endpoint 'TestHttp.f2qs_test_empty_query_with_fragment' uses auth="none": it runs with no user/session at all
test_website route-public-sudo /test_website/model_item_sudo/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item_sudo' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/assets/<string:unique>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-public-sudo /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/sign/get_fonts, /web/sign/get_fonts/<string:fontname> — Endpoint 'Binary.get_fonts' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web, /odoo, /odoo/<path:subpath>, /scoped_app/<path:subpath> — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all
web route-auth-none /robots.txt — Endpoint 'Home.robots' uses auth="none": it runs with no user/session at all
web_pwa_customize route-public-sudo /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
webservice route-public-csrf-off /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
webservice route-public-sudo /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /model/<string:page_name_slugified>, /model/<string:page_name_slugified>/page/<int:page_number>, /model/<string:page_name_slugified>/<string:record_slug> — Unauthenticated endpoint 'ModelPageController.generic_model' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-csrf-off /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.customers_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event rule-group-bypass ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event rule-group-bypass ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event route-public-sudo WebsiteEventController.events — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor route-public-sudo /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor route-public-sudo /event_sponsor/<int:sponsor_id>/read — Unauthenticated endpoint 'ExhibitorController.event_sponsor_read' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/track/send_email_reminder — Unauthenticated endpoint 'EventTrackController.send_email_reminder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_live route-public-sudo /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum rule-group-bypass website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/<model("forum.post"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/page/<int:page> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment route-public-sudo /website_hr_recruitment/check_recent_application — Unauthenticated endpoint 'WebsiteHrRecruitment.check_recent_application' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_group route-public-sudo /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_payment route-public-sudo /website_payment/snippet/supported_payment_methods — Unauthenticated endpoint 'PaymentPortal.get_supported_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo WebsiteSale.shop — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/<model("product.template"):product_template>/document/<int:document_id> — Unauthenticated endpoint 'WebsiteSale.product_document' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/product/is_add_to_cart_allowed — Unauthenticated endpoint 'WebsiteSale.is_add_to_cart_allowed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/update_address — Unauthenticated endpoint 'WebsiteSale.shop_update_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/set_delivery_method — Unauthenticated endpoint 'Delivery.shop_set_delivery_method' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/get_delivery_rate — Unauthenticated endpoint 'Delivery.shop_get_delivery_rate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo Cart.cart — Unauthenticated endpoint 'Cart.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo Cart.add_to_cart — Unauthenticated endpoint 'Cart.add_to_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /website/form/shop.sale.order — Unauthenticated endpoint 'WebsiteSaleForm.website_form_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_charge_payment_fee route-public-sudo /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.shop_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_collect route-public-sudo /shop/set_click_and_collect_location — Unauthenticated endpoint 'InStoreDelivery.shop_set_click_and_collect_location' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty route-public-sudo /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_mondialrelay route-public-sudo /website_sale_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock route-public-sudo /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSaleStock.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<int:wish_id> — Unauthenticated endpoint 'WebsiteSaleWishlist.remove_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides rule-group-bypass rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides route-public-sudo /slides/<int:channel_id>, /slides/<int:channel_id>/category/<int:category_id>, /slides/<int:channel_id>/category/<int:category_id>/page/<int:page>, /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group

Active Pull Requests 522

0 fresh 0 rotting 0 rotten

Module Repository Title Age CI
account-payment-state OCA/OpenUpgrade [18.0][OU-FIX] account: correct payment state for migrated payments #5767 no CI data
account-receipt OCA/account-invoicing [18.0][MIG] account_receipt_base, account_receipt_sale: Migration to 18.0 #2351 no CI data
account_account_tag_code OCA/account-financial-tools [18.0][MIG] account_account_tag_code: Migration to 18.0 #2006 no CI data
account_analytic_distribution_widget_rebalance OCA/account-analytic [18.0][MIG] account_analytic_distribution_widget_rebalance #832 no CI data
account_analytic_plan_applicability_product OCA/account-analytic [18.0][ADD] account_analytic_plan_applicability_product #889 no CI data
account_asset_batch_compute OCA/account-financial-tools [18.0][MIG] account_asset_batch_compute #2112 no CI data
account_asset_management_stock_lot OCA/account-financial-tools [18.0][MIG] account_asset_management_stock_lot: Migration to 18.0 #2283 no CI data
account_bank_reconciliation_summary_xlsx OCA/account-financial-reporting [18.0][MIG] account_bank_reconciliation_summary_xlsx #1380 no CI data
account_bank_statement_chatter OCA/account-financial-tools [18.0][MIG] account_bank_statement_chatter: Migration to 18.0 #2274 no CI data
account_bank_statement_reconcile_option OCA/account-reconcile [18.0][MIG] account_bank_statement_reconcile_option: Migration to 18.0 #922 no CI data
account_banking_ach_direct_debit OCA/l10n-usa [18.0][MIG] account_banking_ach_direct_debit: Migration to 18.0 #150 no CI data
account_banking_ach_discount OCA/l10n-usa [18.0][MIG] account_banking_ach_discount: Migration to 18.0 #153 no CI data
account_billing_from_cutoff OCA/l10n-japan [18.0][MIG] account_billing_from_cutoff: migration to 18.0 #110 no CI data
account_clearance_plan-qgr OCA/account-financial-tools [18.0][MIG] account_clearance_plan #2335 no CI data
account_clearance_plan_bank_payment-qgr OCA/account-financial-tools [18.0][MIG] account_clearance_plan_bank_payment #2345 no CI data
account_cost_center OCA/account-financial-tools [18.0][MIG] account_cost_center: Migration to 18.0 #2092 no CI data
account_due_list_aging_comment OCA/account-payment [MIG] account_due_list_aging_comment: Migration to 18.0 #957 no CI data
account_due_list_days_overdue OCA/account-payment [18.0][MIG] account_due_list_days_overdue #921 no CI data
account_ecotax_sale_tax OCA/account-fiscal-rule [18.0][MIG] account_ecotax_sale_tax #564 no CI data
account_ecotax_tax OCA/account-fiscal-rule [18.0][MIG] account_ecotax_tax #562 no CI data
account_fiscal_position_type OCA/account-fiscal-rule [18.0][MIG] account_fiscal_position_type #601 no CI data
account_invoice_block_payment OCA/account-invoicing [18.0][MIG] account_invoice_block_payment: Migration to 18.0 #1963 no CI data
account_invoice_change_currency OCA/account-invoicing [18.0][MIG]account_invoice_change_currency: Migration to v18 #2030 no CI data
account_invoice_check_picking_date OCA/account-invoicing [18.0][MIG] account_invoice_check_picking_date: Migration to 18.0 #1966 no CI data
account_invoice_currency_by_partner OCA/account-invoicing [18.0][MIG] account_invoice_currency_by_partner: Migration to version 18.0 #2380 no CI data
account_invoice_customer_no_autofollow OCA/account-invoicing [18.0][MIG] account_invoice_customer_no_autofollow: Migration to 18.0 #1967 no CI data
account_invoice_force_number OCA/account-invoicing [18.0][MIG] account_invoice_force_number: Migration to 18.0 #2316 no CI data
account_invoice_line_sequence OCA/account-invoicing [18.0][MIG] account_invoice_line_sequence Migration to 18.0 #2016 no CI data
account_invoice_payment_retention OCA/account-invoicing [18.0][MIG] account_invoice_payment_retention #2025 no CI data
account_invoice_refund_option OCA/account-invoicing [18.0][MIG] account_invoice_refund_option: Migration to 18.0 #2129 no CI data
account_invoice_refund_reinvoice OCA/account-invoicing [18.0][MIG] account_invoice_refund_reinvoice: Migration to 18.0 #1970 no CI data
account_invoice_supplier_self_invoice OCA/account-invoicing [18.0][MIG] account_invoice_supplier_self_invoice: Migration to 18.0 #2226 no CI data
account_liquidity_forecast OCA/account-financial-reporting [18.0][MIG] account_liquidity_forecast #1343 no CI data
account_mass_reconcile OCA/account-reconcile [18][MIG] account_mass_reconcile #969 no CI data
account_move_budget OCA/account-financial-tools [18.0][MIG] account_move_budget: Migration to 18.0 #2278 no CI data
account_move_exception OCA/account-invoicing [18.0][MIG] account_move_exception: Migration to 18.0 #2147 no CI data
account_move_exception-check OCA/account-invoicing [18.0][FIX] check migration of account_move_exception doing in 2147 #2355 no CI data
account_move_line_landed_cost_info OCA/account-financial-tools [18.0][MIG] account_move_line_landed_cost_info: Migration to 18.0 #2122 no CI data
account_move_line_product OCA/stock-logistics-warehouse [18.0][MIG] account_move_line_product: Migration to 18.0 #2420 no CI data
account_move_line_reconcile_manual OCA/account-reconcile [18.0][MIG] Account_move_line_reconcile_manual: Migration to 18.0 #814 no CI data
account_move_line_repair_info OCA/account-financial-tools [18.0][MIG] account_move_line_repair_info #2210 no CI data
account_move_line_repair_info_sale OCA/account-financial-tools [18.0][ADD] account_move_line_repair_info_sale #2211 no CI data
account_move_line_stock_info OCA/stock-logistics-warehouse [MIGRATION] account_move_line_stock_info: Migrate to Odoo 19.0 #2549 no CI data
account_move_mercanet_import OCA/l10n-france [18.0][ADD] account_move_mercanet_import #776 no CI data
account_move_monetico_import OCA/l10n-france [18.0][ADD] account_move_monetico_import #775 no CI data
account_move_sale_partner OCA/account-invoicing [18.0][MIG] account_move_order_partner: Migration to 18.0 #2166 no CI data
account_move_so_import OCA/account-reconcile [18][MIG] account_move_so_import #996 no CI data
account_move_substate OCA/account-invoicing [18.0][MIG] account_move_substate: Migrate to 18.0 #2143 no CI data
account_move_substate_superseed OCA/account-invoicing [18.0][MIG] account_move_substate: Migrate to 18.0 #2377 no CI data
account_move_transactionid_import OCA/account-reconcile [18.0][WIP] mig account move transactionid import #961 no CI data
account_multicurrency_revaluation OCA/account-closing [MIG][18.0] account_multicurrency_revaluation: Migration to 18.0. #362 no CI data
account_operating_unit_access_all OCA/operating-unit [18.0][MIG] account_operating_unit_access_all #805 no CI data
account_partner_journal OCA/account-invoicing [18.0][MIG] account_partner_journal: Migration to 18.0 #2112 no CI data
account_payment_multi_deduction OCA/account-payment [18.0][MIG] account_payment_multi_deduction: Migration to 18.0 #922 no CI data
account_payment_term_partner_holiday OCA/account-payment MIG 18.0 account_payment_term_partner_holiday #951 no CI data
account_payment_term_partner_paydays OCA/account-payment MIG 18.0 account_payment_term_partner_paydays #952 no CI data
account_portal_invoice_search_by_lot OCA/account-invoicing [MIG] account_portal_invoice_search_by_lot: migration to 18.0 #2299 no CI data
account_reconcile_model_multicompany_propagate OCA/multi-company [18.0][MIG] account_reconcile_model_multicompany_propagate #867 no CI data
account_reconcile_sale_order-imp-tx OCA/account-reconcile [18.0][IMP] account_reconcile_sale_order: payment transaction & downpayment #971 no CI data
account_report_invoice_barcode OCA/l10n-finland [18.0] Migrate account report invoice barcode #77 no CI data
account_reversal OCA/account-financial-tools [18.0][MIG] account_reversal: Migration to 18.0 #2326 no CI data
account_sale_stock_report_non_billed OCA/account-financial-reporting [18.0][MIG] account_sale_stock_report_non_billed: Migration to 18.0 #1491 no CI data
account_sale_stock_report_non_billed-BAD OCA/account-financial-reporting [18.0][MIG] account_sale_stock_report_non_billed: Migration to 18.0 #1386 no CI data
account_spread_cost_revenue_enhanced OCA/account-financial-tools [18.0][MIG] account_spread_cost_revenue_enhanced #2204 no CI data
account_statement_import_caisse_epargne OCA/bank-statement-import [18.0][MIG] account_statement_import_caisse_epargne: Migration to 18.0 #836 no CI data
account_statement_import_online_qonto OCA/bank-statement-import [18.0][MIG] account_statement_import_online_qonto: Migration to 18.0 #875 no CI data
account_statement_import_paypal OCA/bank-statement-import [18.0][MIG] account statement import paypal: Migration to 18.0 #849 no CI data
agreement_tier_validation OCA/contract [18.0][MIG] agreement_tier_validation: Migration to 18.0 #1244 no CI data
ai_automation OCA/ai [18.0] [MIG] ai_automation -> ai_server_action #81 no CI data
ai_automation OCA/ai [18.0][MIG] ai_automation #72 no CI data
ai_oca_mcp OCA/ai [18.0] [MIG] ai_oca_mcp #76 no CI data
analytic_operating_unit_access_all OCA/operating-unit [18.0][MIG] analytic_operating_unit_access_all: Migration to 18.0 #728 no CI data
analytic_partner OCA/account-analytic [18.0] [MIG] analytic_partner: Migration to 18.0 #823 no CI data
animal_owner OCA/partner-contact [18.0] [MIG] animal_owner: Migration to 18.0 #2397 no CI data
apps_download OCA/apps-store [18.0][MIG] apps_download #101 no CI data
apps_product_creator OCA/apps-store [18.0][MIG] apps_product_creator #100 no CI data
attachment_category OCA/knowledge [MIG] attachment_category: Migration to 18.0 #628 no CI data
attribute_set_completeness OCA/odoo-pim [18.0][MIG] attribute_set_completeness: Migration to 18.0 #233 no CI data
attribute_set_mass_edit OCA/odoo-pim [18.0][MIG] attribute_set_mass_edit: Migration to 18.0 #234 no CI data
attribute_set_searchable OCA/odoo-pim [MIG] attribute_set_searchable: Migration to 18.0 #205 no CI data
auth_oauth_autologin OCA/server-auth [18.0][MIG] auth_oauth_autologin: Migration to 18.0 #868 no CI data
auto_backup_fs_file OCA/server-tools [18.0] [MIG] auto_backup_fs_file #3619 no CI data
barcodes_generator_package OCA/stock-logistics-barcode [18.0][MIG] barcodes_generator_package: Migration to 18.0 #738 no CI data
base-edifact OCA/edi [18.0][MIG] base_edifact: Migration to 18.0 #1324 no CI data
base_conditional_image OCA/server-tools [MIG] base_conditional_image: Migration to 18.0 #3556 no CI data
base_domain_inverse_function OCA/server-tools [MIG] base_domain_inverse_function: Migration to 18.0 #3557 no CI data
base_domain_inverse_function OCA/server-tools [18.0][MIG] base_domain_inverse_function: Migration to 18.0 #3252 no CI data
base_duplicate_security_group OCA/server-ux [18.0] [MIG] base_duplicate_security_group #1288 no CI data
base_export_async OCA/queue [18.0][MIG] base_export_async: migrate #849 no CI data
base_external_dbsource_importer OCA/server-backend [18.0][ADD] base_external_dbsource_importer: New module #461 no CI data
base_external_dbsource_sap_hana OCA/server-backend [18.0][MIG] base_external_dbsource_sap_hana: Migration to 18.0 #463 no CI data
base_import_default_enable_tracking OCA/server-tools [MIG] base_import_default_enable_tracking: Migration to 18.0 #3558 no CI data
base_kanban_stage OCA/server-tools [18.0][MIG] base_kanban_stage: Migration to 18.0 #3548 no CI data
base_multi_image OCA/server-tools 18.0 mig base multi image #3199 no CI data
base_report_to_printer_websocket OCA/report-print-send [18.0][MIG] base_report_to_printer_websocket #457 no CI data
base_sequence_default OCA/server-tools [18.0][MIG] base_sequence_default: Migration to 18.0 #3259 no CI data
base_write_diff OCA/server-tools [18.0][MIG] `base_write_diff`: Migration to 18.0 #3466 no CI data
calendar_dav OCA/calendar [18.0][MIG] calendar dav: Migration to 18.0 #205 no CI data
calendar_event_link_base OCA/calendar [18.0] [MIG] calendar_event_link_base: Migration to 18.0 #148 no CI data
cmis-pha OCA/connector-cmis [18.0][MIG] cmis: Migration to 18.0 #47 no CI data
company_dependent_flag OCA/multi-company [18.0][MIG] company_dependent_flag: Migration to 18.0 #709 no CI data
compute_field_after_install OCA/server-tools [18.0][ADD] compute_field_after_install #3648 no CI data
connector-pretashop-fix OCA/connector-prestashop [18.0][MIG] connector pretashop : Migration #189 no CI data
connector_ecommerce OCA/connector-ecommerce [18.0][MIG] connector_ecommerce: Migration to 18.0 #85 no CI data
connector_woocommerce OCA/connector-woocommerce [18.0][MIG] connector_woocommerce #59 no CI data
contract_operating_unit OCA/operating-unit [18.0][MIG] contract_operating_unit: Migration to 18.0 #829 no CI data
crm_phonecall_timesheet OCA/timesheet [18.0][MIG] crm_phonecall_timesheet: Migration to 18.0 #855 no CI data
currency_rate_inverted OCA/currency [18.0][MIG] currency_rate_inverted #231 no CI data
currency_rate_update_wise OCA/currency [18.0][MIG] currency_rate_update_wise #225 no CI data
datetime_formatter OCA/server-tools [MIG] datetime_formatter: Migration to 18.0 #3554 no CI data
delivery_carrier_label_batch OCA/delivery-carrier [18.0][MIG] delivery_carrier_label_batch: Migration to 18.0 #984 no CI data
delivery_carrier_service_level OCA/delivery-carrier [18.0][MIG] delivery_carrier_service_level: Migration to 18.0 #1197 no CI data
delivery_fee OCA/delivery-carrier [18.0][MIG] delivery_fee: migrate to 18.0 #1146 no CI data
delivery_mrw OCA/l10n-spain [18.0][MIG] delivery_mrw: Migration to 18.0 #4758 no CI data
delivery_sendcloud_oca OCA/delivery-carrier [18.0][MIG] delivery_sendcloud_oca: Migration to 18.0 #1063 no CI data
dms_account_avatax_exemption OCA/l10n-usa [MIG] dms_account_avatax_exemption: Migration to 18.0 #165 no CI data
dms_attachment_link OCA/dms [MIG] dms_attachment_link: Migration to 18.0 #478 no CI data
dms_attachment_link OCA/dms [MIG] dms_attachment_link: Migration to 18.0 #460 no CI data
dms_storage OCA/dms [18.0][MIG] dms_storage: Migration to 18.0 #410 no CI data
document_page_portal OCA/knowledge [18.0][MIG] document_page_portal #615 no CI data
edi_partner_oca_v2 OCA/edi-framework [18.0][MIG] edi_partner_oca: Migration to 18.0 #241 no CI data
edi_voxel_stock_picking_secondary_unit_oca OCA/edi-voxel [18.0][MIG] edi_voxel_stock_picking_secondary_unit_oca: Migration to version 18.0 and move from OCA/edi to OCA/edi-voxel #14 no CI data
ediversa OCA/edi-ediversa [DO NOT MERGE][18.0][MIG] edi_ediversa_oca #2 no CI data
event_sale_reservation OCA/event [18.0][MIG] event_sale_reservation: Migration to 18.0 #436 no CI data
excel_import_export_demo OCA/server-tools [18.0][MIG] excel_import_export_demo: Migration to 18.0 #3208 no CI data
fastapi_encrypted_errors OCA/rest-framework [18.0][MIG] fastapi encrypted errors #583 no CI data
fetchmail_mail_activity_team_activity OCA/mail [18.0][MIG] fetchmail_mail_activity_team_activity: Migration to v18.0 #132 no CI data
fieldservice_account_payment OCA/field-service [18.0] [MIG] fieldservice_account_payment #1511 no CI data
fieldservice_maintenance OCA/field-service 18.0 mig fieldservice maintenance #1520 no CI data
fieldservice_order_property OCA/field-service [18.0] [MIG] fieldservice_order_property #1538 no CI data
fieldservice_purchase OCA/field-service [18.0] [MIG] fieldservice_purchase #1551 no CI data
fiscal_epos_print OCA/l10n-italy porting fiscal_epos_print to 18 > l10n_it_fiscal_epos_print #4898 no CI data
fs_base_multi_image OCA/storage [MIG] fs_base_multi_image: Migration to 18.0 #506 no CI data
fs_file_demo OCA/storage [18.0][MIG] fs_file_demo: Migration to 18.0 #504 no CI data
fs_product_brand_multi_image OCA/storage [18.0][MIG] fs_product_brand_multi_image: Migration to 18.0 #505 no CI data
fs_storage_backup OCA/storage [18.0][MIG] Migration of fs_storage_backup #475 no CI data
geoengine_partner OCA/geospatial [18.0] [MIG] geoengine_partner #460 no CI data
graphql_base OCA/rest-framework [18.0][MIG] graphql_base: Migration to 18.0 #474 no CI data
graphql_demo OCA/rest-framework [18.0][MIG] graphql_demo: Migration to 18.0 #475 no CI data
helpdesk_mgmt_assign_method OCA/helpdesk [18.0][MIG] helpdesk_mgmt_assign_method: Migration to 18.0 #1038 no CI data
helpdesk_mgmt_stock OCA/helpdesk [18.0][MIG] helpdesk_mgmt_stock: Migration to 18.0 #1008 no CI data
hr_announcement OCA/hr [18.0][MIG] hr_announcement: Migration to 18.0 #1582 no CI data
hr_attendance_autoclose OCA/hr-attendance [18.0][MIG] hr_attendance_autoclose: Migration to 18.0 #228 no CI data
hr_attendance_geolocation OCA/hr-attendance [18.0][MIG] hr_attendance_geolocation: Migration to 18.0 #285 no CI data
hr_attendance_geolocation_required OCA/hr-attendance [18.0][MIG] hr_attendance_geolocation_required: migrate to 18.0 #246 no CI data
hr_attendance_hour_type_report OCA/hr-attendance [18.0][MIG] hr_attendance_hour_type_report: Migration to 18.0 #286 no CI data
hr_attendance_modification_tracking OCA/hr-attendance [18.0][MIG] hr_attendance_modification_tracking: Migration to 18.0 #197 no CI data
hr_attendance_report OCA/hr-attendance [MIG] hr_attendance_report: migrate to 18.0 #245 no CI data
hr_expense_advance_overdue_reminder OCA/hr-expense [18.0][MIG] hr_expense_advance_overdue_reminder: Migration to 18.0 #363 no CI data
hr_expense_journal OCA/hr-expense [18.0][MIG] hr_expense_journal: Migration to 18.0 #300 no CI data
hr_expense_overdue_reminder OCA/hr-expense [18.0][MIG/REF] hr_expense_advance_overdue_reminder #326 no CI data
hr_expense_pay_to_vendor OCA/hr-expense [18.0][MIG] hr_expense_pay_to_vendor: Migration to 18.0 #336 no CI data
hr_holidays_auto_extend OCA/hr-holidays [18.0][MIG] hr_holidays_auto_extend: Migration to 18.0 #184 no CI data
hr_holidays_leave_auto_approve OCA/hr-holidays [18.0][MIG] hr_holidays_leave_auto_approve: Migration to 18.0 #179 no CI data
hr_holidays_public_overtime OCA/hr-holidays [18.0][MIG] hr_holidays_public_overtime: Migration to 18.0 #190 no CI data
hr_holidays_summary_email OCA/hr-holidays [18.0][MIG] hr_holidays_summary_email: Migration to 18.0 #181 no CI data
hr_leave_custom_hour_interval OCA/hr-holidays 18.0 mig hr leave custom hour interval #242 no CI data
hr_leave_custom_hour_interval OCA/hr-holidays [18.0][MIG] hr_leave_custom_hour_interval: Migration to 18.0 #182 no CI data
hr_leave_type_code OCA/hr-holidays [18.0][MIG] hr_leave_type_code: Migration to 18.0 #183 no CI data
hr_operating_unit OCA/operating-unit [18.0][MIG] hr_operating_unit: Migration to 18.0 #732 no CI data
hr_payroll_document OCA/payroll [18.0][MIG] hr_payroll_document: Migration to 18.0 #268 no CI data
hr_payroll_document OCA/payroll [18.0][MIG] hr_payroll_document: Migration to 18.0 #239 no CI data
hr_personal_equipment_request OCA/hr [18.0][MIG]hr_personal_equipment_request: migration to 18.0 #1500 no CI data
hr_personal_equipment_request_tier_validation OCA/hr [18.0][MIG] hr_ personal_equipment_request_tier_validation #1485 no CI data
hr_personal_equipment_stock OCA/hr [MIG] hr_personal_equipment_stock: Migration to 18.0 #1462 no CI data
hr_presence OCA/OpenUpgrade [18.0][OU-ADD] hr_presence: Migrate to 18.0 #5620 no CI data
hr_shift_holidays_public OCA/shift-planning [18.0][MIG] hr_shift_holidays_public: Migration to 18.0 #27 no CI data
hr_utilization_report OCA/timesheet [18.0][MIG] hr_utilization_report: Migration to 18.0 #748 no CI data
hr_work_entry_profile OCA/hr [18.0][MIG] hr_work_entry_profile: Migration to 18.0 #1447 no CI data
html_image_url_extractor OCA/server-tools [18.0][MIG] html_image_url_extractor: Migration to 18.0 #3532 no CI data
image-download OCA/web [MIG] web_widget_image_download: Migration to 18.0 #3439 no CI data
intrastat_product_generic OCA/intrastat-extrastat [18.0][MIG] intrastat_product_generic: Migration to 18.0 #350 no CI data
intrastat_product_hscodes_import OCA/intrastat-extrastat [18.0][MIG] intrastat_product_hscodes_import #311 no CI data
iot_input_oca OCA/iot [18.0][MIG] iot_input_oca #111 no CI data
iot_output_oca OCA/iot [18.0][MIG] iot_output_oca #110 no CI data
iot_template_oca OCA/iot [18.0][mig] iot_template_oca #112 no CI data
ir_config_parameter_multi_company OCA/multi-company [18.0][MIG] ir config parameter multi company #857 no CI data
json_export_engine OCA/server-tools [18.0][MIG] json_export_engine: Migration to 18.0 #3569 no CI data
l10n_be_intrastat_product OCA/l10n-belgium [18.0][MIG] l10n_be_intrastat_product: Migration to 18.0 #264 no CI data
l10n_br_account_nfe OCA/l10n-brazil [18.0][MIG] l10n_br_account_nfe #4630 no CI data
l10n_br_account_renegotiation OCA/l10n-brazil [18.0][MIG] l10n_br_account_renegotiation #4498 no CI data
l10n_br_contract-2 OCA/l10n-brazil [18.0][MIG] l10n_br_contract: Migration to 18.0 #4625 no CI data
l10n_br_contract-2-gabriel OCA/l10n-brazil [18.0][MIG] l10n_br_contract: Migration to 18.0 #4649 no CI data
l10n_br_cte OCA/l10n-brazil [18.0][MIG] l10n_br_cte #4443 no CI data
l10n_br_mdfe OCA/l10n-brazil [18.0][MIG] l10n_br_mdfe #4442 no CI data
l10n_br_purchase OCA/l10n-brazil [18.0][MIG] l10n_br_purchase #4458 no CI data
l10n_br_repair OCA/l10n-brazil [18.0][WIP][MIG] l10n_br_repair: Migration to 18.0 #4525 no CI data
l10n_br_sale_blanket_order OCA/l10n-brazil [18.0][MIG] l10n_br_sale_blanket_order: Migration to 18.0 #4642 no CI data
l10n_br_sped_ecd OCA/l10n-brazil [18.0][MIG] l10n_br_sped_ecd: Migration to 18.0 #4656 no CI data
l10n_br_sped_ecf OCA/l10n-brazil [18.0][ADD] l10n_br_sped_ecf: ECF (Escrituração Contábil Fiscal) #4659 no CI data
l10n_br_sped_efd_icms_ipi OCA/l10n-brazil [18.0][ADD] l10n_br_sped_efd_icms_ipi: EFD ICMS/IPI (SPED Fiscal) #4657 no CI data
l10n_br_sped_efd_pis_cofins OCA/l10n-brazil [18.0][ADD] l10n_br_sped_efd_pis_cofins: EFD Contribuições #4658 no CI data
l10n_br_stock_account OCA/l10n-brazil [18.0][MIG] l10n _br_stock_account #4590 no CI data
l10n_ch_pain_credit_transfer OCA/l10n-switzerland [18.0][MIG] l10n_ch_pain_credit_transfer: Migration to 18.0 with pain09.ch.03 support #787 no CI data
l10n_de_partner_company_type OCA/l10n-germany [18.0][MIG] l10n_de_partner_company_type #244 no CI data
l10n_es_aeat_mod322 OCA/l10n-spain [18.0][MIG] l10n_es_aeat_mod322: Migration to 18.0 #4836 no CI data
l10n_es_aeat_mod592 OCA/l10n-spain [18.0][MIG] l10n_es_aeat_mod592: Migration to 18.0 #4928 no CI data
l10n_es_digital_canon_report OCA/l10n-spain [18.0][MIG] l10n_es_digital_canon_report: Migration to 18.0 #4787 no CI data
l10n_es_pos_by_device OCA/l10n-spain [18.0][MIG] l10n_es_pos_by_device: Migration to version 18.0 #4927 no CI data
l10n_es_verifactu_oca_oss OCA/l10n-spain [18.0][MIG] l10n_es_verifactu_oca_oss: Migration to 18.0 #4614 no CI data
l10n_es_verifactu_pos_oca OCA/l10n-spain [18.0][MIG] l10n_es_verifactu_pos_oca: Migration to 18.0 #4583 no CI data
l10n_fr_fec_background OCA/l10n-france [18.0][MIG] l10n_fr_fec_background: Migration to 18.0 #689 no CI data
l10n_fr_fec_group_sale_purchase OCA/l10n-france [18.0][ADD] l10n_fr_fec_group_sale_purchase #688 no CI data
l10n_fr_fec_oca OCA/l10n-france [18.0][MIG] l10n_fr_fec_oca: Migration to 18.0 #687 no CI data
l10n_fr_hr_rup OCA/l10n-france [18][MIG] l10n_fr_hr_rup #757 no CI data
l10n_it_sct_cbi OCA/l10n-italy [MIG] l10n_it_sct_cbi: Migration to 18.0 #4920 no CI data
l10n_it_sdd_cbi OCA/l10n-italy [18.0] [MIG] l10n_it_sdd_cbi: Migration to 18.0 #5040 no CI data
l10n_jp_summary_invoice_sale_partner OCA/l10n-japan [18.0][MIG] l10n_jp_summary_invoice_order_partner: Migration to 18.0 #93 no CI data
l10n_pt_stock_vehicle_daily OCA/l10n-portugal [18.0][MIG] l10n_pt_stock_vehicle_daily: Migration to 18.0 #153 no CI data
l10n_th_account_tax_filing OCA/l10n-thailand [18.0][MIG] l10n_th_account_tax_filing #588 no CI data
l10n_th_bank_payment_export2 OCA/l10n-thailand [WIP][18.0][MIG] l10n_th_bank_payment_export #534 no CI data
l10n_th_gov_account_asset_management OCA/l10n-thailand [18.0][MIG] l10n_th_gov_account_asset_management: Migration to 18.0 #608 no CI data
l10n_th_gov_hr_expense OCA/l10n-thailand [18.0][MIG] l10n_th_gov_hr_expense: Migration to 18.0 #607 no CI data
l10n_th_gov_purchase_agreement OCA/l10n-thailand [18.0][MIG] l10n_th_gov_purchase_agreement: Migration to 18.0 #605 no CI data
l10n_th_gov_purchase_report OCA/l10n-thailand [18.0][MIG] l10n_th_gov_purchase_report: Migration to 18.0 #610 no CI data
l10n_th_gov_work_acceptance OCA/l10n-thailand [18.0][MIG] l10n_th_gov_work_acceptance: Migration to 18.0 #603 no CI data
l10n_th_promptpay OCA/l10n-thailand [18.0][MIG / REF / IMP] l10n_th_promptpay #591 no CI data
l10n_th_tax_address OCA/l10n-thailand [18.0][MIG] l10n_th_tax_address: Migration to 18.0 #562 no CI data
l10n_us_form_1099-new OCA/l10n-usa [18.0][MIG] l10n_us_form_1099: Migration to 18.0 #144 no CI data
letsencrypt OCA/server-tools [18.0][MIG] letsencrypt #3553 no CI data
mail-mail_visible_email OCA/mail [18.0][MIG] mail_visible_email #214 no CI data
mail_activity_partner OCA/mail [MIG][18.0] mail_activity_partner: Migration to 18.0 #191 no CI data
mail_activity_partner-hda OCA/mail [18][MIG] mail_activity_partner #175 no CI data
mail_activity_reply_creator OCA/mail [18.0][MIG] mail_activity_reply_creator: Migration to 18.0 #26 no CI data
mail_composer_cc_bcc OCA/mail [MIG] mail_composer_cc_bcc: Migration to 18.0 #232 no CI data
mail_composer_cc_bcc_account OCA/mail [18.0][MIG] mail_composer_cc_bcc_account: Migration to 18.0 #4 no CI data
mail_filter_adressee_by_contact OCA/social [DRAFT][18.0][MIG] mail_filter_adressee_by_contact #1760 no CI data
mail_filter_adressee_by_contact_supersede OCA/social [18.0][MIG] mail_filter_adressee_by_contact (supersede) #1841 no CI data
mail_partial_autodelete OCA/social [18.0][MIG] mail_partial_autodelete #1763 no CI data
mail_send_copy OCA/social [18.0][MIG] mail_send_copy #1762 no CI data
mail_template_substitute_account_move OCA/account-financial-tools [18.0][MIG] mail_template_substitute_account_move: Migration to 18.0 #2324 no CI data
maintenance_equipment_image OCA/maintenance [18.0][MIG] maintenance_equipment_image: Migration to 18.0 #516 no CI data
maintenance_equipment_meter OCA/maintenance [18.0][MIG] maintenance_equipment_meter: Migration to 18.0 #571 no CI data
maintenance_equipment_scrap OCA/maintenance [18.0][MIG] maintenance_equipment_scrap: Migration to 18.0 #519 no CI data
maintenance_inspection OCA/maintenance [18.0][MIG] maintenance_inspection: Migration to 18.0 #521 no CI data
maintenance_location OCA/maintenance [18.0][MIG] maintenance_location: Migration to 18.0 #523 no CI data
maintenance_location_hr OCA/maintenance [18.0][MIG] maintenance_location_hr: Migration to 18.0 #573 no CI data
maintenance_request_stage_transition OCA/maintenance [18.0][MIG] maintenance_request_stage_transition: Migration to 18.0 #572 no CI data
maintenance_team_hierarchy OCA/maintenance [18.0][MIG] maintenance_team_hierarchy: Migration to 18.0 #517 no CI data
mass_mailing_contact_active-BAD OCA/mass-mailing [18.0][MIG] mass_mailing_contact_active: Migration to 18.0 #8 no CI data
mass_mailing_unique-BAD OCA/mass-mailing [18.0][MIG] mass_mailing_unique: Migration to 18.0 #5 no CI data
mgmtsystem_evaluation_hr OCA/management-system [18.0][MIG] mgmtsystem_evaluation_hr: Migration to 18.0 #839 no CI data
mis_builder_analytic OCA/mis-builder-contrib [18.0][MIG] mis_builder_analytic: Migration to version 18.0 #61 no CI data
mis_builder_budget_operating_unit OCA/operating-unit [18.0][MIG] mis_builder_budget_operating_unit: Migration to 18.0 #855 no CI data
mis_builder_operating_unit OCA/operating-unit [18.0][MIG] mis builder operating unit: Migration from 15.0 to 18.0 #854 no CI data
module_analysis OCA/server-tools [MIG] module_analysis: Migration to 18.0 #3184 no CI data
mrp_default_workorder_time OCA/manufacture [18.0][MIG] mrp_default_workorder_time: Migration to 18.0 #1672 no CI data
mrp_flattened_bom_xlsx_direct_materials_cost OCA/manufacture-reporting [18.0][MIG] mrp_flattened_bom_xlsx_direct_materials_cost: Migration to 18.0 #147 no CI data
mrp_flattened_bom_xlsx_labour_cost OCA/manufacture-reporting [18.0][MIG] mrp_flattened_bom_xlsx_labour_cost: Migration to 18.0 #148 no CI data
mrp_flattened_bom_xlsx_subcontracting_cost OCA/manufacture-reporting [18.0][MIG] mrp_flattened_bom_xlsx_subcontracting_cost: Migration to 18.0 #149 no CI data
mrp_planned_order_matrix OCA/manufacture [18.0][MIG]mrp_planned_order_matrix #1819 no CI data
mrp_primecontractor_raw_material OCA/manufacture [18.0][MIG] mrp_primecontractor_raw_material: migration to 18.0 #1816 no CI data
mrp_production_request OCA/manufacture [18.0][MIG] mrp_production_request #1552 no CI data
mrp_production_serial_matrix OCA/manufacture [MIG] mrp_production_serial_matrix: Migration to 18.0 #1742 no CI data
mrp_progress_button OCA/manufacture [18.0][MIG] mrp_progress_button: Migration to 18.0 #1729 no CI data
mrp_stock_analytic OCA/account-analytic [18.0][MIG] mrp_stock_analytic: Migration to 18.0 #878 no CI data
mrp_stock_analytic OCA/account-analytic [18.0][MIG] mrp_stock_analytic #854 no CI data
mrp_stock_owner_restriction OCA/manufacture [18.0][MIG] mrp_stock_owner_restriction #1518 no CI data
mrp_subcontractor OCA/manufacture [18.0][MIG] mrp_subcontractor: Migration to 18.0 #1660 no CI data
mrp_unbuild_restore_origin OCA/manufacture [18.0][MIG] mrp_unbuild_restore_origin: Migration to 18.0 #1666 no CI data
mrp_weighing_picking_batch OCA/stock-weighing [18.0][MIG] mrp_weighing_picking_batch: Migration to 18.0 #69 no CI data
odoo_repository_code OCA/module-composition-analysis [18.0][ADD] odoo_repository_code: to scan modules code #148 no CI data
partner_contact_in_several_companies OCA/partner-contact [18.0][MIG] partner_contact_in_several_companies: Migration to 18.0 #2383 no CI data
partner_contact_in_several_companies-BAD OCA/partner-contact [18.0][MIG] partner_contact_in_several_companies: Migration to 18.0 #2131 no CI data
partner_data_vies_populator OCA/partner-contact [WIP][18.0][MIG] partner_data_vies_populator #2373 no CI data
partner_last_invoice_date OCA/account-invoicing [18.0][MIG] partner_last_invoice_date: Migration to 18.0 #2021 no CI data
partner_phone_extension OCA/partner-contact [MIG] partner_phone_extension: Migration to 18.0 #2120 no CI data
payment_monetico OCA/l10n-france [18.0] [ADD] payment_monetico #774 no CI data
pos-fiscalcode OCA/l10n-italy [MIG] l10n_it_pos_fiscalcode: Migration to 18.0 #5146 no CI data
pos_automatic_cashdrawer OCA/pos [18.0][ADD] pos_automatic_cashdrawer #1485 no CI data
pos_customer_comment OCA/pos [18.0][MIG] pos_customer_comment: Migration to 18.0 #1505 no CI data
pos_customer_required OCA/pos [18.0][MIG] pos_customer_required: Migration to 18.0 #1413 no CI data
pos_early_receipt_printing OCA/pos [18.0][MIG] pos_early_receipt_printing #1566 no CI data
pos_edit_order_line OCA/pos [18.0][MIG] pos_edit_order_line: Migration to 18.0 #1293 no CI data
pos_full_refund OCA/pos [18.0] pos_full_refund #1407 no CI data
pos_hide_cost_price_and_margin OCA/pos [18.0][MIG] pos_hide_cost_price_and_margin: Migration to 18.0 #1286 no CI data
pos_order_copy OCA/pos [18.0][MIG] pos_order_copy: Migration to 18.0 #1294 no CI data
pos_order_new_line OCA/pos [18.0][MIG] pos_order_new_line: Migration to 18.0 #1295 no CI data
pos_order_reorder OCA/pos [18.0][MIG] pos_order_reorder: Migration to 18.0 #1297 no CI data
pos_order_report OCA/pos [18.0][MIG] pos_order_report: Migration to 18.0 #1445 no CI data
pos_order_return OCA/pos [18.0][MIG] pos_order_return: Migration to 18.0 #1473 no CI data
pos_order_return_scrap OCA/pos [18.0][ADD] pos_order_return_scrap: Add to 18.0 #1476 no CI data
pos_partner_firstname OCA/pos [18.0][MIG] pos_partner_firstname #1578 no CI data
pos_payment_change OCA/pos [18.0][MIG] pos_payment_change: Migration to 18.0 #1573 no CI data
pos_payment_terminal_return OCA/pos [18.0][ADD] pos_payment_terminal_return #1475 no CI data
pos_product_mergeable_line OCA/pos [18.0][MIG] pos_product_mergeable_line: Migration to 18.0 #1298 no CI data
pos_require_product_quantity OCA/pos [18.0][MIG] pos_require_product_quantity: Migration to 18.0 #1561 no CI data
pos_show_clock OCA/pos [18.0][MIG] pos_show_clock: Migration to 18.0 #1314 no CI data
pos_show_config_name OCA/pos [18.0][MIG] pos_show_config_name #1358 no CI data
pos_ticket_extra_company_info_l10n_fr OCA/pos [18.0][MIG] pos_ticket_extra_company_info_l10n_fr: Migration to 18.0 #1299 no CI data
pos_ticket_send_by_mail OCA/pos [18.0][MIG] pos_ticket_send_by_mail: Migration to 18.0 #1460 no CI data
pos_transfer_account OCA/pos [18.0][MIG] pos_transfer_account: Migration to 18.0 #1459 no CI data
privacy_partner_report OCA/data-protection [18.0][MIG] privacy_partner_report: Migration to 18.0 #85 no CI data
product_abc_classification_sale_stock OCA/product-attribute [18.0][MIG] product_abc_classification_sale_stock #2337 no CI data
product_abc_classification_sale_stock OCA/product-attribute [18.0] [MIG] product_abc_classification_sale_stock #2016 no CI data
product_alias_multi_link OCA/e-commerce [18.0][MIG] product_alias_multi_link #1208 no CI data
product_analytic_purchase OCA/account-analytic [18.0][MIG] product_analytic_purchase : migration to 18.0 #781 no CI data
product_assortment-temp OCA/product-attribute [18.0] migration leftover product_assortment #1908 no CI data
product_attribute_value_dependent_mixin OCA/product-attribute [18.0][MIG] product_attribute_value_dependent_mixin: Migration to 18.0 #2250 no CI data
product_attribute_variant_rules OCA/product-attribute [18.0][MIG] product attribute variant rules #2154 no CI data
product_average_consumption OCA/stock-logistics-warehouse [18.0][MIG] product_average_consumption: Migration to 18.0 #2455 no CI data
product_category_description OCA/product-attribute [18.0][MIG] product_category_description: Migration to 18.0 #1916 no CI data
product_category_hr_department OCA/product-attribute [18.0][MIG] product_category_hr_department: Migration to 18.0 #1917 no CI data
product_category_level OCA/product-attribute [18.0][MIG] product_category_level: Migration to 18.0 #1918 no CI data
product_configurator_purchase OCA/product-configurator [18.0][MIG] Module: product_configurator_purchase #174 no CI data
product_cost_rollup_to_bom OCA/manufacture [18.0][MIG] product_cost_rollup_to_bom: Migration to 18.0 #1811 no CI data
product_document_domain OCA/product-attribute [18.0][MIG] product_document_domain: Migration to 18.0 #1827 no CI data
product_exception OCA/product-attribute [18.0][MIG] product_exception #2161 no CI data
product_history OCA/stock-logistics-warehouse [18.0][ADD] product_history #2456 no CI data
product_import_autocomplete_attribute OCA/product-attribute [18.0][MIG] product_import_autocomplete_attribute #2159 no CI data
product_matrix_show_color OCA/product-variant [18.0][MIG] product_matrix_show_color #422 no CI data
product_mrp_info OCA/manufacture [18.0][MIG] product_mrp_info: Migration to 18.0 #1589 no CI data
product_multi_image OCA/product-attribute [18.0][MIG] product_multi_image: Migration to 18.0 #2253 no CI data
product_multi_image OCA/product-attribute [18.0][MIG] product_multi_image: Migration to 18.0 #2074 no CI data
product_optional_product_quantity OCA/product-attribute [18.0][MIG] product_optional_product_quantity: Migration to 18.0 #1919 no CI data
product_packaging_level_purchasable OCA/product-attribute [18.0][MIG] product_packaging_level_purchasable: Migration to 18.0 #1921 no CI data
product_restricted_type OCA/product-attribute [18.0][MIG] product_restricted_type #2319 no CI data
product_search_multi_value OCA/odoo-pim [18.0][MIG] product_search_multi_value #230 no CI data
product_state_active OCA/product-attribute [18.0][MIG] product_state_active: Migration to 18.0. #2199 no CI data
product_supplierinfo_group OCA/product-attribute [18.0] [MIG] product_supplierinfo_group #2151 no CI data
product_supplierinfo_picking OCA/stock-logistics-workflow [18.0][MIG] product_supplierinfo_picking: Migration to 18.0 #2239 no CI data
product_to_scale_bizerba OCA/product-attribute [18.0][MIG] product_to_scale_bizerba: Migration to 18.0 #2143 no CI data
product_variant_attribute_name_manager OCA/product-attribute [18.0][MIG] product_variant_attribute_name_manager: Migration to 18.0 #2147 no CI data
product_variant_template_reassign OCA/product-variant [18.0][MIG] product_variant_template_reassign: Migration to version 18.0 #456 no CI data
progressbar-gradient-dro OCA/web [18.0][MIG] web_widget_progressbar_gradient #3229 no CI data
project_analytic_code OCA/project [18.0][MIG] project_analytic_code: Migration to 18.0 #1763 no CI data
project_crm_postsale_automation OCA/project 18.0 mig project crm postsale automation #1769 no CI data
project_operating_unit OCA/operating-unit [18.0][MIG] project_operating_unit: Migration to 18.0 #730 no CI data
project_risk OCA/project [MIG] project_risk: Migration to 18.0 #1762 no CI data
project_share OCA/project [18.0] [MIG] project_share: Migration to 18.0 #1695 no CI data
project_task_stage_allow_timesheet OCA/timesheet [18.0][MIG] project_task_stage_allow_timesheet: Migration to 18.0 #888 no CI data
project_wbs OCA/project [18.0][MIG] project_wbs: Migration to 18.0 #1690 no CI data
purchase-minimum-dro OCA/purchase-workflow [MIG] purchase_minimum_amount: Migration to 18.0 #2911 no CI data
purchase_compute_order OCA/purchase-workflow [18.0][ADD] purchase_compute_order: Add to 18.0 #2915 no CI data
purchase_compute_order_min_package OCA/purchase-workflow [18.0][ADD] purchase_compute_order_min_package: Add to 18.0 #2916 no CI data
purchase_date_planned_manual OCA/purchase-workflow [18.0][MIG] purchase_date_planned_manual #2975 no CI data
purchase_deposit_analytic OCA/purchase-workflow [18.0][MIG] purchase_deposit_analytic #3093 no CI data
purchase_invoice_plan_deposit OCA/purchase-workflow [18.0][MIG] purchase_invoice_plan_deposit #3083 no CI data
purchase_line_product_image OCA/purchase-workflow [18.0][MIG] purchase_line_product_image: Migration to 18.0 #3008 no CI data
purchase_location_by_line OCA/purchase-workflow 18.0 mig purchase location by line #2621 no CI data
purchase_merge-BAD OCA/purchase-workflow [18.0] [MIG] purchase_merge: Migration to 18.0 #2671 no CI data
purchase_only_by_packaging OCA/purchase-workflow [MIG] purchase_only_by_packaging: Migration to 18.0 #2729 no CI data
purchase_operating_unit_access_all OCA/operating-unit [18.0][MIG] purchase_operating_unit_access_all: Migration to 18.0 #754 no CI data
purchase_order_import_ubl OCA/edi [18.0][MIG] purchase_order_import_ubl #1361 no CI data
purchase_package_qty OCA/purchase-workflow [18.0][ADD] purchase_package_qty #2892 no CI data
purchase_package_qty OCA/purchase-workflow [18.0][MIG] purchase_package_qty: Migration to 18.0 #2863 no CI data
purchase_packaging_default OCA/purchase-workflow [18.0][MIG] purchase_packaging_default: Migration to 18.0 #2587 no CI data
purchase_quick_intercompany OCA/multi-company [18.0][MIG] purchase_quick_intercompany: Migration to 18.0 #981 no CI data
purchase_requisition_tier_validation OCA/purchase-workflow [18.0][MIG] purchase_requisition_tier_validation: Migration to 18.0 #2939 no CI data
purchase_return OCA/purchase-workflow [18.0][MIG] purchase_return: Migration to 18.0 #2902 no CI data
purchase_sale_lot_intercompany OCA/multi-company [18.0][MIG] purchase_sale_lot_intercompany: Migration to 18.0 #983 no CI data
purchase_sale_note_intercompany OCA/multi-company [18.0][MIG] purchase_sale_note_intercompany: Migration to 18.0 #982 no CI data
purchase_sale_stock_inter_company_mrp OCA/multi-company [18.0][MIG] purchase_sale_stock_inter_company_mrp: Migration to 18.0 #987 no CI data
purchase_sign OCA/purchase-workflow [18.0][MIG] purchase_sign: Migration to 18.0 #2665 no CI data
purchase_stock_picking_return_invoicing_force_invoiced OCA/account-invoicing [18.0][MIG] purchase_stock_picking_return_invoicing_force_invoiced: Migration to 18.0 #2302 no CI data
purchase_supplierinfo_currency OCA/purchase-workflow [18.0][MIG] Migration of module purchase_supplierinfo_currency #2680 no CI data
purchase_variant_configurator OCA/product-variant [18.0][MIG] purchase_variant_configurator: Migration to 18.0 #390 no CI data
purchase_work_acceptance_evaluation OCA/purchase-workflow [18.0][MIG] purchase_work_acceptance_evaluation: Migration to 18.0 #3100 no CI data
purchase_work_acceptance_late_fines OCA/purchase-workflow [18.0][MIG] purchase_work_acceptance_late_fine: Migration to version 18.0 #3098 no CI data
purchase_work_acceptance_tier_validation OCA/purchase-workflow [18.0][MIG] purchase_work_acceptance_tier_validation: Migration to 18.0 #3096 no CI data
quality_control_mrp_oca OCA/manufacture [18.0][MIG] quality_control_mrp_oca: Migration to 18.0 #1736 no CI data
quality_control_product_manufacturer OCA/manufacture [18.0][MIG] quality_control_product_manufacturer: migration to 18.0 #1680 no CI data
report_batch OCA/reporting-engine [18.0][MIG] report_batch #1148 no CI data
report_qweb_signer OCA/reporting-engine [18.0][MIG] report_qweb_signer: Migration to 18.0 #1105 no CI data
res_partner_account_move_line OCA/account-invoicing [18.0][ADD] partner_account_move_line #2158 no CI data
sale_auto_remove_zero_quantity_lines-BAD OCA/sale-workflow [18.0] [MIG] sale_auto_remove_zero_quantity_lines: Migration to 18.0 #3700 no CI data
sale_cancel_confirm OCA/sale-workflow [18.0][MIG] sale_cancel_confirm #3950 no CI data
sale_channel_notification OCA/sale-channel [18.0] [ADD] sale_channel_notification #53 no CI data
sale_channel_notification_async OCA/sale-channel [18.0] [ADD] sale_channel_notification_async #55 no CI data
sale_channel_notification_stock OCA/sale-channel [18.0] [ADD] sale_channel_notification_stock #56 no CI data
sale_commission_margin OCA/commission [18.0] [MIG] sale_commission_margin_oca: Migration to 18.0 + rename #641 no CI data
sale_commission_product_criteria OCA/commission [18.0][MIG] sale_commission_product_criteria_oca: Migration to 18.0 #653 no CI data
sale_delivery_split_date OCA/sale-workflow [MIG] sale_delivery_split_date: Migration to 18.0 #3612 no CI data
sale_exception_holidays_public-BAD OCA/sale-workflow [18.0] [MIG] sale_exception_holidays_public: Migration to 18.0 #3704 no CI data
sale_import_base OCA/sale-channel [18.0][MIG] sale_import_base #43 no CI data
sale_import_rest OCA/sale-channel [18.0][MIG] sale_import_rest #44 no CI data
sale_input_barcode OCA/stock-logistics-barcode [18.0][MIG] sale_input_barcode: Migration to 18.0 #753 no CI data
sale_invoice_date_from_picking_actual_date OCA/account-invoicing [18.0][MIG] sale_invoice_date_from_picking #2304 no CI data
sale_invoice_delivery_state OCA/sale-workflow [18.0][MIG] sale_invoice_delivery_state : Migration to 18.0 #4183 no CI data
sale_line_vendor_comment OCA/sale-workflow [18.0][ADD] sale_line_vendor_comment: New module #4427 no CI data
sale_loyalty_auto_refresh OCA/sale-promotion [18.0][MIG] sale_loyalty_auto_refresh: Migration to 18.0 #347 no CI data
sale_loyalty_auto_refresh OCA/sale-promotion [18.0][MIG] sale_loyalty_auto_refresh: Migration to 18.0 #257 no CI data
sale_no_portal_button OCA/sale-workflow [18.0][MIG] sale_no_portal_button : Migration to 18.0 #4184 no CI data
sale_order_line_date_next_reception OCA/sale-workflow [18.0][MIG] sale_order_line_date_next_reception #4187 no CI data
sale_order_line_display_stock_per_warehouse OCA/sale-workflow [18.0][MIG] sale_order_line_display_stock_per_warehouse #4188 no CI data
sale_order_mass_action/18.0 OCA/sale-workflow [18.0][MIG] sale_order_mass_action: Migration to 18.0 #4130 no CI data
sale_order_qty_change_no_recompute OCA/sale-workflow [18.0][MIG] sale_order_qty_change_no_recompute: Migration to 18.0 #4431 no CI data
sale_order_safe_commitment_date OCA/sale-workflow [18.0][MIG] sale_order_safe_commitment_date: Migration to 18.0 #4086 no CI data
sale_price_compliance OCA/sale-workflow [18.0][MIG] sale_price_compliance #4218 no CI data
sale_pricelist_global_rule OCA/sale-workflow [18.0][MIG] sale_pricelist_global_rule: Migration to 18.0 #4065 no CI data
sale_procurement_group_by_commitment_date OCA/sale-workflow [MIG] sale_procurement_group_by_commitment_date: Migration to 18.0 #4213 no CI data
sale_product_variant_attribute_tax OCA/product-variant [18.0][MIG] sale_product_variant_attribute_tax: Migration to 18.0 #392 no CI data
sale_purchase_inter_company OCA/multi-company [18.0][MIG] sale_purchase_inter_company : Migration to 18.0 #954 no CI data
sale_quick OCA/sale-workflow [18.0][MIG] sale_quick: Migration to 18.0 #4244 no CI data
sale_quotation_number OCA/sale-workflow [19.0][MIG] sale_quotation_number #4420 no CI data
sale_rental OCA/vertical-rental [18.0][MIG] sale_rental #70 no CI data
sale_rental_new OCA/vertical-rental [18.0][MIG] sale_rental: Migration to 18.0 #86 no CI data
sale_report_delivered_price_compliance OCA/sale-reporting [18.0][MIG] sale_report_delivered_price_compliance #359 no CI data
sale_report_salesman OCA/sale-reporting [18.0] [MIG] sale_report_salesman #353 no CI data
sale_restricted_qty OCA/sale-workflow [18.0][MIG][IMP] sale_restricted_qty #3959 no CI data
sale_stock_analytic OCA/account-analytic [18.0][MIG] sale_stock_analytic: Migration to 18.0 #818 no CI data
sale_stock_picking_variable_qty OCA/stock-logistics-workflow [18.0][MIG] sale_stock_picking_variable_qty: Migration to 18.0 #2301 no CI data
sale_stock_reconcile_valuation_kit OCA/sale-workflow [18.0][MIG] sale_stock_reconcile_valuation_kit: Migration to 18.0 #3845 no CI data
sale_stock_warehouse_multicompany OCA/multi-company [18.0] [MIG] sale_stock_warehouse_multicompany: Migration to 18.0 #992 no CI data
sale_stock_warehouse_order_type OCA/sale-workflow [18.0][MIG] sale_stock_warehouse_order_type: Migration to version 18.0 #4305 no CI data
sale_timesheet_project_manual OCA/sale-workflow [18.0][MIG] sale_timesheet_project_manual #4146 no CI data
sale_triple_discount OCA/sale-workflow [18.0][MIG] sale_triple_discount: Migration to 18.0 #4249 no CI data
sale_warehouse_rule OCA/sale-workflow [18.0][MIG] sale_warehouse_rule: Migration to 18.0 #4217 no CI data
sales_team_security_crm OCA/sale-workflow [18.0][MIG] sales_team_security_crm: Migration to 18.0 #3469 no CI data
sales_team_security_sale OCA/sale-workflow [18.0][MIG] sales_team_security_sale: Migration to 18.0 #3466 no CI data
search_engine_image_thumbnail OCA/search-engine [18.0] [MIG] search_engine_image_thumbnail: Migration to 18.0 #228 no CI data
server_action_logging OCA/server-tools [MIG] server_action_logging: Migration to 18.0 #3555 no CI data
server_action_logging OCA/server-tools [18.0] [MIG] server_action_logging: Migration to 18.0 #3073 no CI data
shopinvader_product_alias OCA/e-commerce [18.0][MIG] product_alias (was shopinvader_product_alias) #1206 no CI data
sms_no_alter_body OCA/connector-telephony [18.0][MIG] sms_no_alter_body: Migration to 18.0 #357 no CI data
sms_no_automatic_delete OCA/connector-telephony [18.0][MIG] sms_no_automatic_delete: Migration to 18.0 #362 no CI data
sms_ovh_http OCA/connector-telephony [18.0][MIG] sms_ovh_http: Migration to 18.0 #356 no CI data
social_media_base OCA/social [18.0][MIG] social_media_base: Migration to 18.0 #1769 no CI data
social_media_linkedin OCA/social [18.0][MIG] social_media_linkedin: Migration to 18.0 #1770 no CI data
social_media_x OCA/social [18.0][MIG] social_media_x: Migration to 18.0 #1772 no CI data
stock-move-backdating OCA/stock-logistics-workflow [18.0][MIG] stock_move_backdating #1921 no CI data
stock-picking-notification-dro OCA/stock-logistics-workflow [MIG] stock_picking_status_notification: Migration to 18.0 #2344 no CI data
stock_account_fifo_return_origin OCA/stock-logistics-workflow [18.0][MIG] stock_account_fifo_return_origin: Migration to 18.0 #2255 no CI data
stock_account_operating_unit OCA/operating-unit [18.0][MIG] stock_account_operating_unit #857 no CI data
stock_account_operating_unit OCA/operating-unit [18.0][MIG] stock account operating unit: Migration to 18.0 #769 no CI data
stock_account_quantity_history_location OCA/stock-logistics-reporting [MIG] stock_account_quantity_history_location: migration to 18.0 #487 no CI data
stock_available_mrp OCA/stock-logistics-availability [18.0][MIG] stock_available_mrp: Migration to 18.0 #68 no CI data
stock_average_daily_sale-dro OCA/stock-logistics-reporting [18.0][MIG] stock_average_daily_sale #481 no CI data
stock_barcodes OCA/stock-logistics-barcode [18.0][MIG] stock_barcodes: Migration to v18 #725 no CI data
stock_barcodes_gs1 OCA/stock-logistics-barcode [18.0][MIG] stock_barcodes_gs1: Migration to 18.0 #729 no CI data
stock_barcodes_gs1_expiry OCA/stock-logistics-barcode [18.0][MIG] stock_barcodes_gs1_expiry: Migration to 18.0 #730 no CI data
stock_barcodes_gs1_secondary_unit OCA/stock-logistics-barcode [18.0][MIG] stock_barcodes_gs1_secondary_unit: Migration to 18.0 #756 no CI data
stock_barcodes_picking_batch OCA/stock-logistics-barcode [18.0][MIG] stock_barcodes_picking_batch: Migration to 18.0 #727 no CI data
stock_barcodes_picking_batch_revision OCA/stock-logistics-barcode [18.0][MIG] stock_barcodes_picking_batch_revision: Migration to 18.0 #728 no CI data
stock_customer_deposit OCA/stock-logistics-workflow [18.0][MIG] stock_customer_deposit: Migration to 18.0 #2189 no CI data
stock_customer_deposit_elaboration OCA/stock-logistics-workflow [18.0][MIG] stock_customer_deposit_elaboration: Migration to 18.0 #2190 no CI data
stock_customer_deposit_sale_margin OCA/stock-logistics-workflow [MIG] stock_customer_deposit_sale_margin: Migration to 18.0 #2191 no CI data
stock_exception OCA/stock-logistics-workflow [MIG] stock_exception: Migration to 18.0 #2358 no CI data
stock_inventory_location_state OCA/stock-logistics-warehouse [18.0][MIG] stock_inventory_location_state #2575 no CI data
stock_inventory_user OCA/stock-logistics-warehouse [18.0][MIG] stock_inventory_restriction #2572 no CI data
stock_inventory_valuation_report OCA/stock-logistics-reporting [18.0][MIG] stock_inventory_valuation_report: Migration to 18.0 #488 no CI data
stock_inventory_valuation_report OCA/stock-logistics-reporting [18.0][MIG] stock_inventory_valuation_report #472 no CI data
stock_lot_multi_image OCA/stock-logistics-warehouse [18.0][MIG] stock_lot_multi_image: Migration to 18.0 #2272 no CI data
stock_lot_on_hand_first OCA/stock-logistics-workflow [18.0][MIG] stock_lot_on_hand_first: migrate to 18.0 #2249 no CI data
stock_move_force_reservation OCA/stock-logistics-workflow [18.0]|MIG] stock_move_force_reservation #2176 no CI data
stock_move_free_reservation_reassign OCA/stock-logistics-workflow [18.0][MIG] stock_move_free_reservation_reassign #2320 no CI data
stock_move_variation_report OCA/stock-logistics-reporting [18.0][MIG] stock_move_variation_report: Migration to 18.0 #480 no CI data
stock_mts_mto_rule OCA/stock-logistics-warehouse [18.0] [MIG] stock_mts_mto_rule : migrate to 18.0 #2425 no CI data
stock_orderpoint_manual_procurement_uom OCA/stock-logistics-orderpoint [18.0][MIG] stock_orderpoint_manual_procurement_uom: Migration to 18.0 #87 no CI data
stock_picking_analytic OCA/account-analytic [MIG] stock_picking_analytic: Migration to 18.0 #733 no CI data
stock_picking_batch_account_sale_type OCA/stock-logistics-workflow [18.0][MIG] stock_picking_batch_extended_account_sale_type: Migration to 18.0 and rename to stock_picking_batch_account_sale_type #2288 no CI data
stock_picking_batch_extended-with-setup OCA/stock-logistics-workflow 18.0 mig stock picking batch extended with setup #2174 no CI data
stock_picking_batch_weighing OCA/stock-weighing [18.0][MIG] stock_picking_batch_weighing: Migration to 18.0 #56 no CI data
stock_picking_invoicing_incoterm OCA/account-invoicing [18.0][MIG] stock_picking_invoicing_incoterm: Migration to 18.0 #2328 no CI data
stock_picking_move_line_no_print OCA/stock-logistics-workflow [18.0][MIG] stock_picking_move_line_no_print: Migration to 18.0 #2243 no CI data
stock_picking_origin_state OCA/stock-logistics-workflow [18.0][MIG] stock_picking_origin_state #2381 no CI data
stock_picking_portal OCA/stock-logistics-workflow [18.0][MIG] stock picking portal #2149 no CI data
stock_picking_product_interchangeable OCA/stock-logistics-warehouse [18.0][MIG] stock_picking_product_interchangeable #2581 no CI data
stock_picking_quick OCA/stock-logistics-workflow [DRAFT][18.0][MIG] stock picking quick #2154 no CI data
stock_picking_report_delivery_custom_name OCA/stock-logistics-reporting [18.0][MIG] stock_picking_report_delivery_custom_name #469 no CI data
stock_picking_report_undelivered_product OCA/stock-logistics-reporting [18.0][MIG] stock_picking_report_undelivered_product: Migration to 18.0 #367 no CI data
stock_picking_report_valued_delivery_fee OCA/stock-logistics-reporting [18.0][MIG] stock_picking_report_valued_delivery_fee: Migration to 18.0 #489 no CI data
stock_picking_restrict_cancel_with_orig_move OCA/stock-logistics-workflow [18.0][MIG] stock_picking_restrict_cancel_with_orig_move #2029 no CI data
stock_picking_variable_qty OCA/stock-logistics-workflow [18.0][MIG] stock_picking_variable_qty: Migration to 18.0 #2183 no CI data
stock_picking_variable_qty-2 OCA/stock-logistics-workflow [18.0][MIG] stock_picking_variable_qty: Migration to 18.0 #2302 no CI data
stock_product_template_tags OCA/product-attribute [18.0][MIG] stock_product_template_tags: Migration to 18.0 #1897 no CI data
stock_production_lot_expired_date-BAD OCA/product-attribute [18.0][MIG] stock_production_lot_expired_date: Migration to 18.0 #2123 no CI data
stock_push_delay OCA/stock-logistics-workflow [18.0][MIG] stock_push_delay #2382 no CI data
stock_putaway_last_location OCA/stock-logistics-workflow [18.0][MIG] stock_putaway_last_location #2175 no CI data
stock_quant_history OCA/stock-logistics-reporting [18.0][MIG] stock_quant_history #436 no CI data
stock_quant_manual_assign OCA/stock-logistics-reservation [18][MIG] stock_quant_manual_assign #57 no CI data
stock_quant_manual_assign OCA/stock-logistics-reservation [18.0][MIG] stock_quant_manual_assign: Migration to 18.0 #46 no CI data
stock_reception_discrepancy_distribution OCA/stock-logistics-workflow [18.0][MIG] stock_reception_discrepancy_distribution: Migration to version 18.0 #2359 no CI data
stock_request_analytic OCA/stock-logistics-request [18.0][MIG] stock_request_analytic: Migration to version 18.0 #80 no CI data
stock_reserve_sale OCA/stock-logistics-reservation [MIG] stock_reserve_sale: Migration to 18.0 #54 no CI data
stock_return_empty_package-dro OCA/stock-logistics-workflow [MIG] stock_picking_return_empty_package: Migration to 18.0 #2300 no CI data
stock_scrap_product_report OCA/stock-logistics-workflow [18.0][ADD] stock_scrap_product_report #2159 no CI data
stock_secondary_unit_weighing OCA/stock-weighing [18.0][MIG] stock_secondary_unit_weighing: Migration to version 18.0 #58 no CI data
stock_valuation_no_developer_mode OCA/stock-logistics-workflow [18.0][MIG] stock_valuation_no_developer_mode #2240 no CI data
stock_weighing_auto_create_lot_config OCA/stock-weighing [18.0][MIG] stock_weighing_auto_create_lot_config: Migration to version 18.0 #62 no CI data
stock_weighing_threaded_print OCA/stock-weighing [18.0][MIG] stock_weighing_threaded_print: Migration to 18.0 #57 no CI data
subcontracted_service OCA/purchase-workflow [18.0][MIG] subcontracted_service: Migration to 18.0 #2910 no CI data
survey_answer_generation OCA/survey 18.0 mig survey answer generation #224 no CI data
survey_question_type_binary OCA/survey 18.0 mig survey question type binary #232 no CI data
takeover-l10n_us_form_1099 OCA/l10n-usa [18.0][MIG] Takeover l10n_us_form_1099: Migration to 18.0 #171 no CI data
users_ldap_groups OCA/server-auth [18.0][MIG] users_ldap_groups : Migration to v18 #889 no CI data
views_migration_17 OCA/server-tools [MIG] views_migration_18: Migration to 18.0 #3201 no CI data
web_action_conditionable OCA/web [MIG] web_action_conditionable: Migration to 18.0 #3476 no CI data
web_action_conditionable OCA/web [18.0][MIG] web_action_conditionable #3063 no CI data
web_advanced_search OCA/web [MIG] web_advanced_search: Migration to 18.0 #3477 no CI data
web_apply_field_style OCA/web [MIG] web_apply_field_style: Migration to 18.0 #3478 no CI data
web_assets_warmup OCA/web [18.0][MIG] web_assets_warmup: Migration to 18.0 #3028 no CI data
web_chatter_camera OCA/web [MIG] web_chatter_camera: Migration to 18.0 #3479 no CI data
web_edit_xmlid OCA/web [18.0][ADD] New module web_edit_xmlid #3207 no CI data
web_export_html_as_text OCA/web [18.0][MIG] web_export_html_as_text: Migration to 18.0 #3367 no CI data
web_export_json OCA/web [MIG] web_export_json: Migration to 18.0 #3223 no CI data
web_field_required_invisible_manager OCA/web [WIP][18.0][MIG] web_field_required_invisible_manager: Migration to 18.0 #3072 no CI data
web_field_tooltip OCA/web [18.0][MIG] web_field_tooltip:Migration to 18.0 #3575 no CI data
web_field_tooltip OCA/web [18.0][MIG] web_field_tooltip: Migration to 18.0 #3054 no CI data
web_ir_actions_close_wizard_refresh_view OCA/web [18.0][MIG] web_ir_actions_close_wizard_refresh_view: Migration to 18.0 #3499 no CI data
web_responsive_company_color OCA/web [ADD] web_responsive_company_color #3428 no CI data
web_select_all_companies OCA/web [18.0][MIG] web_select_all_companies: Migration to 18.0 #3340 no CI data
web_widget_bokeh_chart OCA/web [18.0][MIG] web_widget_bokeh_chart: Migration to 18.0 #3100 no CI data
web_widget_char_size OCA/web [MIG] web_widget_char_size: Migration to 18.0 #3421 no CI data
web_widget_image_download OCA/web [18.0][MIG] web_widget_image_download: Migration to 18.0 #3046 no CI data
web_widget_mermaid-squash OCA/web [18.0][MIG] web_widget_mermaid: Migration to 18.0 #3419 no CI data
web_widget_plotly_chart OCA/web [18.0][MIG] web_widget_plotly_chart: Migration from 17 to 18 #3277 no CI data
web_widget_plotly_chart OCA/web [18.0][MIG] web_widget_plotly_chart: Migration to 18.0 #3094 no CI data
web_widget_remaining_days_exact_date OCA/web [18.0][MIG] web_widget_remaining_days_exact_date: Migration to 18.0 #3375 no CI data
web_widget_text_markdown OCA/web [DRAFT][18.0][MIG] web_widget_text_markdown #3381 no CI data
website_analytics_matomo OCA/website [18.0][MIG] website_analytics_matomo: Migration to 18.0 #1107 no CI data
website_apps_store OCA/apps-store [18.0][MIG] website_apps_store #102 no CI data
website_event_external OCA/event [18.0][MIG] website_event_external #501 no CI data
website_helpdesk_mgmt OCA/helpdesk [18.0][MIG] website_helpdesk_mgmt: Migration from 13.0 to 18.0 #1052 no CI data
website_llms OCA/website [18.0][MIG] website_llms: Migration to 18.0 #1202 no CI data
website_product_configurator OCA/product-configurator [18.0][MIG] website_product_configurator: Migration to 18.0 #183 no CI data
website_sale_address_format OCA/e-commerce [18.0][MIG] website_sale_address_format: Migration to 18.0 #1107 no CI data
website_sale_affiliate OCA/e-commerce [18.0][MIG] website_sale_affiliate migration from 16.0 to 18.0 #1228 no CI data
website_sale_payment_term_acquirer OCA/e-commerce [MIG] website_sale_payment_term_acquirer: Migration to 18.0 #1197 no CI data
website_sale_product_pack OCA/product-pack [18.0][MIG] website_sale_product_pack: Migration to 18.0 #194 no CI data
website_sale_product_publish_date OCA/e-commerce [18.0][MIG] website_sale_product_publish_date: Migration to 18.0 #1111 no CI data
website_snippet_country_phone_code_dropdown OCA/website [18.0][MIG] website_snippet_country_phone_code_dropdown: Migration to 18.0 #1172 no CI data

Security Findings

Errors 40

Module Code Message
account_avatax_exemption_base acl-public-write access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to the portal/public group 'base.group_portal'
auth_totp_portal acl-public-write access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
fieldservice_route acl-public-write access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal'
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
l10n_bg_report_theme acl-global-write access_base_document_layout_colors — Access rule grants write/create/unlink on 'model_base_document_layout_colors' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_discuss_channel_member_public — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_public'
mail acl-public-write access_discuss_channel_member_portal — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal'
mrp_subcontracting_account acl-public-write access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal'
partner_autocomplete acl-public-write access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal'
password_security acl-public-write access_res_users_pass_history_portal — Access rule grants create on 'model_res_users_pass_history' to the portal/public group 'base.group_portal'
project acl-public-write access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal'
test_access_rights acl-public-write access_test_access_right_some_obj_public — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_container_public — Access rule grants write/create/unlink on 'model_test_access_right_container' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_inherits_public — Access rule grants write/create/unlink on 'model_test_access_right_inherits' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_child_public — Access rule grants write/create/unlink on 'model_test_access_right_child' to the portal/public group 'base.group_public'
test_mail acl-public-write access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal'
test_mail acl-public-write access_mail_test_public_public — Access rule grants write on 'model_mail_test_public' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 491

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_send_single_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_send_batch_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group
account route-public-sudo /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_avatax_exemption route-public-sudo /exemption/<int:exemption_id> — Unauthenticated endpoint 'Exemption.get_exemption' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_brand acl-global-read res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set
account_payment rule-group-bypass payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_statement_import_online_gocardless route-public-csrf-off /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
account_statement_import_online_gocardless route-public-sudo /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
ai_oca_bridge route-public-csrf-off /ai/response/<int:execution_id>/<string:token> — Public HTTP endpoint 'AIController.ai_process_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
ai_oca_bridge route-public-sudo /ai/response/<int:execution_id>/<string:token> — Unauthenticated endpoint 'AIController.ai_process_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-public-sudo /web/login/totp — Unauthenticated endpoint 'Home.web_totp' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
automation_oca route-public-sudo /automation_oca/track/<int:record_id>/<string:token>/blank.gif — Unauthenticated endpoint 'AutomationOCAController.automation_oca_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
automation_oca route-public-sudo /r/<string:code>/au/<int:record_id>/<string:token> — Unauthenticated endpoint 'AutomationOCAController.automation_oca_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
base route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
base route-auth-none /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all
base_automation route-public-csrf-off /web/hook/<string:rule_uuid> — Public HTTP endpoint 'BaseAutomationController.call_webhook_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_automation route-public-sudo /web/hook/<string:rule_uuid> — Unauthenticated endpoint 'BaseAutomationController.call_webhook_http' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base_ical route-auth-none /base_ical/<int:calendar_id> — Endpoint 'ICalController.get_ical' uses auth="none": it runs with no user/session at all
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_vat route-public-csrf-off /base_vat/1/webhook_update_vies — Public HTTP endpoint 'BaseVatWebhookController.webhook_update_vies' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
bus route-public-sudo /bus/has_missed_notifications — Unauthenticated endpoint 'BusController.has_missed_notifications' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
bus route-public-sudo /bus/get_autovacuum_info — Unauthenticated endpoint 'BusController.get_autovacuum_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
bus route-auth-none /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
calendar route-public-sudo /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group
cross_connect_client route-public-sudo /cross_connect_server/<int:server_id> — Unauthenticated endpoint 'CrossConnectController.cross_connect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
crowdfunding route-public-sudo /crowdfunding/<model('crowdfunding.challenge'):challenge>/pay — Unauthenticated endpoint 'Payment.crowdfunding_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
crowdfunding_public_pledge route-public-sudo /crowdfunding/<model('crowdfunding.challenge'):challenge>/pledge/<int:partner_id> — Unauthenticated endpoint 'CrowdfundingController.pledge_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
digest route-public-csrf-off /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
digest route-public-sudo /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
event route-public-sudo /event/<int:event_id>/my_tickets — Unauthenticated endpoint 'EventController.event_my_tickets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr rule-group-bypass ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_appraisal_oca rule-group-bypass hr_appraisal_hr_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance route-public-sudo /hr_attendance/<token> — Unauthenticated endpoint 'HrAttendance.open_kiosk_mode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/attendance_employee_data — Unauthenticated endpoint 'HrAttendance.employee_attendance_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/attendance_barcode_scanned — Unauthenticated endpoint 'HrAttendance.scan_barcode_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/manual_selection — Unauthenticated endpoint 'HrAttendance.manual_selection_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/employees_infos — Unauthenticated endpoint 'HrAttendance.employees_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/is_fresh_db — Unauthenticated endpoint 'HrAttendance.is_fresh_db' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance_reason route-public-sudo /hr_attendance_reason/get_reasons — Unauthenticated endpoint 'HrAttendance.attendance_get_reasons' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance_rfid rule-group-bypass hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_homeworking rule-group-bypass homeworking_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_homeworking_calendar rule-group-bypass homeworking_location_wizard_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_applicant_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_candidate_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_job_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass mail_message_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment_skills rule-group-bypass hr_applicant_skill_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_employee_skill_report_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_timesheet_attendance rule-group-bypass hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group
html_editor route-public-sudo /web_editor/shape/<module>/<path:filename>, /html_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'HTML_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
http_routing route-public-sudo /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hw_drivers route-auth-none /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scale_read — Endpoint 'ScaleReadHardwareProxy.scale_read' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_proxy/l10n_ke_cu_send — Public HTTP endpoint 'TremolG03Controller.l10n_ke_cu_send' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_proxy/l10n_ke_cu_send — Endpoint 'TremolG03Controller.l10n_ke_cu_send' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/iot_devices — Endpoint 'DisplayController.get_iot_devices' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/restart_odoo_service — Endpoint 'IotBoxOwlHomePage.odoo_service_restart' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/iot_logs — Endpoint 'IotBoxOwlHomePage.get_iot_logs' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/six_payment_terminal_clear — Endpoint 'IotBoxOwlHomePage.clear_six_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/clear_credential — Endpoint 'IotBoxOwlHomePage.clear_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/wifi_clear — Endpoint 'IotBoxOwlHomePage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/server_clear — Endpoint 'IotBoxOwlHomePage.clear_server_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/ping — Endpoint 'IotBoxOwlHomePage.ping' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/data — Endpoint 'IotBoxOwlHomePage.get_homepage_data' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/wifi — Endpoint 'IotBoxOwlHomePage.get_available_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/generate_password — Endpoint 'IotBoxOwlHomePage.generate_password' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/version_info — Endpoint 'IotBoxOwlHomePage.get_version_info' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/log_levels — Endpoint 'IotBoxOwlHomePage.log_levels' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/load_iot_handlers — Endpoint 'IotBoxOwlHomePage.load_iot_log_level' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/clear_iot_handlers — Endpoint 'IotBoxOwlHomePage.clear_iot_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/six_payment_terminal_add — Endpoint 'IotBoxOwlHomePage.add_six_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/save_credential — Endpoint 'IotBoxOwlHomePage.save_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/update_wifi — Endpoint 'IotBoxOwlHomePage.update_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/enable_ngrok — Endpoint 'IotBoxOwlHomePage.enable_remote_connection' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/connect_to_server — Endpoint 'IotBoxOwlHomePage.connect_to_odoo_server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/log_levels_update — Endpoint 'IotBoxOwlHomePage.update_log_level' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/update_git_tree — Endpoint 'IotBoxOwlHomePage.update_git_tree' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/font-awesome — Endpoint 'LivechatController.fontawesome' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/odoo_ui_icons — Endpoint 'LivechatController.odoo_ui_icons' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-csrf-off /im_livechat/cors/attachment/upload — Public HTTP endpoint 'LivechatAttachmentController.im_livechat_attachment_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_bg_city acl-global-read access_res_city_types_read — Access rule grants read on 'model_res_city_types' to every user (portal/public included): no group is set
l10n_dk_nemhandel route-public-csrf-off /nemhandel/webhook/new-message — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_dk_nemhandel route-public-sudo /nemhandel/webhook/new-message — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_new_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_dk_nemhandel route-public-csrf-off /nemhandel/webhook/message-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_dk_nemhandel route-public-sudo /nemhandel/webhook/message-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_message_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_dk_nemhandel route-public-csrf-off /nemhandel/webhook/user-state-update — Public HTTP endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_dk_nemhandel route-public-sudo /nemhandel/webhook/user-state-update — Unauthenticated endpoint 'NemhandelWebhookController.webhook_nemhandel_user_update' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_fr_pdp route-public-csrf-off /api/signaturit_authentication_status/1/webhooks — Public HTTP endpoint 'IapAuthenticationWebhook.notify_authentication_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_fr_pdp route-public-sudo /api/signaturit_authentication_status/1/webhooks — Unauthenticated endpoint 'IapAuthenticationWebhook.notify_authentication_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_pe_website_sale route-public-sudo /shop/state_infos/<model("res.country.state"):state> — Unauthenticated endpoint 'L10nPEWebsiteSale.state_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_pe_website_sale route-public-sudo /shop/city_infos/<model("res.city"):city> — Unauthenticated endpoint 'L10nPEWebsiteSale.city_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_tw_edi_ecpay route-public-csrf-off /invoice/ecpay/agreed_invoice_allowance/<int:invoice_id> — Public HTTP endpoint 'EcpayInvoiceController.agreed_invoice_allowance' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
link_tracker route-public-sudo /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/guest/update_name — Unauthenticated endpoint 'GuestController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/reaction — Unauthenticated endpoint 'MessageReactionController.mail_message_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview/hide — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview_hide' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/post — Unauthenticated endpoint 'ThreadController.mail_message_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/update_content — Unauthenticated endpoint 'ThreadController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-csrf-off /mail/unfollow — Public HTTP endpoint 'MailController.mail_action_unfollow' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail route-public-sudo /mail/unfollow — Unauthenticated endpoint 'MailController.mail_action_unfollow' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/upload — Unauthenticated endpoint 'AttachmentController.mail_attachment_upload' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/delete — Unauthenticated endpoint 'AttachmentController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'PublicPageController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/<int:channel_id>/attachment/<int:attachment_id> — Unauthenticated endpoint 'BinaryController.discuss_channel_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/<int:channel_id>/image/<int:attachment_id>, /discuss/channel/<int:channel_id>/image/<int:attachment_id>/<int:width>x<int:height> — Unauthenticated endpoint 'BinaryController.fetch_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'RtcController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'RtcController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/join_call — Unauthenticated endpoint 'RtcController.channel_call_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/leave_call — Unauthenticated endpoint 'RtcController.channel_call_leave' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/cancel_call_invitation — Unauthenticated endpoint 'RtcController.channel_call_cancel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/ping — Unauthenticated endpoint 'RtcController.channel_ping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/attachments — Unauthenticated endpoint 'ChannelController.load_attachments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_brand route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'BrandBinary.company_logo' uses auth="none": it runs with no user/session at all
mail_gateway route-public-csrf-off /gateway/<string:usage>/<string:token>/update — Public HTTP endpoint 'GatewayController.post_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-csrf-off /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_plugin route-auth-none /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all
mail_plugin route-auth-none /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all
mail_tracking route-public-sudo /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mail_tracking_mailgun route-public-sudo /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking_mailgun route-auth-none /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all
marketing_card route-public-sudo /cards/<string:card_slug>/card.jpg, /cards/<int:card_id>/card.jpg — Unauthenticated endpoint 'MarketingCardController.card_campaign_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
marketing_card route-public-sudo /cards/<string:card_slug>/preview, /cards/<int:card_id>/preview — Unauthenticated endpoint 'MarketingCardController.card_campaign_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
marketing_card route-public-sudo /cards/<string:card_slug>/redirect, /cards/<int:card_id>/redirect — Unauthenticated endpoint 'MarketingCardController.card_campaign_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-csrf-off /mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mass_mailing route-public-sudo /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/list/update — Unauthenticated endpoint 'MassMailController.mailing_update_list_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.mailing_send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_report_deactivate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.mailing_view_in_browser' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blocklist/add — Unauthenticated endpoint 'MassMailController.mail_blocklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blocklist/remove — Unauthenticated endpoint 'MassMailController.mail_blocklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /r/<string:code>/s/<int:sms_id_int> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
odoo_repository route-public-csrf-off /odoo-repository/data — Public HTTP endpoint 'OdooRepository.index' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
odoo_repository route-public-sudo /odoo-repository/data — Unauthenticated endpoint 'OdooRepository.index' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
odoo_repository route-auth-none /odoo-repository/data — Endpoint 'OdooRepository.index' uses auth="none": it runs with no user/session at all
payment route-public-sudo /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments/details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off AdyenController.adyen_webhook — Public HTTP endpoint 'AdyenController.adyen_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_asiapay route-public-csrf-off AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_asiapay route-public-sudo AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_custom route-public-csrf-off CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_custom route-public-sudo CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_demo route-public-sudo PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_easypay_oca route-public-sudo /payment/easypay/checkout/success — Unauthenticated endpoint 'EasyPayCheckoutCallbackController.easypay_checkout_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_easypay_oca route-public-sudo /payment/easypay/mb_reference/<int:tx_id> — Unauthenticated endpoint 'EasyPayCheckoutCallbackController.easypay_mb_reference' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_easypay_oca route-public-sudo /payment/easypay/checkout/cancel — Unauthenticated endpoint 'EasyPayCheckoutCallbackController.easypay_checkout_cancel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_easypay_oca route-public-csrf-off /payment/easypay/checkout — Public HTTP endpoint 'EasyPayCheckoutPageController.checkout_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_easypay_oca route-public-sudo /payment/easypay/checkout — Unauthenticated endpoint 'EasyPayCheckoutPageController.checkout_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_easypay_oca route-public-csrf-off /payment/easypay/webhook/generic — Public HTTP endpoint 'EasyPayWebhookController._generic_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_easypay_oca route-public-csrf-off /payment/easypay/webhook/authorisation — Public HTTP endpoint 'EasyPayWebhookController._authorisation_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_easypay_oca route-public-csrf-off /payment/easypay/webhook/transaction — Public HTTP endpoint 'EasyPayWebhookController.easypay_transaction_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_easypay_oca route-public-sudo /payment/easypay/webhook/transaction — Unauthenticated endpoint 'EasyPayWebhookController.easypay_transaction_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_easypay_oca route-public-sudo /payment/easypay/create_checkout_session — Unauthenticated endpoint 'EasyPayCheckoutSessionController.create_checkout_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_flutterwave route-public-sudo FlutterwaveController.flutterwave_return_from_checkout — Unauthenticated endpoint 'FlutterwaveController.flutterwave_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_flutterwave route-public-csrf-off FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_flutterwave route-public-sudo FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mercado_pago route-public-sudo MercadoPagoController.mercado_pago_return_from_checkout — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mercado_pago route-public-csrf-off MercadoPagoController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mercado_pago route-public-sudo MercadoPagoController.mercado_pago_webhook — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_return_from_checkout — Unauthenticated endpoint 'MollieController.mollie_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_webhook — Unauthenticated endpoint 'MollieController.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_nuvei route-public-sudo NuveiController.nuvei_return_from_checkout — Unauthenticated endpoint 'NuveiController.nuvei_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_nuvei route-public-csrf-off NuveiController.nuvei_webhook — Public HTTP endpoint 'NuveiController.nuvei_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_nuvei route-public-sudo NuveiController.nuvei_webhook — Unauthenticated endpoint 'NuveiController.nuvei_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-sudo PaypalController.paypal_complete_order — Unauthenticated endpoint 'PaypalController.paypal_complete_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_razorpay route-public-csrf-off RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_razorpay route-public-sudo RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo StripeController.stripe_return — Unauthenticated endpoint 'StripeController.stripe_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_webhook — Public HTTP endpoint 'StripeController.stripe_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_worldline route-public-sudo WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_worldline route-public-csrf-off WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_worldline route-public-sudo WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-sudo /payment/xendit/payment — Unauthenticated endpoint 'XenditController.xendit_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-csrf-off XenditController.xendit_webhook — Public HTTP endpoint 'XenditController.xendit_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_xendit route-public-sudo XenditController.xendit_webhook — Unauthenticated endpoint 'XenditController.xendit_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-sudo XenditController.xendit_return — Unauthenticated endpoint 'XenditController.xendit_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale route-public-sudo /pos/ticket — Unauthenticated endpoint 'PosController.invoice_request_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale route-public-sudo /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale route-public-sudo /pos_customer_display/<id_>/<access_token> — Unauthenticated endpoint 'PosCustomerDisplay.pos_customer_display' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /portal/chatter_init — Unauthenticated endpoint 'PortalChatter.portal_chatter_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_adyen route-public-sudo /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercado_pago route-public-csrf-off /pos_mercado_pago/notification — Public HTTP endpoint 'PosMercadoPagoWebhook.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_mercado_pago route-public-sudo /pos_mercado_pago/notification — Unauthenticated endpoint 'PosMercadoPagoWebhook.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercado_pago route-auth-none /pos_mercado_pago/notification — Endpoint 'PosMercadoPagoWebhook.notification' uses auth="none": it runs with no user/session at all
pos_online_payment route-public-sudo /pos/pay/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_online_payment route-public-sudo /pos/pay/confirmation/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /pos-self-order/process-order-args/<device_type>/ — Unauthenticated endpoint 'PosSelfOrderController.process_order_args' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /pos-self/<config_id>, /pos-self/<config_id>/<path:subpath> — Unauthenticated endpoint 'PosSelfKiosk.start_self_ordering' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_viva_wallet route-public-csrf-off /pos_viva_wallet/notification — Public HTTP endpoint 'PosVivaWalletController.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_viva_wallet route-public-sudo /pos_viva_wallet/notification — Unauthenticated endpoint 'PosVivaWalletController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_viva_wallet route-auth-none /pos_viva_wallet/notification — Endpoint 'PosVivaWalletController.notification' uses auth="none": it runs with no user/session at all
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
project_update_portal acl-global-read project.access_project_update_portal — Access rule grants read on '?' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
report_substitute acl-global-read action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set
rma route-public-sudo /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_gelato route-public-csrf-off GelatoController.gelato_webhook — Public HTTP endpoint 'GelatoController.gelato_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
sale_gelato route-public-sudo GelatoController.gelato_webhook — Unauthenticated endpoint 'GelatoController.gelato_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_planner_calendar rule-group-bypass partner_all_documents_follower_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_report_delivered rule-group-bypass sale_report_delivered_see_all_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_stock route-public-sudo /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_stock route-public-sudo /my/picking/return/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_return_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sales_team rule-group-bypass crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group
sms route-public-sudo /sms/status — Unauthenticated endpoint 'SmsController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sms_twilio route-public-csrf-off /sms_twilio/status/<string:uuid> — Public HTTP endpoint 'SmsTwilioController.update_sms_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
sms_twilio route-public-sudo /sms_twilio/status/<string:uuid> — Unauthenticated endpoint 'SmsTwilioController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
spreadsheet_dashboard route-public-sudo /dashboard/share/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.share_portal' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
spreadsheet_dashboard route-public-sudo /dashboard/data/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.get_shared_dashboard_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
stock_measuring_device_zippcube route-auth-none /stock/zippcube/<string:zippcube_device_name>/measurement — Endpoint 'ZippcubeController.measurement' uses auth="none": it runs with no user/session at all
stock_vertical_lift route-public-csrf-off /vertical-lift — Public HTTP endpoint 'VerticalLiftController.vertical_lift' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
stock_vertical_lift route-public-sudo /vertical-lift — Unauthenticated endpoint 'VerticalLiftController.vertical_lift' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
storage_file rule-group-bypass ir_rule_storage_file_internal — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey route-public-sudo /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_http route-auth-none /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/httprequest_attrs — Endpoint 'TestHttp.request_attrs' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/httprequest_environ — Endpoint 'TestHttp.request_environ' uses auth="none": it runs with no user/session at all
test_website route-public-sudo /test_website/model_item_sudo/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item_sudo' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
vault route-public-sudo /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
vault_share route-public-sudo /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/assets/<string:unique>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-public-sudo /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/sign/get_fonts, /web/sign/get_fonts/<string:fontname> — Endpoint 'Binary.get_fonts' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/legacy/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web, /odoo, /odoo/<path:subpath>, /scoped_app/<path:subpath> — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all
web route-auth-none /robots.txt — Endpoint 'Home.robots' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_pwa_customize route-public-sudo /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
webservice route-public-csrf-off /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
webservice route-public-sudo /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /model/<string:page_name_slugified>, /model/<string:page_name_slugified>/page/<int:page_number>, /model/<string:page_name_slugified>/<string:record_slug> — Unauthenticated endpoint 'ModelPageController.generic_model' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-csrf-off /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_altcha route-public-sudo /altcha — Unauthenticated endpoint 'AltchaController.generate_altcha_challenge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.customers_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event rule-group-bypass ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event rule-group-bypass ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event route-public-sudo /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor route-public-sudo /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor route-public-sudo /event_sponsor/<int:sponsor_id>/read — Unauthenticated endpoint 'ExhibitorController.event_sponsor_read' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_live route-public-sudo /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum rule-group-bypass website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/<model("forum.post"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/page/<int:page> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment route-public-sudo /website_hr_recruitment/check_recent_application — Unauthenticated endpoint 'WebsiteHrRecruitment.check_recent_application' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_group route-public-sudo /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id>/contributors/country/<model('res.country'):country>, /integrators/<integrator_id>/contributors/country/<model('res.country'):country>/page/<int:page>, /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_product_document_download_counter route-public-sudo /shop/<model("product.template"):product_template>/document/<int:document_id>/count — Unauthenticated endpoint 'ProductDocumentDownloadCounterController.product_document_with_counter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop, /shop/page/<int:page>, /shop/category/<model("product.public.category"):category>, /shop/category/<model("product.public.category"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/<model("product.template"):product_template>/document/<int:document_id> — Unauthenticated endpoint 'WebsiteSale.product_document' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/address/submit — Unauthenticated endpoint 'WebsiteSale.shop_address_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/update_address — Unauthenticated endpoint 'WebsiteSale.shop_update_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/country_info/<model("res.country"):country> — Unauthenticated endpoint 'WebsiteSale.shop_country_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/set_delivery_method — Unauthenticated endpoint 'Delivery.shop_set_delivery_method' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/get_delivery_rate — Unauthenticated endpoint 'Delivery.shop_get_delivery_rate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_autocomplete route-public-sudo /autocomplete/address — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_autocomplete route-public-sudo /autocomplete/address_full — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address_full' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_charge_payment_fee route-public-sudo /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.shop_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_collect route-public-sudo /shop/set_click_and_collect_location — Unauthenticated endpoint 'InStoreDelivery.shop_set_click_and_collect_location' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_financial_risk route-public-csrf-off CreditController.custom_process_transaction — Public HTTP endpoint 'CreditController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_sale_financial_risk route-public-sudo CreditController.custom_process_transaction — Unauthenticated endpoint 'CreditController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty route-public-sudo /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_page route-public-sudo /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_suggestion_wizard route-public-sudo /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_suggestion_wizard route-public-sudo /website_sale_loyalty_suggestion_wizard/get_defaults — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.get_default_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_suggestion_wizard route-public-sudo /website_sale_loyalty_suggestion_wizard/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.apply_promotion_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_mondialrelay route-public-sudo /website_sale_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_assortment route-public-sudo /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock route-public-sudo /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSaleStock.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<int:wish_id> — Unauthenticated endpoint 'WebsiteSaleWishlist.remove_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides rule-group-bypass rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides route-public-sudo /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/<int:channel_id>, /slides/<int:channel_id>/category/<int:category_id>, /slides/<int:channel_id>/category/<int:category_id>/page/<int:page>, /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group

Active Pull Requests 242

0 fresh 0 rotting 0 rotten

Module Repository Title Age CI
account-invoice-tax-note OCA/account-invoicing [17.0][MIG] account_invoice_tax_note: Migration to 17.0 #1997 no CI data
account_ecotax_sale_tax OCA/account-fiscal-rule [17.0][MIG] account_ecotax_sale_tax #563 no CI data
account_invoice_check_picking_date OCA/account-invoicing [17.0][MIG] account_invoice_check_picking_date #2116 no CI data
account_invoice_constraint_chronology OCA/account-financial-tools 17.0 mig account invoice constraint chronology #2218 no CI data
account_invoice_constraint_chronology OCA/account-financial-tools [17.0][MIG] account_invoice_constraint_chronology: Migration to 17.0 #1889 no CI data
account_invoice_constraint_chronology_in_date_range-2 OCA/account-financial-tools 17.0 mig account invoice constraint chronology in date range 2 #2219 no CI data
account_invoice_import OCA/edi [17.0][MIG] account_invoice_import: Migration to 17.0 #1295 no CI data
account_invoice_import_invoice2data OCA/edi [17.0][MIG] account_invoice_import_invoice2data: Migration to 17.0 #1301 no CI data
account_invoice_merge OCA/account-invoicing [17.0][MIG] account_invoice_merge: Migration to 17.0 #1632 no CI data
account_invoice_payment_retention OCA/account-invoicing [17.0][MIG] account_invoice_payment_retention: Migration to 17.0 #2034 no CI data
account_invoice_pricelist_sale OCA/account-invoicing [17.0][MIG] account_invoice_pricelist_sale: Migration to 17.0 #1943 no CI data
account_invoice_pricelist_sale OCA/account-invoicing [17.0][MIG] account_invoice_pricelist_sale #1776 no CI data
account_invoice_refund_line_selection2 OCA/account-invoicing [17.0][MIG] account_invoice_refund_line_selection #2197 no CI data
account_invoice_tax_required OCA/account-invoicing [17.0][MIG] account_invoice_tax_required: Migration to 17.0 #2182 no CI data
account_invoice_tree_currency OCA/account-invoicing [17.0][MIG]account_invoice_tree_currency: Migration to 17.0 #2033 no CI data
account_invoice_ubl OCA/edi [17.0][MIG] account_invoice_ubl: Migration to 17.0 #1368 no CI data
account_journal_general_sequence OCA/account-financial-tools [MIG] account_journal_general_sequence #2309 no CI data
account_mail_autosubscribe OCA/account-invoicing [17.0][MIG] account_mail_autosubscribe: Migration to 17.0 #2088 no CI data
account_move_budget OCA/account-financial-tools [MIG] account_move_budget: Migration to 17.0 #2313 no CI data
account_move_line_accounting_description OCA/account-invoicing [17.0][MIG] account_move_line_accounting_description: Migration to 17.0 #2191 no CI data
account_move_reconcile_forbid_cancel OCA/account-reconcile [17.0][MIG] account_move_reconcile_forbid_cancel: Migration to 17.0 #801 no CI data
account_payment_term_partner_holiday OCA/account-payment [17.0][MIG] account_payment_term_partner_holiday: Migration to 17.0 #811 no CI data
account_spread_cost_revenue_enhanced OCA/account-financial-tools [17.0][MIG][IMP] account_spread_cost_revenue_enhanced: Migration to 17.0 #2083 no CI data
account_tax_change OCA/account-invoicing [17.0][MIG] account_tax_change #1714 no CI data
ai_oca_mcp OCA/ai [MIG] ai_oca_mcp: migration to 17.0 #85 no CI data
ai_tool OCA/ai [MIG] ai_tool: Migration to v17.0 #84 no CI data
analytic_tag_dimension OCA/account-analytic [17.0][MIG] analytic_tag_dimension: Migration to 17.0 #756 no CI data
attachment_delete_restrict OCA/server-tools [17.0][MIG] attachment_delete_restrict: Migration to 17.0 #3347 no CI data
attachment_unindex_content-BAD OCA/server-tools [17.0] [MIG] attachment_unindex_content: Migration to 17.0 #3197 no CI data
auth_oauth_environment OCA/server-env [17.0][MIG] auth_oauth_environment: Migration to 17.0 #254 no CI data
barcodes_generator_package OCA/stock-logistics-barcode [17.0][MIG] barcodes_generator_package: Migration to 17.0 #643 no CI data
base-export-async OCA/queue [17.0] [MIG] base_export_async: migrate module #877 no CI data
base_dav OCA/server-backend [MIG] base_dav: Migration to 17.0 #276 no CI data
base_export_async OCA/queue [MIG] base_export_async: Migration to 17.0 #894 no CI data
base_external_dbsource_firebird OCA/server-backend [17.0][MIG] base_external_dbsource_firebird: Migration to 17.0 #395 no CI data
base_multi_image OCA/server-tools [17.0][MIG] base_multi_image: Migration to 17.0 #3063 no CI data
base_remote OCA/server-tools [17.0][BKP] base_remote: backport from 18.0 #3279 no CI data
base_time_window OCA/server-tools [17.0][MIG] base_time_window: Migration to 17.0 #3030 no CI data
base_ubl_payment OCA/edi [17.0][MIG] base_ubl_payment: Migration to 17.0 #1369 no CI data
bc3_importer OCA/vertical-construction [17.0][MIG] bc3_importer: Migration to 17.0 #40 no CI data
bus_alt_connection OCA/server-tools [MIG] bus_alt_connection: Migration to 17.0 #2864 no CI data
calendar_event_link_base OCA/calendar [17.0] [MIG] calendar_event_link_base: Migration to 17.0 #146 no CI data
calendar_event_type_color OCA/calendar [17.0] [MIG] calendar_event_type_color: Migration to 17.0 #147 no CI data
carrier_account_environment OCA/delivery-carrier [17.0][MIG] carrier_account_environment: Migration to 17.0 #959 no CI data
clean-v2 OCA/web [17.0][MIG] web_select_all_companies: Migration to 17.0 #3567 no CI data
commission_delegated_partner OCA/commission [17.0][MIG] commission_delegated_partner: Migration to 17.0 #598 no CI data
connector_ecommerce OCA/connector-ecommerce [MIG][17.0] connector_ecommerce: Migration to 17.0 #80 no CI data
connector_jira_tempo OCA/connector-jira [17.0][WIP][MIG] connector_jira_tempo: Migration to 17.0 #111 no CI data
connector_jira_tempo_base OCA/connector-jira [17.0][WIP][MIG] connector_jira_tempo_base: Migration to 17.0 #110 no CI data
contract_sale_generation OCA/contract [17.0][MIG] contract_sale_generation: Migration to 17.0 #1234 no CI data
currency_rate_inverted OCA/currency [17.0][MIG] currency_rate_inverted #230 no CI data
currency_rate_update_wise OCA/currency [17.0][MIG] currency_rate_update_wise #224 no CI data
currency_rate_update_xe OCA/currency [17.0][FIX] currency_rate_update_xe: send User-Agent and raise on HTTP error #218 no CI data
delivery_carrier_deposit OCA/delivery-carrier [17.0][MIG] delivery_carrier_deposit: Migration to 17.0 #948 no CI data
delivery_carrier_max_weight_constraint OCA/delivery-carrier [17.0][MIG] delivery_carrier_max_weight_constraint: Migration to 17.0 #950 no CI data
delivery_driver_stock_picking_batch OCA/delivery-carrier [17.0][MIG] delivery_driver_stock_picking_batch: Migration to 17.0 #952 no CI data
delivery_dropoff_site OCA/delivery-carrier [17.0][MIG] delivery_dropoff_site: Migration to 17.0 #951 no CI data
delivery_roulier_chronopost_fr OCA/delivery-carrier [17.0][MIG] delivery_roulier_chronopost_fr: Migration to 17.0 #830 no CI data
edi_voxel_stock_picking_oca OCA/edi-voxel [17.0][MIG] edi_voxel_stock_picking_oca: : Migration to 17.0 #9 no CI data
event_contact OCA/event [17.0][MIG] event_contact: Migration to 17.0 #439 no CI data
event_registration_mass_mailing OCA/event [17.0][MIG] event_registration_mass_mailing: Migration to 17.0 #440 no CI data
excel_import_export OCA/server-tools [17.0] mig-excel_import_export #2991 no CI data
excel_import_export_unidecode OCA/server-tools 17.0-mig-excel_import_export_unidecode #3032 no CI data
export_async_schedule OCA/queue [MIG] export_async_schedule: Migration to 17.0 #893 no CI data
fastapi_auth_jwt OCA/rest-framework [17.0][MIG] fastapi_auth_jwt #585 no CI data
fieldservice_account_payment OCA/field-service [17.0] [MIG] fieldservice_account_payment #1490 no CI data
hr_attendance_overtime OCA/hr-attendance [17.0][MIG] hr_attendance_overtime #234 no CI data
hr_attendance_rfid_log OCA/hr-attendance [17.0] [MIG] hr_attendance_rfid_log: Migration to 17.0 #279 no CI data
hr_attendance_validation OCA/hr-attendance [17.0][MIG] hr_attendance_validation #221 no CI data
hr_birthday_welcome_message OCA/hr-attendance [17.0][MIG] hr_birthday_welcome_message: Migration to 17.0 #249 no CI data
hr_course_survey OCA/hr [17.0][MIG] hr_course_survey: Migration to 17.0 #1579 no CI data
hr_expense_pay_to_vendor OCA/hr-expense [17.0][MIG] hr_expense_pay_to_vendor: Migration to 17.0 #335 no CI data
hr_holidays_auto_extend OCA/hr-holidays [17.0] [MIG] hr_holidays_auto_extend: migration to 17.0 #177 no CI data
hr_holidays_leave_auto_approve OCA/hr-holidays [17.0] [MIG] hr_holidays_leave_auto_approve: migration to 17.0 #175 no CI data
hr_holidays_team_manager OCA/hr [17.0][MIG] hr_holidays_team_manager: Migration to 17.0 #1450 no CI data
hr_leave_type_code OCA/hr-holidays [17.0] [MIG] hr_leave_type_code: migration to 17.0 #176 no CI data
hr_planning_resources OCA/resource [17.0][MIG] hr_planning_resources #5 no CI data
hr_timesheet_day_week OCA/timesheet [17.0][MIG] hr_timesheet_day_week: Migration to 17.0 #829 no CI data
hr_timesheet_sheet_policy_direct_manager OCA/timesheet [17.0][MIG] hr_timesheet_sheet_policy_direct_manager: Migration to 17.0 #881 no CI data
hr_utilization_report OCA/timesheet [17.0][MIG] hr_utilization_report: Migration to 17.0 #747 no CI data
html_image_url_extractor OCA/server-tools [17.0][MIG] html_image_url_extractor: Migration to 17.0 #3533 no CI data
ir_filters_multi_company OCA/multi-company [17.0][MIG] ir_filters_multi_company #976 no CI data
l10n_br_sale_commission OCA/l10n-brazil [17.0][MIG] l10n_br_sale_commission: Migration to 17.0 #4537 no CI data
l10n_ec_delivery_note OCA/l10n-ecuador 17.0 mig l10n ec delivery note #79 no CI data
l10n_es_digital_canon OCA/l10n-spain [MIG] l10n_es_digital_canon: Migration to 17.0 #4906 no CI data
l10n_es_digital_canon_website_sale OCA/l10n-spain [17.0][MIG] l10n_es_digital_canon_website_sale: Migration to 17.0 #4904 no CI data
l10n_es_verifactu_oca_oss OCA/l10n-spain [17.0][MIG] l10n_es_verifactu_oca_oss: Migration to 17.0 #4607 no CI data
l10n_es_verifactu_pos_oca OCA/l10n-spain [17.0][MIG] l10n_es_verifactu_pos_oca: Migration to 17.0 #4527 no CI data
l10n_fr_siret_lookup OCA/l10n-france [17.0][MIG] l10n_fr_siret_lookup : Migration to 17.0 #680 no CI data
l10n_jp_summary_invoice OCA/l10n-japan [17.0][MIG] l10n_jp_summary_invoice: Migration to 17.0 #76 no CI data
loyalty_criteria_multi_product OCA/sale-promotion [17.0][MIG] loyalty_criteria_multi_product: Migration to 17.0 #240 no CI data
loyalty_multi_gift OCA/sale-promotion [17.0][MIG] loyalty_multi_gift: Migration to 17.0 #242 no CI data
mail_activity_partner OCA/social [17.0][MIG] mail_activity_partner #1819 no CI data
mail_activity_reply_creator OCA/social [17.0][MIG] mail_activity_reply_creator: Migration to 17.0 #1574 no CI data
mail_activity_validation OCA/social [17.0][MIG] mail_activity_validation: Migration to 17.0 #1336 no CI data
maintenance_purchase OCA/maintenance [17.0][BACKPORT] maintenance_purchase: Backport from 18.0 to 17.0 #552 no CI data
maintenance_purchase_stock OCA/maintenance [17.0][BACKPORT] maintenance_purchase_stock: Backport from 18.0 to 17.0 #553 no CI data
membership_prorate OCA/vertical-association [17.0][MIG] membership_prorate: Migration to 17.0 #194 no CI data
membership_prorate_variable_period OCA/vertical-association [17.0][MIG] membership_prorate_variable_period: Migration to 17.0 #195 no CI data
membership_withdrawal OCA/vertical-association [17.0][MIG] membership_withdrawal: Migration to 17.0 #196 no CI data
mis_builder_budget_product OCA/mis-builder-contrib [17.0][MIG] mis_builder_budget_product: Migration to 17.0 #53 no CI data
mis_builder_total_committed_purchase OCA/mis-builder-contrib [17.0][MIG] mis_builder_total_committed_purchase: Migration to 17.0 #54 no CI data
mrp_account_bom_attribute_match2 OCA/manufacture [17.0][MIG] mrp_account_bom_attribute_match: Migration to 17.0 #1771 no CI data
mrp_bom_version OCA/manufacture [17.0][MIG] mrp_bom_version: Migration to 17.0 #1681 no CI data
mrp_subcontracting_inhibit OCA/manufacture [17.0][BKP]mrp_subcontracting_inhibit: backport from 18.0 #1755 no CI data
outgoing_email_by_model OCA/social [17.0][MIG] outgoing_email_by_model: Migration to 17.0 #1573 no CI data
partner_address_version OCA/partner-contact [17.0][MIG] partner_address_version: Migration to 17.0 #2209 no CI data
partner_auto_archive-BAD OCA/partner-contact [17.0][MIG] partner_auto_archive: Migration to 17.0 #2127 no CI data
partner_contact_in_several_companies OCA/partner-contact [MIG][17.0] mig partner_contact_in_several_companies #2324 no CI data
partner_exception OCA/partner-contact [17.0][MIG] partner_exception #2392 no CI data
partner_last_invoice_date OCA/account-invoicing [17.0][MIG] partner_last_invoice_date: Migration to 17.0 #2020 no CI data
partner_name_hide_parent OCA/partner-contact [17.0][MIG] partner_name_hide_parent #2233 no CI data
partner_supplierinfo_smartbutton OCA/purchase-workflow [17.0][MIG] partner_supplierinfo_smartbutton: Migration to 17.0 #2713 no CI data
pim_base OCA/odoo-pim [17.0][mig] pim_base #240 no CI data
pos_category_multicompany OCA/multi-company [17.0][MIG] pos_category_multicompany: Migration to 17.0 #792 no CI data
pos_edit_order_line OCA/pos [17.0][MIG] pos_edit_order_line: Migration to 17.0 #1300 no CI data
pos_minimize_menu OCA/pos [17.0][MIG] pos_minimize_menu: Migration to 17.0 #1301 no CI data
pos_order_new_line OCA/pos [17.0][MIG] pos_order_new_line: Migration to 17.0 #1302 no CI data
pos_order_remove_line OCA/pos [17.0][MIG] pos_order_remove_line: Migration to 17.0 #1303 no CI data
pos_order_reorder OCA/pos [17.0][MIG] pos_order_reorder: Migration to 17.0 #1304 no CI data
pos_product_mergeable_line OCA/pos [17.0][MIG] pos_product_mergeable_line: Migration to 17.0 #1305 no CI data
pos_product_multi_barcode OCA/pos [17.0][MIG] pos_product_multi_barcode #1379 no CI data
pos_receipt_hide_price OCA/pos [17.0][MIG] pos_receipt_hide_price #1393 no CI data
pos_screen_element_custom_size OCA/pos [17.0][MIG] pos_screen_element_custom_size: Migration to 17.0 #1306 no CI data
pos_supplierinfo_search OCA/pos [17.0][MIG] pos_supplierinfo_search: Migration to 17.0 #1307 no CI data
pos_ticket_extra_company_info_l10n_fr OCA/pos [17.0][MIG] pos_ticket_extra_company_info_l10n_fr: Migration to 17.0 #1308 no CI data
pricelist_brand OCA/brand [17.0][MIG] pricelist_brand: Migration to 17.0 #314 no CI data
product_brand_mrp OCA/brand [17.0][MIG] product_brand_mrp: Migration to 17.0 #226 no CI data
product_brand_stock OCA/brand [17.0][MIG] product_brand_stock: Migration to 17.0 #228 no CI data
product_brand_stock_account OCA/brand [17.0][MIG] product_brand_stock_account: Migration to 17.0 #229 no CI data
product_brand_tag OCA/brand [17.0][MIG] product_brand_tag: Migration to 17.0 #230 no CI data
product_category_hr_department OCA/product-attribute [17.0][MIG] product_category_hr_department: Migration to 17.0 #1924 no CI data
product_category_level OCA/product-attribute [17.0][MIG] product_category_level: Migration to 17.0 #1925 no CI data
product_creation_dynamic_wizard OCA/odoo-pim [17.0][mig] product_creation_dynamic_wizard #241 no CI data
product_main_seller-BAD OCA/purchase-workflow [17.0] [MIG] product_main_seller: Migration to 17.0 #2780 no CI data
product_optional_product_quantity OCA/product-attribute [17.0][MIG] product_optional_product_quantity: Migration to 17.0 #1927 no CI data
product_packaging_calculator_packaging_level OCA/product-attribute [17.0][MIG] product_packaging_calculator_packaging_level #2313 no CI data
product_packaging_level_purchasable OCA/product-attribute [17.0][MIG] product_packaging_level_purchasable: Migration to 17.0 #1929 no CI data
product_replenishment_cost OCA/margin-analysis [17.0][MIG] product_replenishment_cost: Migration to 17.0 #238 no CI data
product_simple_seasonality OCA/product-attribute [17.0][MIG] product_simple_seasonality: Migration to 17.0 #1930 no CI data
product_sold_by_delivery_week OCA/sale-reporting [17.0][MIG] product_sold_by_delivery_week: Migration to 17.0 #312 no CI data
product_standard_margin OCA/margin-analysis [17.0] [MIG] product_standard_margin: Migration to 17.0 #256 no CI data
product_supplierinfo_update_price OCA/purchase-workflow [17.0][MIG] product_supplierinfo_update_price: Migration to 17.0 #2712 no CI data
product_variant_attribute_name_manager_new_update OCA/product-attribute [17.0][MIG] product_variant_attribute_name_manager: Migration to 17.0 #1691 no CI data
product_variant_route_mto OCA/product-attribute [17.0] [MIG] product_variant_route_mto: Migration to 17.0 #2097 no CI data
project_task_recurring_activity OCA/project [17.0][MIG] project_task_recurring_activity: Migration to 17.0 #1671 no CI data
project_task_report OCA/project-reporting [17.0][MIG] project task report #58 no CI data
project_task_report OCA/project-reporting [15.0][MIG] Migration of project_task_report #54 no CI data
project_task_stage_allow_timesheet-hda OCA/timesheet [MIG] project_task_stage_allow_timesheet : 17.0 #830 no CI data
project_task_timesheet_report OCA/project-reporting [17.0][MIG] migration of module project_task_timesheet_report #55 no CI data
project_timesheet_holidays_dynamic_description OCA/timesheet [17.0][MIG] project_timesheet_holidays_dynamic_description #902 no CI data
purchase_analytic_global OCA/purchase-workflow [17.0][MIG] purchase_analytic_global: Migration to 17.0 #2668 no CI data
purchase_order_hide_receipt_status OCA/purchase-workflow [17.0][MIG] purchase_order_hide_receipt_status: Migration to 17.0 #2604 no CI data
purchase_order_owner OCA/purchase-workflow [17.0][MIG] purchase_order_owner: Migration to 17.0 #2662 no CI data
purchase_supplierinfo_currency OCA/purchase-workflow [17.0][MIG] Migration of module purchase_supplierinfo_currency #2456 no CI data
purchase_uninvoiced_amount_force_invoiced_line OCA/purchase-workflow [17.0][MIG] purchase_uninvoiced_amount_force_invoiced_line #2809 no CI data
quality_control_product_manufacturer OCA/manufacture [17.0][MIG] quality_control_product_manufacturer: migration to 17.0 #1679 no CI data
rental_base OCA/vertical-rental [17.0][MIG] rental_base #53 no CI data
rental_check_availability OCA/vertical-rental [17.0][MIG] rental_check_availability #55 no CI data
rental_offday OCA/vertical-rental [17.0][MIG] rental_offday #56 no CI data
rental_pricelist OCA/vertical-rental [17.0][MIG] rental_pricelist #54 no CI data
rental_pricelist_interval OCA/vertical-rental [17.0][MIG] rental_pricelist_interval #57 no CI data
rental_product_pack OCA/vertical-rental [17.0][MIG] rental_product_pack #58 no CI data
rental_timeline OCA/vertical-rental [17.0][MIG] rental_timeline #59 no CI data
report_alternative_layout OCA/l10n-japan [17.0][MIG] report_alternative_layout: Migration to 17.0 #74 no CI data
res_company_category OCA/multi-company [17.0][MIG] res_company_category: Migration to 17.0 #794 no CI data
resource_leaves_geographic OCA/hr-holidays [17.0] [MIG] resource_leaves_geographic: migration to 17.0 #178 no CI data
sale_auto_remove_zero_quantity_lines-BAD OCA/sale-workflow [17.0] [MIG] sale_auto_remove_zero_quantity_lines: Migration to 17.0 #3883 no CI data
sale_channel OCA/sale-channel [17.0][MIG] sale_channel: Migration to 17.0 #26 no CI data
sale_channel_category OCA/sale-channel [17.0][MIG] sale_channel_category: Migration to 17.0 #27 no CI data
sale_channel_product OCA/sale-channel [17.0][MIG] sale_channel_product: Migration to 17.0 #28 no CI data
sale_last_price_info-BAD OCA/sale-workflow [17.0] [MIG] sale_last_price_info: Migration to 17.0 #3806 no CI data
sale_loyalty_auto_refresh OCA/sale-promotion [17.0][MIG] sale_loyalty_auto_refresh: Migration to 17.0 #245 no CI data
sale_loyalty_criteria_multi_product OCA/sale-promotion [17.0][MIG] sale_loyalty_criteria_multi_product: Migration to 17.0 #243 no CI data
sale_loyalty_multi_gift OCA/sale-promotion [17.0][MIG] sale_loyalty_multi_gift: Migration to 17.0 #249 no CI data
sale_loyalty_order_info OCA/sale-promotion [17.0][MIG] sale_loyalty_order_info: Migration to 17.0 #244 no CI data
sale_loyalty_partner OCA/sale-promotion [17.0][MIG] sale_loyalty_partner: Migration to 17.0 #250 no CI data
sale_margin_delivered OCA/margin-analysis [17.0][MIG] sale_margin_delivered: Migration to 17.0 #239 no CI data
sale_margin_delivered_security OCA/margin-analysis [17.0] [MIG] sale_margin_delivered_security #257 no CI data
sale_margin_sync OCA/margin-analysis [17.0][MIG] sale_margin_sync: Migration to 17.0 #241 no CI data
sale_mrp_bom OCA/sale-workflow [17.0][MIG] sale_mrp_bom #3262 no CI data
sale_order_amount_to_invoice OCA/sale-workflow [17.0][MIG] sale_order_amount_to_invoice #3928 no CI data
sale_order_general_discount_triple OCA/sale-workflow [17.0][MIG] sale_order_general_discount_triple: Migration to 17.0 #3235 no CI data
sale_order_line_multi_warehouse OCA/sale-workflow [17.0][MIG] sale_order_line_multi_warehouse #3759 no CI data
sale_order_merge OCA/sale-workflow [17.0][MIG] sale_order_merge #3904 no CI data
sale_order_picking_validation_blocking OCA/sale-workflow [17.0][MIG] sale_stock_picking_validation_blocking: Migrate to 17.0 #3367 no CI data
sale_order_weight OCA/sale-reporting [17.0][MIG] sale_order_weight: Migration to 17.0 #303 no CI data
sale_packaging_report OCA/sale-reporting [17.0][MIG] sale_packaging_report: Migration to 17.0 #308 no CI data
sale_product_variant_attribute_tax OCA/product-variant [17.0][MIG] sale_product_variant_attribute_tax: Migration to 17.0 #384 no CI data
sale_rental OCA/vertical-rental [17.0][MIG] sale_rental #52 no CI data
sale_report_delivered_volume OCA/sale-reporting [17.0][MIG] sale_report_delivered_volume: Migration to 17.0 #310 no CI data
sale_stock_picking_invoicing OCA/account-invoicing [17.0][MIG] sale_stock_picking_invoicing: Migration to 17.0 #2178 no CI data
sale_stock_service_level OCA/sale-workflow [17.0][MIG] sale_stock_service_level #3678 no CI data
sale_stock_warehouse_multicompany OCA/multi-company [17.0][MIG] sale stock warehouse multicompany #915 no CI data
sale_variant_configurator OCA/product-variant [17.0][MIG] sale_variant_configurator: Migration to 17.0 #381 no CI data
scrumr OCA/project-agile [17.0][MIG] project_scrum #45 no CI data
shipment_advice OCA/stock-logistics-transport [17.0] [MIG] shipment_advice #210 no CI data
stock_cycle_count OCA/stock-logistics-warehouse [17.0][MIG] stock_cycle_count: Migration to 17.0 #2475 no CI data
stock_delivery_note OCA/stock-logistics-reporting [17.0] [MIG] stock_delivery_note #479 no CI data
stock_intercompany OCA/multi-company [17.0][MIG] stock_intercompany: Migration to 17.0 #795 no CI data
stock_inventory_count_to_zero OCA/stock-logistics-warehouse [MIG] stock_inventory_count_to_zero: Migration to 17.0 #2605 no CI data
stock_lot_multi_image OCA/stock-logistics-warehouse [17.0][MIG] stock_lot_multi_image: Migration to 17.0 #2271 no CI data
stock_move_common_dest OCA/stock-logistics-warehouse [MIG] stock_move_common_dest: Migration to 17.0 #2606 no CI data
stock_move_line_auto_fill OCA/stock-logistics-workflow [17.0][MIG] stock_move_line_auto_fill #1709 no CI data
stock_mts_mto_mrp_rule OCA/stock-logistics-warehouse [17.0][MIG] stock_mts_mto_mrp_rule: Migration to 17.0 #2241 no CI data
stock_picking_batch_extended OCA/stock-logistics-workflow [17.0][MIG] stock_picking_batch_extended: Migration to version 17.0 #1997 no CI data
stock_picking_batch_report OCA/stock-logistics-reporting [17.0][MIG] stock_picking_batch_report: Migration to 17.0 #387 no CI data
stock_picking_commercial_partner OCA/stock-logistics-warehouse [MIG] stock_picking_commercial_partner: Migration to 17.0 #2607 no CI data
stock_picking_report_header_repeater OCA/stock-logistics-reporting [17.0][MIG] stock_picking_report_header_repeater: Migration to 17.0 #383 no CI data
stock_picking_report_internal_delivery_address OCA/stock-logistics-reporting [17.0][MIG] stock_picking_report_internal_delivery_address: Migration to 17.0 #384 no CI data
stock_picking_report_salesperson OCA/stock-logistics-reporting [17.0][MIG] stock_picking_report_salesperson: Migration to 17.0 #385 no CI data
stock_picking_report_summary OCA/stock-logistics-reporting [17.0][MIG] stock_picking_report_summary: Migration to 17.0 #386 no CI data
stock_production_lot_traceability OCA/stock-logistics-workflow [17.0][MIG] stock_lot_traceability: Migration to 17.0 #1638 no CI data
stock_quant_cost_info OCA/stock-logistics-warehouse [MIG] stock_quant_cost_info: Migration to 17.0 #2608 no CI data
stock_quant_package_dimension_total_weight_from_packaging-2 OCA/stock-logistics-workflow [17.0][mig] stock_quant_package_dimension_total_weight_from_packaging #2265 no CI data
stock_report_quantity_by_location OCA/stock-logistics-reporting [17.0] [MIG] stock_report_quantity_by_location: Migration to 17.0 #344 no CI data
stock_service_level OCA/wms [17.0][MIG] stock_service_level #1003 no CI data
template_content_swapper OCA/server-ux [17.0][MIG] template_content_swapper: Migration to 17.0 #1140 no CI data
web_action_conditionable OCA/web [17.0][MIG] web_action_conditionable: Migration to 17.0 #3557 no CI data
web_dark_mode OCA/web [17.0] [MIG] web_dark_mode: Migration to 17.0 #3099 no CI data
web_dark_theme OCA/web [17.0] [MIG] web_dark_mode: Migration to 17.0 #3548 no CI data
web_disable_export_group OCA/web [17.0][MIG] Migration of web_disable_export_group to 17.0 #3159 no CI data
web_disable_export_group OCA/web [MIG] web disable export group: Migration to 17.0 #2925 no CI data
web_field_required_invisible_manager OCA/web [WIP][17.0][MIG] web_field_required_invisible_manager: Migration to 17.0 #3071 no CI data
web_form_banner OCA/web [17.0][MIG] web_form_banner: Migration to 17.0 #3305 no CI data
web_ir_actions_act_multi OCA/web [17.0][MIG] web_ir_actions_act_multi: Migration to 17.0 #3081 no CI data
web_ir_actions_act_window_message-BAD OCA/web [17.0] [MIG] web_ir_actions_act_window_message: Migration to 17.0 #2812 no CI data
web_notify_channel_message OCA/web [17.0][MIG] web_notify_channel_message #2931 no CI data
web_select_all_companies OCA/web [17.0][MIG] web_select_all_companies: Migration to 17.0 #2834 no CI data
web_select_all_companies OCA/web [MIG] web_select_all_companies: Migration to 17.0 #2798 no CI data
web_sheet_full_width OCA/web [17.0][MIG]web_sheet_full_width Migration to 17.0 #2838 no CI data
web_view_leaflet_map OCA/geospatial [17.0][MIG] web_view_leaflet_map #415 no CI data
web_widget_pattern OCA/web [17.0][MIG] web_widget_pattern: Migration to 17.0 #3154 no CI data
web_widget_remaining_days_exact_date OCA/web [MIG] web_widget_remaining_days_exact_date: Migration to 17.0 #3276 no CI data
website_altcha OCA/website [17.0][MIG] website_altcha #1192 no CI data
website_field_autocomplete OCA/website [17.0][MIG] website_field_autocomplete: Migration to 17.0 #1098 no CI data
website_geoengine OCA/geospatial [MIG] website_geoengine: Migration to 17.0 #443 no CI data
website_sale_address_format OCA/e-commerce [17.0][MIG] website_sale_address_format: Migration to 17.0 #1101 no CI data
website_sale_affiliate/17.0 OCA/e-commerce [17.0][MIG] website_sale_affiliate: Migration to 17.0 #1262 no CI data
website_sale_product_assortment OCA/e-commerce [MIG] [17.0] Migration: website_sale_product_assortment #1171 no CI data
website_sale_slides_multi_qty OCA/e-learning [17.0][MIG] website_sale_slides_multi_qty: Migration to version 17.0 #12 no CI data
website_slides_attendees_completed_time OCA/e-learning [17.0] [MIG] website_slides_attendees_completed_time #20 no CI data

Security Findings

Errors 77

Module Code Message
auth_totp_portal acl-public-write access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
delivery_sendcloud_oca acl-global-write access_sendcloud_parcel — Access rule grants write/create/unlink on 'model_sendcloud_parcel' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_parcel_item — Access rule grants write/create/unlink on 'model_sendcloud_parcel_item' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_brand — Access rule grants write/create on 'model_sendcloud_brand' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_parcel_status — Access rule grants write/create on 'model_sendcloud_parcel_status' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_return — Access rule grants write/create on 'model_sendcloud_return' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_return_location — Access rule grants write/create on 'model_sendcloud_return_location' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_invoice — Access rule grants write/create on 'model_sendcloud_invoice' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_invoice_item — Access rule grants write/create/unlink on 'model_sendcloud_invoice_item' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_sender_address — Access rule grants write/create on 'model_sendcloud_sender_address' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_action_webhook — Access rule grants write/create on 'model_sendcloud_action' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_integration — Access rule grants write/create on 'model_sendcloud_integration' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_shipping_method_country — Access rule grants write/create/unlink on 'model_sendcloud_shipping_method_country' to EVERY user (portal/public included): no group is set
delivery_sendcloud_oca acl-global-write access_sendcloud_shipping_method_country_custom — Access rule grants write/create/unlink on 'model_sendcloud_shipping_method_country_custom' to EVERY user (portal/public included): no group is set
fieldservice_route acl-public-write access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal'
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
graphql_demo route-user-csrf-off /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
l10n_es_atc_mod417 acl-global-write access_l10n_es_atc_mod417_report_manager — Access rule grants write/create/unlink on 'model_l10n_es_atc_mod417_report' to EVERY user (portal/public included): no group is set
l10n_ro_account_anaf_sync route-user-csrf-off /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_discuss_channel_member_public — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_public'
mail acl-public-write access_discuss_channel_member_portal — Access rule grants write/create/unlink on 'model_discuss_channel_member' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal'
mrp_subcontracting_account acl-public-write access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal'
partner_aging acl-global-write res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set
partner_autocomplete acl-public-write access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal'
password_security acl-public-write access_res_users_pass_history_portal — Access rule grants create on 'model_res_users_pass_history' to the portal/public group 'base.group_portal'
project acl-public-write access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal'
project_version acl-global-write project_version — Access rule grants write/create/unlink on 'model_project_version' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set
sql_export acl-global-write access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set
stock_reserve_sale acl-global-write stock_reserve_sale.access_sale_stock_reserve — Access rule grants write/create/unlink on 'stock_reserve_sale.model_sale_stock_reserve' to EVERY user (portal/public included): no group is set
stock_reserve_sale acl-global-write stock_reserve_sale.access_sale_stock_reserve_release — Access rule grants write/create/unlink on 'stock_reserve_sale.model_sale_stock_reserve_release' to EVERY user (portal/public included): no group is set
test_access_rights acl-public-write access_test_access_right_some_obj_public — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_container_public — Access rule grants write/create/unlink on 'model_test_access_right_container' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_inherits_public — Access rule grants write/create/unlink on 'model_test_access_right_inherits' to the portal/public group 'base.group_public'
test_access_rights acl-public-write access_test_access_right_child_public — Access rule grants write/create/unlink on 'model_test_access_right_child' to the portal/public group 'base.group_public'
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_mail acl-public-write access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal'
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
utm acl-public-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to the portal/public group 'base.group_portal'
utm acl-public-write access_utm_medium — Access rule grants create on 'model_utm_medium' to the portal/public group 'base.group_portal'
utm acl-public-write access_utm_source — Access rule grants create on 'model_utm_source' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 499

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group
account route-public-sudo /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_brand acl-global-read res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set
account_payment rule-group-bypass payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_statement_import_online_gocardless route-public-csrf-off /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
account_statement_import_online_gocardless route-public-sudo /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
ai_oca_bridge route-public-csrf-off /ai/response/<int:execution_id>/<string:token> — Public HTTP endpoint 'AIController.ai_process_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
ai_oca_bridge route-public-sudo /ai/response/<int:execution_id>/<string:token> — Unauthenticated endpoint 'AIController.ai_process_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_oauth_autologin route-auth-none /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
automation_oca route-public-sudo /automation_oca/track/<int:record_id>/<string:token>/blank.gif — Unauthenticated endpoint 'AutomationOCAController.automation_oca_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
automation_oca route-public-sudo /r/<string:code>/au/<int:record_id>/<string:token> — Unauthenticated endpoint 'AutomationOCAController.automation_oca_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
base route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
base route-auth-none /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all
base_automation route-public-csrf-off /web/hook/<string:rule_uuid> — Public HTTP endpoint 'BaseAutomationController.call_webhook_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_automation route-public-sudo /web/hook/<string:rule_uuid> — Unauthenticated endpoint 'BaseAutomationController.call_webhook_http' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base_ebill_payment_contract acl-global-read access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_vat route-public-csrf-off /base_vat/1/webhook_update_vies — Public HTTP endpoint 'BaseVatWebhookController.webhook_update_vies' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
bus route-auth-none /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
calendar route-public-sudo /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
connector_jira route-auth-none /connector_jira/<int:backend_id>/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all
connector_jira route-auth-none /connector_jira/<int:backend_id>/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group
delivery_sendcloud_oca route-public-sudo /shop/sendcloud_integration_webhook/<int:company_id> — Unauthenticated endpoint 'DeliverySendcloud.sendcloud_integration_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
delivery_sendcloud_oca route-auth-none /shop/sendcloud_integration_webhook/<int:company_id> — Endpoint 'DeliverySendcloud.sendcloud_integration_webhook' uses auth="none": it runs with no user/session at all
digest route-public-csrf-off /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
digest route-public-sudo /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
event route-public-sudo /event/<int:event_id>/my_tickets — Unauthenticated endpoint 'EventController.event_my_tickets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_account_analytic rule-group-bypass analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_recurring rule-group-bypass fsm_recurring_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_route rule-group-bypass fsm_route_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_route rule-group-bypass fsm_route_dayroute_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
helpdesk_ticket_partner_response route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'HelpdeskCustomerResponse.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr rule-group-bypass ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance route-public-sudo /hr_attendance/<token> — Unauthenticated endpoint 'HrAttendance.open_kiosk_mode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/attendance_employee_data — Unauthenticated endpoint 'HrAttendance.employee_attendance_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/attendance_barcode_scanned — Unauthenticated endpoint 'HrAttendance.scan_barcode' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance route-public-sudo /hr_attendance/manual_selection — Unauthenticated endpoint 'HrAttendance.manual_selection_with_geolocation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance_reason route-public-sudo /hr_attendance_reason/get_reasons — Unauthenticated endpoint 'HrAttendance.attendance_get_reasons' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr_attendance_rfid rule-group-bypass hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_homeworking rule-group-bypass homeworking_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_homeworking rule-group-bypass homeworking_location_wizard_admin_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_applicant_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass hr_job_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment rule-group-bypass mail_message_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_recruitment_skills rule-group-bypass hr_applicant_skill_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_timesheet_attendance rule-group-bypass hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group
http_routing route-public-sudo /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hw_drivers route-auth-none /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_proxy/l10n_ke_cu_send — Public HTTP endpoint 'TremolG03Controller.l10n_ke_cu_send' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_proxy/l10n_ke_cu_send — Endpoint 'TremolG03Controller.l10n_ke_cu_send' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/iot_devices — Endpoint 'DisplayController.get_iot_devices' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/restart_odoo_service — Endpoint 'IotBoxOwlHomePage.odoo_service_restart' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/iot_logs — Endpoint 'IotBoxOwlHomePage.get_iot_logs' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/six_payment_terminal_clear — Endpoint 'IotBoxOwlHomePage.clear_six_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/clear_credential — Endpoint 'IotBoxOwlHomePage.clear_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/wifi_clear — Endpoint 'IotBoxOwlHomePage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/server_clear — Endpoint 'IotBoxOwlHomePage.clear_server_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/ping — Endpoint 'IotBoxOwlHomePage.ping' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/data — Endpoint 'IotBoxOwlHomePage.get_homepage_data' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/wifi — Endpoint 'IotBoxOwlHomePage.get_available_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/generate_password — Endpoint 'IotBoxOwlHomePage.generate_password' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/version_info — Endpoint 'IotBoxOwlHomePage.get_version_info' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/log_levels — Endpoint 'IotBoxOwlHomePage.log_levels' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/load_iot_handlers — Endpoint 'IotBoxOwlHomePage.load_iot_log_level' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/clear_iot_handlers — Endpoint 'IotBoxOwlHomePage.clear_iot_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/six_payment_terminal_add — Endpoint 'IotBoxOwlHomePage.add_six_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/save_credential — Endpoint 'IotBoxOwlHomePage.save_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/update_wifi — Endpoint 'IotBoxOwlHomePage.update_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/enable_ngrok — Endpoint 'IotBoxOwlHomePage.enable_remote_connection' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/connect_to_server — Endpoint 'IotBoxOwlHomePage.connect_to_odoo_server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/log_levels_update — Endpoint 'IotBoxOwlHomePage.update_log_level' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/update_git_tree — Endpoint 'IotBoxOwlHomePage.update_git_tree' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/font-awesome — Endpoint 'LivechatController.fontawesome' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/odoo_ui_icons — Endpoint 'LivechatController.odoo_ui_icons' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/operator/<int:operator_id>/avatar — Unauthenticated endpoint 'LivechatController.livechat_operator_get_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/restart — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_restart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/post_welcome_steps — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_post_welcome_steps' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-csrf-off /im_livechat/cors/attachment/upload — Public HTTP endpoint 'LivechatAttachmentController.im_livechat_attachment_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-csrf-off /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_template_oca route-public-csrf-off /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_template_oca route-public-sudo /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_template_oca route-auth-none /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all
l10n_br_hr_contract acl-global-read access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_pe_website_sale route-public-sudo /shop/state_infos/<model("res.country.state"):state> — Unauthenticated endpoint 'L10nPEWebsiteSale.state_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_pe_website_sale route-public-sudo /shop/city_infos/<model("res.city"):city> — Unauthenticated endpoint 'L10nPEWebsiteSale.city_infos' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_ro_account_anaf_sync route-public-csrf-off /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_ro_account_anaf_sync route-public-sudo /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
link_tracker route-public-sudo /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/guest/update_name — Unauthenticated endpoint 'GuestController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/reaction — Unauthenticated endpoint 'MessageReactionController.mail_message_add_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview/delete — Unauthenticated endpoint 'LinkPreviewController.mail_link_preview_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/update_content — Unauthenticated endpoint 'ThreadController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-csrf-off /mail/unfollow — Public HTTP endpoint 'MailController.mail_action_unfollow' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail route-public-sudo /mail/unfollow — Unauthenticated endpoint 'MailController.mail_action_unfollow' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/init_messaging — Unauthenticated endpoint 'WebclientController.mail_init_messaging' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/upload — Unauthenticated endpoint 'AttachmentController.mail_attachment_upload' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/delete — Unauthenticated endpoint 'AttachmentController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'PublicPageController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/<int:channel_id>/partner/<int:partner_id>/avatar_128 — Unauthenticated endpoint 'BinaryController.discuss_channel_partner_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/<int:channel_id>/guest/<int:guest_id>/avatar_128 — Unauthenticated endpoint 'BinaryController.discuss_channel_guest_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/<int:channel_id>/attachment/<int:attachment_id> — Unauthenticated endpoint 'BinaryController.discuss_channel_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/<int:channel_id>/image/<int:attachment_id>, /discuss/channel/<int:channel_id>/image/<int:attachment_id>/<int:width>x<int:height> — Unauthenticated endpoint 'BinaryController.fetch_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'RtcController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'RtcController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/join_call — Unauthenticated endpoint 'RtcController.channel_call_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/leave_call — Unauthenticated endpoint 'RtcController.channel_call_leave' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/channel/cancel_call_invitation — Unauthenticated endpoint 'RtcController.channel_call_cancel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/ping — Unauthenticated endpoint 'RtcController.channel_ping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /discuss/channel/attachments — Unauthenticated endpoint 'ChannelController.load_attachments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_gateway route-public-csrf-off /gateway/<string:usage>/<string:token>/update — Public HTTP endpoint 'GatewayController.post_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-csrf-off /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_plugin route-auth-none /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all
mail_plugin route-auth-none /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all
mail_template_attachment_per_lang acl-global-read access_attachment_language_everyone — Access rule grants read on 'model_ir_attachment_language' to every user (portal/public included): no group is set
mail_tracking route-public-sudo /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mail_tracking_mailgun route-public-sudo /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking_mailgun route-auth-none /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all
mass_mailing route-public-csrf-off /mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mass_mailing route-public-sudo /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/list/update — Unauthenticated endpoint 'MassMailController.mailing_update_list_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.mailing_send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_report_deactivate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blocklist/add — Unauthenticated endpoint 'MassMailController.mail_blocklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blocklist/remove — Unauthenticated endpoint 'MassMailController.mail_blocklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /r/<string:code>/s/<int:sms_id_int> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
payment route-public-sudo /payment/status/poll — Unauthenticated endpoint 'PaymentPostProcessing.poll_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments/details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off AdyenController.adyen_webhook — Public HTTP endpoint 'AdyenController.adyen_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-sudo AlipayController.alipay_return_from_checkout — Unauthenticated endpoint 'AlipayController.alipay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-csrf-off AlipayController.alipay_webhook — Public HTTP endpoint 'AlipayController.alipay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_alipay route-public-sudo AlipayController.alipay_webhook — Unauthenticated endpoint 'AlipayController.alipay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_asiapay route-public-csrf-off AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_asiapay route-public-sudo AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_custom route-public-csrf-off CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_custom route-public-sudo CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_demo route-public-sudo PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_flutterwave route-public-sudo FlutterwaveController.flutterwave_return_from_checkout — Unauthenticated endpoint 'FlutterwaveController.flutterwave_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_flutterwave route-public-csrf-off FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_flutterwave route-public-sudo FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mercado_pago route-public-sudo MercadoPagoController.mercado_pago_return_from_checkout — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mercado_pago route-public-csrf-off MercadoPagoController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mercado_pago route-public-sudo MercadoPagoController.mercado_pago_webhook — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_return_from_checkout — Unauthenticated endpoint 'MollieController.mollie_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_webhook — Unauthenticated endpoint 'MollieController.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-csrf-off OgoneController.ogone_return_from_checkout — Public HTTP endpoint 'OgoneController.ogone_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-sudo OgoneController.ogone_return_from_checkout — Unauthenticated endpoint 'OgoneController.ogone_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_return_from_checkout — Public HTTP endpoint 'PaypalController.paypal_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_return_from_checkout — Unauthenticated endpoint 'PaypalController.paypal_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-sudo PaypalController.paypal_return_from_canceled_checkout — Unauthenticated endpoint 'PaypalController.paypal_return_from_canceled_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-sudo PayuLatamController.payulatam_return_from_checkout — Unauthenticated endpoint 'PayuLatamController.payulatam_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-csrf-off PayuLatamController.payulatam_webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-sudo PayuLatamController.payulatam_webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payumoney route-public-csrf-off PayUMoneyController.payumoney_return_from_checkout — Public HTTP endpoint 'PayUMoneyController.payumoney_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo PayUMoneyController.payumoney_return_from_checkout — Unauthenticated endpoint 'PayUMoneyController.payumoney_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_razorpay route-public-csrf-off RazorpayController.razorpay_return_from_checkout — Public HTTP endpoint 'RazorpayController.razorpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_razorpay route-public-csrf-off RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_razorpay route-public-sudo RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off SipsController.sips_return_from_checkout — Public HTTP endpoint 'SipsController.sips_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-sudo SipsController.sips_return_from_checkout — Unauthenticated endpoint 'SipsController.sips_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off SipsController.sips_webhook — Public HTTP endpoint 'SipsController.sips_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-sudo SipsController.sips_webhook — Unauthenticated endpoint 'SipsController.sips_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo StripeController.stripe_return — Unauthenticated endpoint 'StripeController.stripe_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_webhook — Public HTTP endpoint 'StripeController.stripe_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_worldline route-public-sudo WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_worldline route-public-csrf-off WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_worldline route-public-sudo WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-csrf-off XenditController.xendit_webhook — Public HTTP endpoint 'XenditController.xendit_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_xendit route-public-sudo XenditController.xendit_webhook — Unauthenticated endpoint 'XenditController.xendit_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_xendit route-public-sudo XenditController.xendit_return — Unauthenticated endpoint 'XenditController.xendit_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale route-public-sudo /pos/ticket — Unauthenticated endpoint 'PosController.invoice_request_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale route-public-sudo /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_adyen route-public-sudo /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercado_pago route-public-csrf-off /pos_mercado_pago/notification — Public HTTP endpoint 'PosMercadoPagoWebhook.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_mercado_pago route-public-sudo /pos_mercado_pago/notification — Unauthenticated endpoint 'PosMercadoPagoWebhook.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercado_pago route-auth-none /pos_mercado_pago/notification — Endpoint 'PosMercadoPagoWebhook.notification' uses auth="none": it runs with no user/session at all
pos_online_payment route-public-sudo /pos/pay/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_online_payment route-public-sudo /pos/pay/confirmation/<int:pos_order_id> — Unauthenticated endpoint 'PaymentPortal.pos_order_pay_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /pos-self/<config_id>, /pos-self/<config_id>/<path:subpath> — Unauthenticated endpoint 'PosSelfKiosk.start_self_ordering' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /pos-self/get-category-image/<int:category_id> — Unauthenticated endpoint 'PosSelfKiosk.pos_self_order_get_cat_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_self_order route-public-sudo /menu/get-image/<int:product_id>, /menu/get-image/<int:product_id>/<int:image_size> — Unauthenticated endpoint 'PosSelfKiosk.pos_self_order_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_viva_wallet route-public-csrf-off /pos_viva_wallet/notification — Public HTTP endpoint 'PosVivaWalletController.notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pos_viva_wallet route-public-sudo /pos_viva_wallet/notification — Unauthenticated endpoint 'PosVivaWalletController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_viva_wallet route-auth-none /pos_viva_wallet/notification — Endpoint 'PosVivaWalletController.notification' uses auth="none": it runs with no user/session at all
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
repair_picking_after_done acl-global-write access_repair_move_transfer_all — Access rule grants write/create/unlink on 'model_repair_move_transfer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
report_substitute acl-global-read action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set
rma route-public-sudo /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_stock route-public-sudo /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_stock route-public-sudo /my/picking/return/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_return_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sms route-public-sudo /sms/status — Unauthenticated endpoint 'SmsController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sms_twilio route-public-csrf-off /sms_twilio/status/<string:uuid> — Public HTTP endpoint 'SmsTwilioController.update_sms_status' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
sms_twilio route-public-sudo /sms_twilio/status/<string:uuid> — Unauthenticated endpoint 'SmsTwilioController.update_sms_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
spreadsheet_dashboard route-public-sudo /dashboard/share/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.share_portal' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
spreadsheet_dashboard route-public-sudo /dashboard/data/<int:share_id>/<token> — Unauthenticated endpoint 'DashboardShareRoute.get_shared_dashboard_data' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey rule-group-bypass survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey route-public-sudo /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_http route-auth-none /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/httprequest_attrs — Endpoint 'TestHttp.request_attrs' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/httprequest_environ — Endpoint 'TestHttp.request_environ' uses auth="none": it runs with no user/session at all
test_website route-public-sudo /test_website/model_item_sudo/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item_sudo' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
upgrade_analysis acl-global-read access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set
upgrade_analysis acl-global-read access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/assets/<string:unique>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-public-sudo /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all
web route-auth-none /robots.txt — Endpoint 'Home.robots' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_editor route-public-sudo /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_pwa_customize route-public-sudo /web/manifest.webmanifest — Unauthenticated endpoint 'WebManifest.webmanifest' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
webservice route-public-csrf-off /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
webservice route-public-sudo /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /model/<string:page_name_slugified>, /model/<string:page_name_slugified>/page/<int:page_number>, /model/<string:page_name_slugified>/<string:record_slug> — Unauthenticated endpoint 'ModelPageController.generic_model' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-csrf-off /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event rule-group-bypass ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event rule-group-bypass ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event route-public-sudo /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor route-public-sudo /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor route-public-sudo /event_sponsor/<int:sponsor_id>/read — Unauthenticated endpoint 'ExhibitorController.event_sponsor_read' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_live route-public-sudo /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum rule-group-bypass website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/<model("forum.post"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/page/<int:page> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment route-public-sudo /website_hr_recruitment/check_recent_application — Unauthenticated endpoint 'WebsiteHrRecruitment.check_recent_application' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_group route-public-sudo /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_product_configurator route-public-sudo /website_product_configurator/onchange — Unauthenticated endpoint 'ProductConfigWebsiteSale.onchange' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_product_configurator route-public-sudo /website_product_configurator/save_configuration — Unauthenticated endpoint 'ProductConfigWebsiteSale.save_configuration' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_product_configurator route-public-sudo /product_configurator/product/<model("product.config.session"):cfg_session_id> — Unauthenticated endpoint 'ProductConfigWebsiteSale.cfg_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop, /shop/page/<int:page>, /shop/category/<model("product.public.category"):category>, /shop/category/<model("product.public.category"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/<model("product.template"):product_template>/document/<int:document_id> — Unauthenticated endpoint 'WebsiteSale.product_document' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart/update_address — Unauthenticated endpoint 'WebsiteSale.update_cart_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/update_carrier — Unauthenticated endpoint 'WebsiteSaleDelivery.update_eshop_carrier' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_autocomplete route-public-sudo /autocomplete/address — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_autocomplete route-public-sudo /autocomplete/address_full — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address_full' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_cart_add_product_xlsx_csv route-public-sudo /shop/cart/import/example — Unauthenticated endpoint 'WebsiteSaleAddProductXlsxCsv.cart_import_example' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty route-public-sudo /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_menu_partner_top_selling route-public-sudo /shop/my_regular_products, /shop/my_regular_products/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.user_regular_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_mondialrelay route-public-sudo /website_sale_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_resource_booking route-public-sudo /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock route-public-sudo /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSale.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<int:wish_id> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides rule-group-bypass rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides route-public-sudo /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/<int:channel_id>, /slides/<int:channel_id>/category/<int:category_id>, /slides/<int:channel_id>/category/<int:category_id>/page/<int:page>, /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_twitter route-public-sudo /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes

Active Pull Requests 115

0 fresh 0 rotting 0 rotten

Module Repository Title Age CI
account_bank_statement_import_online_adyen OCA/bank-statement-import [16.0][MIG] account_statement_import_online_adyen #626 no CI data
account_banking_ach_credit_transfer OCA/l10n-usa [16.0][MIG] account_banking_ach_credit_transfer #130 no CI data
account_banking_ach_discount OCA/l10n-usa [16.0][MIG] account_banking_ach_discount #118 no CI data
account_billing_portal OCA/account-invoicing [16.0][MIG] account_billing_portal: Migration to 16.0 #2350 no CI data
account_cost_center OCA/account-financial-tools [16.0][MIG] account_cost_center: Migration to 16.0 #2013 no CI data
account_fiscal_year OCA/account-financial-tools [MIG] account_fiscal_year: Migration to 16.0 #2311 no CI data
account_invoice_import_invoice2data OCA/edi [MIG] account_invoice_import_invoice2data: Migration to 16.0 #1220 no CI data
account_invoice_line_sequence OCA/account-invoicing [16.0][MIG] account_invoice_line_sequence: Migration to 16.0 #1945 no CI data
account_invoice_line_sequence-BAD OCA/account-invoicing [16.0] [MIG] account_invoice_line_sequence: Migration to 16.0 #2086 no CI data
account_invoice_merge_payment OCA/account-invoicing 16.0 mig account invoice merge payment #2104 no CI data
account_move_budget OCA/account-financial-tools [16.0][MIG] account_move_budget: Migration to 16.0 #2310 no CI data
account_move_exception OCA/account-invoicing [16.0][MIG] account_move_exception: Migration to 16.0 #1824 no CI data
account_move_tier_validation_approver OCA/account-invoicing [16.0] [BACKPORT] account_move_tier_validation_approver from 18.0 #2150 no CI data
account_payment_mode_auto_reconcile OCA/account-reconcile [16.0][MIG] account_payment_mode_auto_reconcile: Migrate to version 16.0 #537 no CI data
account_payment_tier_validation OCA/account-payment [16.0][MIG] account_payment_tier_validation: backport to v16 #859 no CI data
account_receipt_print OCA/account-invoicing [16.0] [MIG+IMP] account_receipt_print: migration to 16.0 and refactor #1895 no CI data
account_reconcile_sale_order OCA/account-reconcile [16.0][MIG] account_reconcile_sale_order: Migration to 16.0 #968 no CI data
account_subsequence_fiscal_year OCA/account-financial-tools [16.0] mig account_subsequence_fiscal_year #1807 no CI data
animal_owner OCA/partner-contact 16.0 mig animal owner #2265 no CI data
attribute_set_completeness OCA/odoo-pim [16.0][MIG] attribute_set_completeness: Migration to 16.0 #189 no CI data
attribute_set_completeness OCA/odoo-pim [16.0][mig] attribute_set_completeness: Migration to 16.0 #162 no CI data
attribute_set_mass_edit OCA/odoo-pim [16.0][MIG] attribute_set_mass_edit: Migration to 16.0 #187 no CI data
attribute_set_searchable OCA/odoo-pim [MIG] attribute_set_searchable: Migration to 16.0 #203 no CI data
attribute_set_searchable OCA/odoo-pim [16.0][MIG] attribute_set_searchable: Migration to 16.0 #188 no CI data
attribute_set_searchable OCA/odoo-pim [16.0][mig] attribute_set_searchable: Migration to 16.0 #163 no CI data
auth_keycloak OCA/server-auth [16.0][MIG] auth_keycloak #900 no CI data
auto_backup_fs_file OCA/server-tools [16.0] [BACKPORT] [MIG] auto_backup_fs_file #3621 no CI data
base_order_by_related OCA/server-tools 16.0-[MIG] base_order_by_related to 16.0 #3288 no CI data
base_time_parameter OCA/server-tools [16.0][MIG] base_time_parameter #2964 no CI data
connector_importer_source_sftp-biss OCA/connector-interfaces [16.0][MIG] connector_importer_source_sftp: Migration to 16.0 #182 no CI data
connector_odoo OCA/connector-odoo2odoo 16.0 mig connector odoo #15 no CI data
contract_brand OCA/brand [16.0][MIG] contract_brand #285 no CI data
currency_rate_inverted OCA/currency [16.0][MIG] currency_rate_inverted #229 no CI data
currency_rate_update_wise OCA/currency [16.0][MIG] currency_rate_update_wise #223 no CI data
delivery_carrier_default_tracking_url OCA/delivery-carrier [16.0][MIG] delivery_carrier_default_tracking_url: Migration to 16.0 #1158 no CI data
delivery_free_fee_removal OCA/delivery-carrier [MIG] delivery_free_fee_removal to 16.0 #1105 no CI data
edi_account_invoice_import OCA/edi-framework [16.0][MIG] edi_account_invoice_import #67 no CI data
fetchmail_incoming_log OCA/server-tools [16.0][MIG] fetchmail_incoming_log, fetchmail_incoming_log_test #2962 no CI data
hotel_reservation OCA/vertical-hotel [WIP][MIG] hotel_reservation: Migration to 16.0 #232 no CI data
hr_attendance_geolocation_required OCA/hr-attendance [16.0][MIG] hr_attendance_geolocation_required: migration to 16.0 #284 no CI data
hr_attendance_hour_type_report OCA/hr-attendance [16.0][MIG]hr_attendance_hour_type_report #237 no CI data
hr_attendance_rfid_log OCA/hr-attendance [16.0] [MIG] hr_attendance_rfid_log: Migration to 16.0 #280 no CI data
hr_expense_petty_cash OCA/hr-expense [16.0][MIG] hr_expense_petty_cash #228 no CI data
hr_holidays_public_overtime OCA/hr-holidays [16.0][MIG] hr_holidays_public_overtime #229 no CI data
hr_shift OCA/shift-planning 16.0 mig hr shift #35 no CI data
hr_utilization_report OCA/timesheet [16.0][MIG] hr_utilization_report: Migration to 16.0 #746 no CI data
l10n_br_nfse_barueri OCA/l10n-brazil [16.0][MIG] l10n_br_nfse_barueri: Migration to 16.0 #4342 no CI data
l10n_br_nfse_paulistana OCA/l10n-brazil [16.0][MIG] l10n_br_nfse_paulistana: Migration to 16.0 #4360 no CI data
l10n_ch_import_cresus OCA/l10n-switzerland [16.0][MIG] l10n_ch_import_cresus #746 no CI data
l10n_de_holidays-BAD OCA/l10n-germany [16.0][MIG] l10n_de_holidays: Migration to 16.0 #210 no CI data
l10n_eu_product_adr OCA/community-data-files [16.0][MIG]: l10n eu product adr: Migration to 16.0 #279 no CI data
l10n_it_fatturapa_out_welfare OCA/l10n-italy [16.0] [MIG] l10n_it_fatturapa_out_welfare #4410 no CI data
mail_alias_with_domain-improved OCA/social [16.0][MIG] mail_alias_with_domain #1797 no CI data
mail_server_by_user OCA/social [16.0][MIG] mail_server_by_user: Migration to 16.0 #1766 no CI data
mgmtsystem_nonconformity_project_try2 OCA/management-system [16.0][MIG] mgmtsystem_nonconformity_project: Migration to 16.0 #748 no CI data
mrp_auto_create_lot OCA/manufacture [16.0][MIG] mrp_auto_create_lot #1709 no CI data
mrp_bom_attribute_match-fix OCA/manufacture [16.0][MIG] mrp_bom_attribute_match #1790 no CI data
partner_country_lang OCA/partner-contact [16.0][MIG] partner_country_lang: Migration to 16.0. #2240 no CI data
partner_priority OCA/partner-contact [16.0][MIG] partner_priority: Migration to 16.0 #2248 no CI data
pim OCA/odoo-pim [MIG] pim: Migration to 16.0 #219 no CI data
pos_customer_required OCA/pos [16.0][MIG] pos customer required: Migration to 16.0 #1423 no CI data
pos_customer_required_fields OCA/pos [16.0][MIG] pos_customer_required_fields: migration to 16.0 #1520 no CI data
pos_full_refund OCA/pos [16.0][MIG] pos_full_refund: Migration to 16.0 #1458 no CI data
pos_hide_empty_category OCA/pos [16.0][mig] pos_hide_empty_category #1511 no CI data
pricelist_brand OCA/brand [16.0][MIG] pricelist_brand #187 no CI data
procurment_mto_analytic OCA/account-analytic [16.0][MIG] procurement_mto_analytic: Migration to 16.0 #637 no CI data
product_attribute_set_completeness OCA/odoo-pim [MIG] product_attribute_set_completeness: Migration to 16.0 #218 no CI data
product_categ_image OCA/product-attribute [16.0][MIG] product_categ_image: Migration to 16.0 #1967 no CI data
product_ingredient OCA/product-attribute [16.0][MIG] product_ingredient: Migration to 16.0 #2277 no CI data
product_multi_price OCA/product-attribute [16.0][MIG] product_multi_price: Migration to 16.0 #1783 no CI data
product_readonly_security OCA/product-attribute [16.0][MIG] backport product_readonly_security #2018 no CI data
product_restricted_type OCA/product-attribute [16.0][MIG] Backport from 17.0 product_restricted_type #2175 no CI data
product_supplierinfo_barcode-reopen OCA/stock-logistics-barcode [MIG] product_supplierinfo_barcode: migration to 16.0 #732 no CI data
project_task_timesheet_report OCA/project-reporting [16.0][MIG] migration of module project_task_timesheet_report #52 no CI data
purchase_operating_unit OCA/operating-unit [16.0][MIG] purchase_operating_unit #595 no CI data
purchase_order_line_description OCA/purchase-workflow [16.0][MIG] purchase_order_line_description: Migration to 16.0 #2864 no CI data
purchase_reception_status_line OCA/purchase-workflow [16.0][MIG] purchase_reception_status_line: Migration to 16.0 #2520 no CI data
purchase_request_operating_unit OCA/operating-unit [16.0] [MIG] purchase_request_operating_unit #640 no CI data
purchase_stock_operating_unit OCA/operating-unit [16.0] Migration of module purchase_stock_operating_unit #615 no CI data
rental_pricelist_interval OCA/vertical-rental [16.0][MIG] rental_pricelist_interval #60 no CI data
sale_commission_pricelist OCA/commission [16.0][MIG][BACKPORT] sale_commission_pricelist: 17.0 -> 16.0 #633 no CI data
sale_expense_manual_reinvoice OCA/hr-expense [16.0][MIG] sale_expense_manual_reinvoice: Migration to 16.0 #296 no CI data
sale_isolated_quotation OCA/sale-workflow [16.0] [MIG] Migration: sale_isolated_quotation #3679 no CI data
sale_margin_delivery_cost OCA/margin-analysis [16.0][MIG] sale_margin_delivery_cost: Migration to 16.0 #191 no CI data
sale_order_restrict_copy_archived_product OCA/sale-workflow [16.0] [MIG] sale_order_restrict_copy_archived_product: Migration to 16.0 #4150 no CI data
sale_order_type_quotation_number OCA/sale-workflow [MIG] sale_order_type_quotation_number: Migration to 16.0 #3450 no CI data
sale_pricelist_global_rule OCA/sale-workflow [16.0][MIG] sale_pricelist_global_rule #3533 no CI data
sale_stock_analytic OCA/account-analytic [16.0][MIG] sale_stock_analytic: Migration to 16.0 #851 no CI data
sales_team_security_crm OCA/sale-workflow [16.0] [MIG] sales_team_security_crm #4222 no CI data
sequence_custom_data OCA/server-tools [MIG][16.0] sequence_custom_data (from 13.0) #2984 no CI data
server_environment_iap OCA/server-env [16.0][MIG] server environment iap #260 no CI data
shopfloor-full-location-reszrvation-dro OCA/wms [16.0][MIG] shopfloor_full_location_reservation #798 no CI data
shopfloor_single_product_transfer OCA/wms [16.0] [MIG] shopfloor_single_product_transfer: Backport from 18.0 #1181 no CI data
shopfloor_single_product_transfer_mobile OCA/wms [16.0] [MIG] shopfloor_single_product_transfer_mobile: Backport from 18.0 #1185 no CI data
slow_statement_logger OCA/server-tools [16.0][mig] slow_statement_logger [WIP] #2868 no CI data
stock_barcodes_gs1 OCA/stock-logistics-barcode [16.0][MIG] stock_barcodes_gs1: Migration to version 16.0 #634 no CI data
stock_move_backdating OCA/stock-logistics-workflow [16.0][MIG] stock_move_backdating #1594 no CI data
stock_move_original_date OCA/stock-logistics-workflow [16.0][MIG] stock_move_original_date: Migration to 16.0 #2262 no CI data
stock_orderpoint_generator OCA/stock-logistics-orderpoint [16.0][MIG]stock_orderpoint_generator: migration to `16.0` #81 no CI data
stock_package_autoload OCA/stock-logistics-warehouse [16.0][MIG] stock_package_autoload: Migration to 16.0 #2582 no CI data
stock_picking_auto_create_package OCA/stock-logistics-workflow [MIG] stock_picking_auto_create_package: Migration to 16.0 #1791 no CI data
stock_reporting_access OCA/stock-logistics-workflow [16.0][MIG] stock_reporting_access: Migration to 16.0 #2379 no CI data
stock_request_analytic OCA/stock-logistics-warehouse [16.0][MIG] stock_request_analytic: Migration to 16.0 #2497 no CI data
stock_valuation_fifo_lot OCA/stock-logistics-workflow [16.0][MIG] stock_valuation_fifo_lot: Migration to 16.0 #1676 no CI data
storage_backend_ftp OCA/storage [16.0][MIG] storage_backend_ftp: Migration to 16.0 #553 no CI data
storage_backend_s3 OCA/storage [16.0][MIG] storage_backend_s3: Migration to 16.0 #552 no CI data
uom_extra_data OCA/product-attribute [16.0][MIG] uom_extra_data: Migration to 16.0 #2110 no CI data
vendor_transport_lead_time OCA/purchase-workflow [16.0][MIG] vendor_transport_lead_time #2917 no CI data
web_responsive_company_color OCA/web [16.0][MIG] web_responsive_company_color: Migration to 16.0 #3185 no CI data
web_widget_url_translatable OCA/web [16.0] [MIG] web_widget_url_translatable: Migration to 16.0 #2486 no CI data
website_altcha OCA/website [16.0][MIG] website_altcha #1190 no CI data
website_event_filter_city OCA/event [16.0][MIG] website_event_filter_city #489 no CI data
website_sale_product_attribute_filter_visibility OCA/e-commerce [16.0][MIG] website_sale_product_attribute_filter_visibility #1196 no CI data
website_sale_resource_booking OCA/e-commerce [16.0][MIG] website_sale_resource_booking #851 no CI data
website_sale_restrict_by_pricelist OCA/e-commerce [16.0][MIG]:website_sale_restrict_by_pricelist #1166 no CI data

Security Findings

Errors 260

Module Code Message
account_avatax_exemption_base acl-global-write access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to EVERY user (portal/public included): no group is set
account_invoice_merge acl-global-write access_invoice_merge — Access rule grants write/create/unlink on 'model_invoice_merge' to EVERY user (portal/public included): no group is set
auth_totp_portal acl-public-write access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_comment_wizard — Access rule grants write/create/unlink on 'model_comment_wizard' to EVERY user (portal/public included): no group is set
base_tier_validation_forward acl-global-write access_tier_validation_forward_wizard — Access rule grants write/create/unlink on 'model_tier_validation_forward_wizard' to EVERY user (portal/public included): no group is set
base_user_role acl-global-write access_wizard_groups_into_role — Access rule grants write/create/unlink on 'model_wizard_groups_into_role' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
excel_import_export acl-global-write xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set
fieldservice_route acl-public-write access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal'
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
graphql_demo route-user-csrf-off /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
l10n_it_central_journal_reportlab acl-global-write access_wizard_giornale_reportlab_manager — Access rule grants write/create/unlink on 'l10n_it_central_journal_reportlab.model_wizard_giornale_reportlab' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_confirm_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_confirm_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_create_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_create_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_select_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_select_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_base_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_base_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_invoice_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_invoice_wizard' to EVERY user (portal/public included): no group is set
l10n_it_intrastat_statement acl-global-write acc_manager_account_intrastat_export_file — Access rule grants write/create/unlink on 'l10n_it_intrastat_statement.model_account_intrastat_export_file' to EVERY user (portal/public included): no group is set
l10n_it_sdi_channel acl-global-write access_wizard_fatturapa_send_to_sdi — Access rule grants write/create/unlink on 'model_wizard_fatturapa_send_to_sdi' to EVERY user (portal/public included): no group is set
l10n_mx_res_partner_csf acl-global-write access_import_csf — Access rule grants write/create/unlink on 'model_import_csf' to EVERY user (portal/public included): no group is set
l10n_ro_account_anaf_sync route-user-csrf-off /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
l10n_ro_stock_account_tracking acl-global-write access_l10n_ro_stock_valuation_layer_tracking — Access rule grants write/create/unlink on 'model_l10n_ro_stock_valuation_layer_tracking' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_member_portal — Access rule grants write/create/unlink on 'model_mail_channel_member' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move — Access rule grants write/create on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_stock_move_line — Access rule grants write/create/unlink on 'stock.model_stock_move_line' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_lot — Access rule grants create on 'stock.model_stock_lot' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_production — Access rule grants write on 'mrp.model_mrp_production' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning — Access rule grants write/create on 'mrp.model_mrp_consumption_warning' to the portal/public group 'base.group_portal'
mrp_subcontracting acl-public-write access_subcontracting_portal_consumption_warning_line — Access rule grants write/create on 'mrp.model_mrp_consumption_warning_line' to the portal/public group 'base.group_portal'
mrp_subcontracting_account acl-public-write access_subcontracting_portal_analytic_line — Access rule grants write on 'mrp_account.model_account_analytic_line' to the portal/public group 'base.group_portal'
partner_aging acl-global-write res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set
partner_autocomplete acl-public-write access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal'
password_security acl-public-write access_res_users_pass_history_portal — Access rule grants create on 'model_res_users_pass_history' to the portal/public group 'base.group_portal'
payment acl-public-write payment_token_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal'
pms acl-public-write user_access_res_partner_portal — Access rule grants write/create/unlink on 'model_res_partner' to the portal/public group 'base.group_portal'
pms acl-public-write user_access_pms_precheckin_portal — Access rule grants write/create/unlink on 'model_pms_checkin_partner' to the portal/public group 'base.group_portal'
pms rule-public-bypass pms_folio_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass pms_reservation_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass pms_precheckin_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass res_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass res_checkin_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
project acl-public-write access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal'
project_task_recurring_activity acl-global-write project_recurring_activity — Access rule grants write/create/unlink on 'model_recurring_activity' to EVERY user (portal/public included): no group is set
project_version acl-global-write project_version — Access rule grants write/create/unlink on 'model_project_version' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set
purchase_work_acceptance acl-global-write access_work_accepted_date_wizard — Access rule grants write/create/unlink on 'model_work_accepted_date_wizard' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_evaluation acl-global-write access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set
sql_export acl-global-write access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set
stock_picking_portal acl-public-write access_stock_picking_portal — Access rule grants write on 'stock.model_stock_picking' to the portal/public group 'base.group_portal'
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_child — Access rule grants write/create/unlink on 'model_test_access_right_child' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_base_automation_link_test — Access rule grants write/create/unlink on 'model_base_automation_link_test' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_base_automation_linked_test — Access rule grants write/create/unlink on 'model_base_automation_linked_test' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_test_base_automation_project — Access rule grants write/create/unlink on 'model_test_base_automation_project' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_test_base_automation_task — Access rule grants write/create/unlink on 'model_test_base_automation_task' to EVERY user (portal/public included): no group is set
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_convert acl-global-write access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_inherits_parent — Access rule grants write/create/unlink on 'model_export_inherits_parent' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_inherits_child — Access rule grants write/create/unlink on 'model_export_inherits_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_with_required_field — Access rule grants write/create/unlink on 'model_export_with_required_field' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one_required_subfield — Access rule grants write/create/unlink on 'model_export_many2one_required_subfield' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_mail acl-global-write access_mail_performance_thread — Access rule grants write/create/unlink on 'model_mail_performance_thread' to EVERY user (portal/public included): no group is set
test_mail acl-public-write access_mail_test_access_portal — Access rule grants write on 'model_mail_test_access' to the portal/public group 'base.group_portal'
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_readonly — Access rule grants write/create/unlink on 'model_test_new_api_compute_readonly' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive_order — Access rule grants write/create/unlink on 'model_test_new_api_recursive_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive_line — Access rule grants write/create/unlink on 'model_test_new_api_recursive_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive_task — Access rule grants write/create/unlink on 'model_test_new_api_recursive_task' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_readwrite — Access rule grants write/create/unlink on 'model_test_new_api_compute_readwrite' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_onchange_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_dynamic_depends — Access rule grants write/create/unlink on 'model_test_new_api_compute_dynamic_depends' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_unassigned — Access rule grants write/create/unlink on 'model_test_new_api_compute_unassigned' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_partner — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_partner' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_base — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_required — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_non_stored — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_non_stored' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_required_for_write_override — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required_for_write_override' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_payment — Access rule grants write/create/unlink on 'model_test_new_api_payment' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_editable — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_editable_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_constrained_unlinks — Access rule grants write/create/unlink on 'model_test_new_api_model_constrained_unlinks' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related_translation_1 — Access rule grants write/create/unlink on 'model_test_new_api_related_translation_1' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related_translation_2 — Access rule grants write/create/unlink on 'model_test_new_api_related_translation_2' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related_translation_3 — Access rule grants write/create/unlink on 'model_test_new_api_related_translation_3' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_indexed_translation — Access rule grants write/create/unlink on 'model_test_new_api_indexed_translation' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_empty_char — Access rule grants write/create/unlink on 'model_test_new_api_empty_char' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_unlink_container — Access rule grants write/create/unlink on 'model_test_new_api_unlink_container' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_unlink_line — Access rule grants write/create/unlink on 'model_test_new_api_unlink_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_unsearchable_o2m — Access rule grants write/create/unlink on 'model_test_new_api_unsearchable_o2m' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_mozzarella — Access rule grants write/create/unlink on 'model_test_performance_mozzarella' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate — Access rule grants write/create/unlink on 'model_test_populate' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate_category — Access rule grants write/create/unlink on 'model_test_populate_category' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_no_populat — Access rule grants write/create/unlink on 'model_test_no_populate' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate_inherit — Access rule grants write/create/unlink on 'model_test_populate_inherit' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
web_ir_actions_act_multi acl-global-write crud_ir_actions_act_multi — Access rule grants write/create/unlink on 'model_ir_actions_act_multi' to EVERY user (portal/public included): no group is set
web_ir_actions_act_window_message acl-global-write crud_ir_actions_act_window_message — Access rule grants write/create/unlink on 'model_ir_actions_act_window_message' to EVERY user (portal/public included): no group is set
website route-user-csrf-off /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 676

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_analytic_line_rule_readonly_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_invoice_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass ir_rule_res_partner_bank_billing_officers — Record rule with an always-true domain bypasses every other record rule of its model for its group
account route-public-sudo /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_avatax_exemption acl-global-read access_portal_exemption_code — Access rule grants read on 'account_avatax_oca.model_exemption_code' to every user (portal/public included): no group is set
account_avatax_exemption route-public-sudo /exemption/<int:exemption_id> — Unauthenticated endpoint 'Exemption.get_exemption' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_avatax_exemption_base acl-global-read access_portal_group_of_states — Access rule grants read on 'model_res_partner_group_state' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_line — Access rule grants read on 'model_res_partner_exemption_line' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_type — Access rule grants read on 'model_res_partner_exemption_type' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_business_type — Access rule grants read on 'model_res_partner_exemption_business_type' to every user (portal/public included): no group is set
account_brand acl-global-read res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set
account_cash_deposit acl-global-read cash_unit_read — Access rule grants read on 'model_cash_unit' to every user (portal/public included): no group is set
account_edi acl-global-read access_account_edi_format_readonly — Access rule grants read on 'model_account_edi_format' to every user (portal/public included): no group is set
account_edi acl-global-read access_account_edi_document_readonly — Access rule grants read on 'model_account_edi_document' to every user (portal/public included): no group is set
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
account_move_transfer_partner acl-global-write access_wizard_account_move_transfer_partner_all — Access rule grants write/create/unlink on 'model_wizard_account_move_transfer_partner' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
account_payment rule-group-bypass payment_transaction_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_payment rule-group-bypass payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_statement_import_online_gocardless route-public-csrf-off /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
account_statement_import_online_gocardless route-public-sudo /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
ai_oca_bridge route-public-csrf-off /ai/response/<int:execution_id>/<string:token> — Public HTTP endpoint 'AIController.ai_process_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
ai_oca_bridge route-public-sudo /ai/response/<int:execution_id>/<string:token> — Unauthenticated endpoint 'AIController.ai_process_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
ai_oca_mcp route-public-csrf-off /mcp/<string:key> — Public HTTP endpoint 'McpController.mcp_endpoint' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
ai_oca_mcp route-public-sudo /mcp/<string:key> — Unauthenticated endpoint 'McpController.mcp_endpoint' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
ai_oca_mcp route-auth-none /mcp/<string:key> — Endpoint 'McpController.mcp_endpoint' uses auth="none": it runs with no user/session at all
attachment_queue acl-global-read access_attachment_queue_user — Access rule grants read on 'model_attachment_queue' to every user (portal/public included): no group is set
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_oauth_autologin route-auth-none /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
automation_oca route-public-sudo /automation_oca/track/<int:record_id>/<string:token>/blank.gif — Unauthenticated endpoint 'AutomationOCAController.automation_oca_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
automation_oca route-public-sudo /r/<string:code>/au/<int:record_id>/<string:token> — Unauthenticated endpoint 'AutomationOCAController.automation_oca_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
base route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
base route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
base route-auth-none /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all
base_comment_template acl-global-read access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set
base_ebill_payment_contract acl-global-read access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_tier_validation_correction acl-global-read access_tier_correction_user — Access rule grants read on 'model_tier_correction' to every user (portal/public included): no group is set
base_tier_validation_correction acl-global-read access_tier_correction_item_user — Access rule grants read on 'model_tier_correction_item' to every user (portal/public included): no group is set
base_tier_validation_correction acl-global-read access_affected_tier_reviews — Access rule grants read on 'model_affected_tier_reviews' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
base_user_locale route-public-sudo /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
bus route-auth-none /websocket/health — Endpoint 'WebsocketController.health' uses auth="none": it runs with no user/session at all
bus route-public-sudo /websocket/peek_notifications — Unauthenticated endpoint 'WebsocketController.peek_notifications' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
calendar route-public-sudo /calendar/join_videocall/<string:access_token> — Unauthenticated endpoint 'CalendarController.calendar_join_videocall' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
cooperator_website route-public-sudo /subscription/get_share_product — Unauthenticated endpoint 'WebsiteSubscription.get_share_product' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
cooperator_website route-public-sudo /subscription/subscribe_share — Unauthenticated endpoint 'WebsiteSubscription.share_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group
cross_connect_client route-public-sudo /cross_connect_server/<int:server_id> — Unauthenticated endpoint 'CrossConnectController.cross_connect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
delivery_deliverea route-public-sudo /deliverea-tracking-webhook — Unauthenticated endpoint 'DelivereaWebhook.order_import_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
digest route-public-csrf-off /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
digest route-public-sudo /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
endpoint_route_handler acl-global-read access_endpoint_route_handler_tool_edit — Access rule grants read on 'model_endpoint_route_handler' to every user (portal/public included): no group is set
endpoint_route_handler acl-global-read access_endpoint_route_handler_edit — Access rule grants read on 'model_endpoint_route_handler_tool' to every user (portal/public included): no group is set
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_account_analytic rule-group-bypass analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group
github_connector acl-global-read access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
helpdesk_ticket_partner_response route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'HelpdeskCustomerResponse.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hr rule-group-bypass ir_rule_res_partner_bank_employees — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_appraisal_oca acl-global-write access_hr_appraisal_all — Access rule grants write/create/unlink on 'model_hr_appraisal' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
hr_appraisal_oca acl-global-write access_hr_appraisal_template_all — Access rule grants write/create/unlink on 'model_hr_appraisal_template' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
hr_appraisal_oca acl-global-write access_send_email_with_template_all — Access rule grants write/create/unlink on 'model_send_email_with_template' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
hr_appraisal_oca acl-global-write access_hr_appraisal_tag_all — Access rule grants write/create/unlink on 'model_hr_appraisal_tag' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
hr_appraisal_oca rule-group-bypass hr_appraisal_hr_officer_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_overtime_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance_rfid rule-group-bypass hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_employee_group_overview_readonly rule-group-bypass hr_attendance_view_all_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_timesheet_attendance rule-group-bypass hr_timesheet_attendance_report_rule_approver — Record rule with an always-true domain bypasses every other record rule of its model for its group
http_routing route-public-sudo /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
http_routing route-auth-none /web/session/logout — Endpoint 'SessionWebsite.logout' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_proxy/l10n_ke_cu_send — Public HTTP endpoint 'TremolG03Controller.l10n_ke_cu_send' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_proxy/l10n_ke_cu_send — Endpoint 'TremolG03Controller.l10n_ke_cu_send' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /list_handlers — Public HTTP endpoint 'IoTboxHomepage.list_handlers' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /list_handlers — Endpoint 'IoTboxHomepage.list_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /load_iot_handlers — Endpoint 'IoTboxHomepage.load_iot_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /handlers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_handlers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /handlers_clear — Endpoint 'IoTboxHomepage.clear_handlers_list' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_posbox_homepage/password — Endpoint 'IoTboxHomepage.view_password' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /iot_restart_odoo_or_reboot — Endpoint 'IoTboxHomepage.iot_restart_odoo_or_reboot' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat acl-global-read access_chatbot_script — Access rule grants read on 'model_chatbot_script' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/operator/<int:operator_id>/avatar — Unauthenticated endpoint 'LivechatController.livechat_operator_get_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/restart — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_restart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/post_welcome_steps — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_post_welcome_steps' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/answer/save — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_save_answer' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/trigger — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_trigger_step' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /chatbot/step/validate_email — Unauthenticated endpoint 'LivechatChatbotScriptController.chatbot_validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
iot_input_oca route-public-csrf-off /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_template_oca route-public-csrf-off /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_template_oca route-public-sudo /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_template_oca route-auth-none /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all
l10n_ar_afipws acl-global-read access_afipws_connection_user — Access rule grants read on 'model_afipws_connection' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set
l10n_ec acl-global-read access_l10n_ec_sri_payment_public — Access rule grants read on 'model_l10n_ec_sri_payment' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_it_account_tax_kind acl-global-read access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set
l10n_ro_account_anaf_sync route-public-csrf-off /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_ro_account_anaf_sync route-public-sudo /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_th_account_tax acl-global-read access_personal_income_tax_user — Access rule grants read on 'model_personal_income_tax' to every user (portal/public included): no group is set
l10n_th_account_tax acl-global-read access_personal_income_tax_rate_user — Access rule grants read on 'model_personal_income_tax_rate' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-public-sudo /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'DiscussController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/channel/<int:channel_id>/partner/<int:partner_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_partner_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/channel/<int:channel_id>/guest/<int:guest_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_guest_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/init_messaging — Unauthenticated endpoint 'DiscussController.mail_init_messaging' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/update_content — Unauthenticated endpoint 'DiscussController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/delete — Unauthenticated endpoint 'DiscussController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/add_reaction — Unauthenticated endpoint 'DiscussController.mail_message_add_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/remove_reaction — Unauthenticated endpoint 'DiscussController.mail_message_remove_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/channel/add_guest_as_member — Unauthenticated endpoint 'DiscussController.mail_channel_add_guest_as_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'DiscussController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'DiscussController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/guest/update_name — Unauthenticated endpoint 'DiscussController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview — Unauthenticated endpoint 'DiscussController.mail_link_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/link_preview/delete — Unauthenticated endpoint 'DiscussController.mail_link_preview_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_gateway route-public-csrf-off /gateway/<string:usage>/<string:token>/update — Public HTTP endpoint 'GatewayController.post_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-csrf-off /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_plugin route-auth-none /mail_plugin/auth/check_version — Endpoint 'Authenticate.auth_check_version' uses auth="none": it runs with no user/session at all
mail_plugin route-auth-none /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all
mail_template_attachment_i18n acl-global-read access_attachment_language_everyone — Access rule grants read on 'model_ir_attachment_language' to every user (portal/public included): no group is set
mail_tracking route-public-sudo /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mail_tracking_mailgun route-public-sudo /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking_mailgun route-auth-none /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all
mass acl-global-read access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set
mass_mailing route-public-csrf-off /mail/mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mass_mailing route-public-sudo /mailing/<int:mailing_id>/confirm_unsubscribe — Unauthenticated endpoint 'MassMailController.mailing_confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/report/unsubscribe — Unauthenticated endpoint 'MassMailController.turn_off_mailing_reports' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
odoo_repository route-public-csrf-off /odoo-repository/data — Public HTTP endpoint 'OdooRepository.index' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
odoo_repository route-public-sudo /odoo-repository/data — Unauthenticated endpoint 'OdooRepository.index' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
odoo_repository route-auth-none /odoo-repository/data — Endpoint 'OdooRepository.index' uses auth="none": it runs with no user/session at all
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
partner_stage acl-global-read access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set
payment route-public-sudo /payment/status/poll — Unauthenticated endpoint 'PaymentPostProcessing.poll_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/provider_info — Unauthenticated endpoint 'AdyenController.adyen_provider_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payment_details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_3ds_auth' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_3ds_auth' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo AdyenController.adyen_webhook — Unauthenticated endpoint 'AdyenController.adyen_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-sudo AlipayController.alipay_return_from_checkout — Unauthenticated endpoint 'AlipayController.alipay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-csrf-off AlipayController.alipay_webhook — Public HTTP endpoint 'AlipayController.alipay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_alipay route-public-sudo AlipayController.alipay_webhook — Unauthenticated endpoint 'AlipayController.alipay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_return_from_checkout — Public HTTP endpoint 'APSController.aps_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_return_from_checkout — Unauthenticated endpoint 'APSController.aps_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_aps route-public-csrf-off APSController.aps_webhook — Public HTTP endpoint 'APSController.aps_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_aps route-public-sudo APSController.aps_webhook — Unauthenticated endpoint 'APSController.aps_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_asiapay route-public-csrf-off AsiaPayController.asiapay_webhook — Public HTTP endpoint 'AsiaPayController.asiapay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_asiapay route-public-sudo AsiaPayController.asiapay_webhook — Unauthenticated endpoint 'AsiaPayController.asiapay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/get_provider_info — Unauthenticated endpoint 'AuthorizeController.authorize_get_provider_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_return_from_checkout — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_return_from_checkout — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_webhook — Public HTTP endpoint 'BuckarooController.buckaroo_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_webhook — Unauthenticated endpoint 'BuckarooController.buckaroo_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_custom route-public-csrf-off CustomController.custom_process_transaction — Public HTTP endpoint 'CustomController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_custom route-public-sudo CustomController.custom_process_transaction — Unauthenticated endpoint 'CustomController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_demo route-public-sudo PaymentDemoController.demo_simulate_payment — Unauthenticated endpoint 'PaymentDemoController.demo_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_flutterwave route-public-sudo FlutterwaveController.flutterwave_return_from_checkout — Unauthenticated endpoint 'FlutterwaveController.flutterwave_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_flutterwave route-public-csrf-off FlutterwaveController.flutterwave_webhook — Public HTTP endpoint 'FlutterwaveController.flutterwave_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_flutterwave route-public-sudo FlutterwaveController.flutterwave_webhook — Unauthenticated endpoint 'FlutterwaveController.flutterwave_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mercado_pago route-public-sudo MercadoPagoController.mercado_pago_return_from_checkout — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mercado_pago route-public-csrf-off MercadoPagoController.mercado_pago_webhook — Public HTTP endpoint 'MercadoPagoController.mercado_pago_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mercado_pago route-public-sudo MercadoPagoController.mercado_pago_webhook — Unauthenticated endpoint 'MercadoPagoController.mercado_pago_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_return_from_checkout — Public HTTP endpoint 'MollieController.mollie_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_return_from_checkout — Unauthenticated endpoint 'MollieController.mollie_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_webhook — Public HTTP endpoint 'MollieController.mollie_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_webhook — Unauthenticated endpoint 'MollieController.mollie_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-csrf-off OgoneController.ogone_return_from_checkout — Public HTTP endpoint 'OgoneController.ogone_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-sudo OgoneController.ogone_return_from_checkout — Unauthenticated endpoint 'OgoneController.ogone_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_return_from_checkout — Public HTTP endpoint 'PaypalController.paypal_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_return_from_checkout — Unauthenticated endpoint 'PaypalController.paypal_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_webhook — Public HTTP endpoint 'PaypalController.paypal_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_webhook — Unauthenticated endpoint 'PaypalController.paypal_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-sudo PayuLatamController.payulatam_return_from_checkout — Unauthenticated endpoint 'PayuLatamController.payulatam_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-csrf-off PayuLatamController.payulatam_webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-sudo PayuLatamController.payulatam_webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payumoney route-public-csrf-off PayUMoneyController.payumoney_return_from_checkout — Public HTTP endpoint 'PayUMoneyController.payumoney_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo PayUMoneyController.payumoney_return_from_checkout — Unauthenticated endpoint 'PayUMoneyController.payumoney_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_razorpay route-public-csrf-off RazorpayController.razorpay_return_from_checkout — Public HTTP endpoint 'RazorpayController.razorpay_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_razorpay route-public-sudo RazorpayController.razorpay_return_from_checkout — Unauthenticated endpoint 'RazorpayController.razorpay_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_razorpay route-public-csrf-off RazorpayController.razorpay_webhook — Public HTTP endpoint 'RazorpayController.razorpay_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_razorpay route-public-sudo RazorpayController.razorpay_webhook — Unauthenticated endpoint 'RazorpayController.razorpay_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off SipsController.sips_return_from_checkout — Public HTTP endpoint 'SipsController.sips_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-sudo SipsController.sips_return_from_checkout — Unauthenticated endpoint 'SipsController.sips_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off SipsController.sips_webhook — Public HTTP endpoint 'SipsController.sips_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-sudo SipsController.sips_webhook — Unauthenticated endpoint 'SipsController.sips_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_return_from_checkout — Public HTTP endpoint 'StripeController.stripe_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo StripeController.stripe_return_from_checkout — Unauthenticated endpoint 'StripeController.stripe_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_return_from_validation — Public HTTP endpoint 'StripeController.stripe_return_from_validation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo StripeController.stripe_return_from_validation — Unauthenticated endpoint 'StripeController.stripe_return_from_validation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_apple_pay_get_domain_association_file — Public HTTP endpoint 'StripeController.stripe_apple_pay_get_domain_association_file' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_worldline route-public-sudo WorldlineController.worldline_return_from_checkout — Unauthenticated endpoint 'WorldlineController.worldline_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_worldline route-public-csrf-off WorldlineController.worldline_webhook — Public HTTP endpoint 'WorldlineController.worldline_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_worldline route-public-sudo WorldlineController.worldline_webhook — Unauthenticated endpoint 'WorldlineController.worldline_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pingen route-public-csrf-off /pingen/letter_issues — Public HTTP endpoint 'PingenController.letter_issues' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pingen route-auth-none /pingen/letter_issues — Endpoint 'PingenController.letter_issues' uses auth="none": it runs with no user/session at all
pingen route-public-csrf-off /pingen/sent_letters — Public HTTP endpoint 'PingenController.sent_letters' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pingen route-auth-none /pingen/sent_letters — Endpoint 'PingenController.sent_letters' uses auth="none": it runs with no user/session at all
pingen route-public-csrf-off /pingen/undeliverable_letters — Public HTTP endpoint 'PingenController.undeliverable_letters' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pingen route-auth-none /pingen/undeliverable_letters — Endpoint 'PingenController.undeliverable_letters' uses auth="none": it runs with no user/session at all
pms route-public-sudo /my/folios, /my/folios/page/<int:page> — Unauthenticated endpoint 'PortalFolio.portal_my_folios' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pms route-public-sudo /my/reservations, /my/reservations/page/<int:page> — Unauthenticated endpoint 'PortalReservation.portal_my_reservations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale route-public-sudo /pos/ticket/validate — Unauthenticated endpoint 'PosController.show_ticket_validation_screen' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/avatar/mail.message/<int:res_id>/author_avatar/<int:width>x<int:height> — Unauthenticated endpoint 'PortalChatter.portal_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_adyen route-public-sudo /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
printing_simple_configuration acl-global-read print_conf_user — Access rule grants read on 'model_print_config' to every user (portal/public included): no group is set
printing_simple_configuration acl-global-read printer_user — Access rule grants read on 'model_printer' to every user (portal/public included): no group is set
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_brand_tag acl-global-read access_product_brand_tag_public — Access rule grants read on 'model_product_brand_tag' to every user (portal/public included): no group is set
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_price_category acl-global-read access_product_price_category_user — Access rule grants read on 'model_product_price_category' to every user (portal/public included): no group is set
product_print_category acl-global-read ir_model_access_product_print_category_rule_user — Access rule grants read on 'product_print_category.model_product_print_category_rule' to every user (portal/public included): no group is set
product_state acl-global-read access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set
project_update_portal acl-global-read project.access_project_update_portal — Access rule grants read on '?' to every user (portal/public included): no group is set
purchase_manual_delivery acl-global-write create_stock_picking_wizard_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
purchase_manual_delivery acl-global-write create_stock_picking_wizard_line_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
purchase_work_acceptance_evaluation acl-global-read access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
repair_picking_after_done acl-global-write access_repair_move_transfer_all — Access rule grants write/create/unlink on 'model_repair_move_transfer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
report_substitute acl-global-read action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set
res_company_category acl-global-read access_res_company_category_user — Access rule grants read on 'model_res_company_category' to every user (portal/public included): no group is set
rma route-public-sudo /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_manual_delivery acl-global-write access_manual_delivery_all — Access rule grants write/create/unlink on 'model_manual_delivery' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
sale_manual_delivery acl-global-write access_manual_delivery_line_all — Access rule grants write/create/unlink on 'model_manual_delivery_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
sale_planner_calendar rule-group-bypass partner_all_documents_follower_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_report_delivered rule-group-bypass sale_report_delivered_see_all_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_stock route-public-sudo /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sales_team rule-group-bypass crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group
shopfloor_base acl-global-read access_shopfloor_app_users — Access rule grants read on 'model_shopfloor_app' to every user (portal/public included): no group is set
sql_request_abstract route-auth-none /web/static/lib/ace/mode-pgsql.js — Endpoint 'SqlRequestAbstractWebClient.call_mode_pgsql_file' uses auth="none": it runs with no user/session at all
stay acl-global-read access_stay_date_label_user — Access rule grants read on 'model_stay_date_label' to every user (portal/public included): no group is set
storage_file acl-global-read access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set
survey rule-group-bypass survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey route-public-sudo /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_http route-auth-none /test_http/greeting, /test_http/greeting-none — Endpoint 'TestHttp.greeting_none' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/wsgi_environ — Endpoint 'TestHttp.wsgi_environ' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-get — Endpoint 'TestHttp.echo_http_get' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-http-post — Public HTTP endpoint 'TestHttp.echo_http_post' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-http-post — Endpoint 'TestHttp.echo_http_post' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-http-csrf — Endpoint 'TestHttp.echo_http_csrf' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/echo-json — Endpoint 'TestHttp.echo_json' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/echo-json-over-http — Public HTTP endpoint 'TestHttp.echo_json_over_http' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/echo-json-over-http — Endpoint 'TestHttp.echo_json_over_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_default — Endpoint 'TestHttp.cors_http' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_http_methods — Endpoint 'TestHttp.cors_http_verbs' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/cors_json — Endpoint 'TestHttp.cors_json' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/ensure_db — Endpoint 'TestHttp.ensure_db_endpoint' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/geoip — Endpoint 'TestHttp.geoip' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/save_session — Endpoint 'TestHttp.touch' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/fail — Endpoint 'TestHttp.fail' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/json_value_error — Endpoint 'TestHttp.json_value_error' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/decorator — Endpoint 'TestHttp.hide_errors_decorator' uses auth="none": it runs with no user/session at all
test_http route-auth-none /test_http/hide_errors/context-manager — Endpoint 'TestHttp.hide_errors_context_manager' uses auth="none": it runs with no user/session at all
test_http route-public-csrf-off /test_http/upload_file — Public HTTP endpoint 'TestHttp.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/upload_file — Endpoint 'TestHttp.upload_file_retry' uses auth="none": it runs with no user/session at all
test_new_api acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
test_new_api acl-global-read access_test_new_api_precompute — Access rule grants read on 'model_test_new_api_precompute' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_precompute_line — Access rule grants read on 'model_test_new_api_precompute_line' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_precompute_combo — Access rule grants read on 'model_test_new_api_precompute_combo' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_precompute_editable — Access rule grants read on 'model_test_new_api_precompute_editable' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_precompute_readonly — Access rule grants read on 'model_test_new_api_precompute_readonly' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_precompute_required — Access rule grants read on 'model_test_new_api_precompute_required' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_precompute_monetary — Access rule grants read on 'model_test_new_api_precompute_monetary' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_prefetch — Access rule grants read on 'model_test_new_api_prefetch' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_order — Access rule grants read on 'model_test_read_group_order' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_order_line — Access rule grants read on 'model_test_read_group_order_line' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_user — Access rule grants read on 'model_test_read_group_user' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_task — Access rule grants read on 'model_test_read_group_task' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_source_model — Access rule grants read on 'model_test_search_panel_source_model' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_category_target_model — Access rule grants read on 'model_test_search_panel_category_target_model' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_category_target_model_no_parent_name — Access rule grants read on 'model_test_search_panel_category_target_model_no_parent_name' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_filter_target_model — Access rule grants read on 'model_test_search_panel_filter_target_model' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set
test_website acl-global-read access_test_model — Access rule grants read on 'model_test_model' to every user (portal/public included): no group is set
test_website acl-global-read access_test_model_multi_website — Access rule grants read on 'model_test_model_multi_website' to every user (portal/public included): no group is set
test_website route-public-sudo /test_website/model_item/<int:record_id> — Unauthenticated endpoint 'WebsiteTest.test_model_item' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
upgrade_analysis acl-global-read access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set
upgrade_analysis acl-global-read access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set
vault route-public-sudo /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
vault_share route-public-sudo /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/filestore/<path:_path> — Endpoint 'Binary.content_filestore' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/assets/debug/<string:filename>, /web/assets/debug/<path:extra>/<string:filename>, /web/assets/<int:id>/<string:filename>, /web/assets/<int:id>-<string:unique>/<string:filename>, /web/assets/<int:id>-<string:unique>/<path:extra>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-public-sudo /web/image, /web/image/<string:xmlid>, /web/image/<string:xmlid>/<string:filename>, /web/image/<string:xmlid>/<int:width>x<int:height>, /web/image/<string:xmlid>/<int:width>x<int:height>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>, /web/image/<string:model>/<int:id>/<string:field>/<string:filename>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>, /web/image/<string:model>/<int:id>/<string:field>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>, /web/image/<int:id>/<string:filename>, /web/image/<int:id>/<int:width>x<int:height>, /web/image/<int:id>/<int:width>x<int:height>/<string:filename>, /web/image/<int:id>-<string:unique>, /web/image/<int:id>-<string:unique>/<string:filename>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>, /web/image/<int:id>-<string:unique>/<int:width>x<int:height>/<string:filename> — Unauthenticated endpoint 'Binary.content_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_editor route-public-sudo /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_tour acl-global-read access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
webservice route-public-csrf-off /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
webservice route-public-sudo /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-csrf-off /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_event — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
website_event acl-global-read access_event_event_ticket — Access rule grants read on 'event.model_event_event_ticket' to every user (portal/public included): no group is set
website_event acl-global-read access_event_tag_category — Access rule grants read on 'event.model_event_tag_category' to every user (portal/public included): no group is set
website_event acl-global-read access_event_tag — Access rule grants read on 'event.model_event_tag' to every user (portal/public included): no group is set
website_event acl-global-read access_website_event_menu — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set
website_event route-public-sudo /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/page/<path:page> — Unauthenticated endpoint 'WebsiteEventController.event_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth acl-global-read access_event_booth_category — Access rule grants read on 'event_booth.model_event_booth_category' to every user (portal/public included): no group is set
website_event_booth route-public-sudo /event/<model("event.event"):event>/booth — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_main' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/<model("event.event"):event>/booth/register_form — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_contact_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor acl-global-read access_event_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_exhibitor acl-global-read access_event_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_event_exhibitor route-public-sudo /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet acl-global-read access_event_meeting_room — Access rule grants read on 'model_event_meeting_room' to every user (portal/public included): no group is set
website_event_meet route-public-sudo /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions acl-global-read access_event_question — Access rule grants read on 'model_event_question' to every user (portal/public included): no group is set
website_event_questions acl-global-read access_event_question_answer — Access rule grants read on 'model_event_question_answer' to every user (portal/public included): no group is set
website_event_questions rule-group-bypass ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event_questions rule-group-bypass ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event_track acl-global-read access_event_track — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_tag — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_stage — Access rule grants read on 'model_event_track_stage' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_tag_category — Access rule grants read on 'model_event_track_tag_category' to every user (portal/public included): no group is set
website_event_track route-public-sudo /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_live route-public-sudo /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum rule-group-bypass website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/<model("forum.post", "[('forum_id','=',forum.id),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/employment_type/<int:contract_type_id>, /jobs/department/<model("hr.department"):department>/employment_type/<int:contract_type_id>, /jobs/office/<int:office_id>/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>/employment_type/<int:contract_type_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>/employment_type/<int:contract_type_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id>/employment_type/<int:contract_type_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_group route-public-sudo /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_payment route-public-sudo /donation/get_provider_fees — Unauthenticated endpoint 'PaymentPortal.get_provider_fees' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_tag_public — Access rule grants read on 'product.model_product_tag' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_ribbon_public — Access rule grants read on 'website_sale.model_product_ribbon' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set
website_sale acl-global-read access_ecom_extra_fields_public — Access rule grants read on 'model_website_sale_extra_field' to every user (portal/public included): no group is set
website_sale acl-global-read access_website_base_unit_public — Access rule grants read on 'model_website_base_unit' to every user (portal/public included): no group is set
website_sale route-public-sudo /shop, /shop/page/<int:page>, /shop/category/<model("product.public.category"):category>, /shop/category/<model("product.public.category"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.shop' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.shop_payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_autocomplete route-public-sudo /autocomplete/address — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_autocomplete route-public-sudo /autocomplete/address_full — Unauthenticated endpoint 'AutoCompleteController._autocomplete_address_full' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_comparison acl-global-read access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set
website_sale_delivery route-public-sudo /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_delivery_mondialrelay route-public-sudo /website_sale_delivery_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_financial_risk route-public-csrf-off CreditController.custom_process_transaction — Public HTTP endpoint 'CreditController.custom_process_transaction' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_sale_financial_risk route-public-sudo CreditController.custom_process_transaction — Unauthenticated endpoint 'CreditController.custom_process_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty route-public-sudo /shop/claimreward — Unauthenticated endpoint 'WebsiteSale.claim_reward' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_page route-public-sudo /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_suggestion_wizard route-public-sudo /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_suggestion_wizard route-public-sudo /website_sale_loyalty_suggestion_wizard/get_defaults — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.get_default_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_loyalty_suggestion_wizard route-public-sudo /website_sale_loyalty_suggestion_wizard/apply — Unauthenticated endpoint 'WebsiteSaleLoyaltySuggestionWizardController.apply_promotion_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_assortment route-public-sudo /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_minimal_price route-public-sudo /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock route-public-sudo /shop/add/stock_notification — Unauthenticated endpoint 'WebsiteSale.add_stock_email_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock_list_preview route-public-sudo /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides rule-group-bypass rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides route-public-sudo /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set
website_twitter route-public-sudo /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes

Active Pull Requests 23

0 fresh 0 rotting 0 rotten

Module Repository Title Age CI
account_budget_oca OCA/account-budgeting [MIG] account_budget_oca 15.0 #56 no CI data
account_budget_oca OCA/account-budgeting 15.0 mig account budget oca #55 no CI data
account_consolidation_oca OCA/account-consolidation [15.0][MIG] account_consolidation_oca #43 no CI data
base_deterministic_session_gc OCA/server-tools [15.0] [MIG] base_deterministic_session_gc: migration to 15.0 #3006 no CI data
base_force_record_noupdate OCA/server-tools [15.0][MIG] base_force_record_noupdate: Backport to 15.0 #2952 no CI data
base_group_backend OCA/server-backend [15.0][MIG] base_group_backend: Migration to 15.0 #359 no CI data
base_rest_auth_jwt OCA/rest-framework [15.0][MIG] base_rest_auth_jwt: Migration to 15.0 #237 no CI data
base_video_link-BAD OCA/server-tools [15.0] [MIG] base_video_link: Migration to 15.0 #2930 no CI data
bus_alt_connection OCA/server-tools [MIG] bus_alt_connection: Migration to 15.0 #2856 no CI data
connector_ecommerce OCA/connector-ecommerce [15.0][MIG] connector_ecommerce #70 no CI data
currency_rate_inverted OCA/currency [15.0][MIG] currency_rate_inverted #228 no CI data
currency_rate_update_wise OCA/currency [15.0][MIG] currency_rate_update_wise #222 no CI data
hr_timesheet_purchase_order-BAD OCA/timesheet [15.0][MIG] hr_timesheet_purchase_order: Migration to 15.0 #814 no CI data
hr_utilization_report OCA/timesheet [15.0][MIG] hr_utilization_report: Migration to 15.0 #745 no CI data
passport_expiration OCA/vertical-travel [15.0][mig] passport_expiration #60 no CI data
pricelist_brand OCA/brand [15.0][MIG] pricelist_brand: Migration to 15.0 #313 no CI data
product_operating_unit OCA/operating-unit [15.0][MIG] product_operating_unit: Migration to 15.0 #492 no CI data
project_task_report OCA/project-reporting [15.0] Migration of project_task_report #47 no CI data
project_task_timesheet_report OCA/project-reporting [15.0] Migration of project_task_timesheet_report #45 #48 no CI data
purchase_request_to_requisition_operating_unit OCA/operating-unit [15.0][MIG] purchase_request_to_requisition_operating_unit #554 no CI data
sale_operating_unit_sequence OCA/operating-unit [15.0][MIG]sale_operating_unit_sequence #490 no CI data
web_field_required_invisible_manager OCA/web [15.0][MIG] web_field_required_invisible_manager: Migration to 15.0 #3193 no CI data
web_form_banner OCA/web [15.0][MIG] web_form_banner: Migration to 15.0 #3287 no CI data

Security Findings

Errors 239

Module Code Message
account_avatax_exemption_base acl-global-write access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to EVERY user (portal/public included): no group is set
account_invoice_merge acl-global-write access_invoice_merge — Access rule grants write/create/unlink on 'model_invoice_merge' to EVERY user (portal/public included): no group is set
auth_totp_portal acl-public-write access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_comment_wizard — Access rule grants write/create/unlink on 'model_comment_wizard' to EVERY user (portal/public included): no group is set
base_tier_validation_forward acl-global-write access_tier_validation_forward_wizard — Access rule grants write/create/unlink on 'model_tier_validation_forward_wizard' to EVERY user (portal/public included): no group is set
base_user_role acl-global-write access_wizard_groups_into_role — Access rule grants write/create/unlink on 'model_wizard_groups_into_role' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
crm_won_reason acl-global-write access_crm_lead_won — Access rule grants write/create/unlink on 'model_crm_lead_won' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set
fieldservice_route acl-public-write access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal'
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
graphql_demo route-user-csrf-off /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
hr_expense_portal acl-public-write access_hr_expense_portal — Access rule grants write on 'hr_expense.model_hr_expense' to the portal/public group 'base.group_portal'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
l10n_br_hr acl-global-write access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set
l10n_ro_account_anaf_sync route-user-csrf-off /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
l10n_ro_stock_account acl-global-write access_l10n_ro_stock_valuation_layer_tracking — Access rule grants write/create/unlink on 'model_l10n_ro_stock_valuation_layer_tracking' to EVERY user (portal/public included): no group is set
l10n_th_bank_payment_export acl-global-write access_bank_export_format — Access rule grants write/create/unlink on 'model_bank_export_format' to EVERY user (portal/public included): no group is set
l10n_th_bank_payment_export acl-global-write access_bank_export_format_line — Access rule grants write/create/unlink on 'model_bank_export_format_line' to EVERY user (portal/public included): no group is set
l10n_th_gov_account_asset_management acl-global-write access_account_asset_location_user — Access rule grants write on 'model_account_asset_location' to EVERY user (portal/public included): no group is set
l10n_th_gov_purchase_report acl-global-write access_purchase_report_wizard — Access rule grants write/create/unlink on 'model_purchase_report_wizard' to EVERY user (portal/public included): no group is set
l10n_th_gov_purchase_report acl-global-write access_non_purchase_report_wizard — Access rule grants write/create/unlink on 'model_non_purchase_report_wizard' to EVERY user (portal/public included): no group is set
l10n_th_gov_purchase_report acl-global-write access_purchase_tracking_report_wizard — Access rule grants write/create/unlink on 'model_purchase_tracking_report_wizard' to EVERY user (portal/public included): no group is set
l10n_th_gov_purchase_report acl-global-write access_purchase_tracking_report_view — Access rule grants write/create/unlink on 'model_purchase_tracking_report_view' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal'
partner_aging acl-global-write res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set
partner_autocomplete acl-public-write access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal'
payment acl-public-write payment_token_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal'
project acl-public-write access_project_sharing_task_portal — Access rule grants write/create on 'model_project_task' to the portal/public group 'base.group_portal'
purchase_invoice_plan acl-global-write access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set
purchase_work_acceptance acl-global-write access_work_accepted_date_wizard — Access rule grants write/create/unlink on 'model_work_accepted_date_wizard' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_evaluation acl-global-write access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_invoice_plan acl-global-write access_select_work_acceptance_invoice_plan_wizard — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_wizard' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_invoice_plan acl-global-write access_select_work_acceptance_invoice_plan_qty — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_qty' to EVERY user (portal/public included): no group is set
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
sale_credit_point acl-global-write access_credit_point_history — Access rule grants write/create/unlink on 'model_credit_point_history' to EVERY user (portal/public included): no group is set
sale_credit_point acl-privilege-escalation credit_points_access_res_users — Access rule grants write on security model 'base.model_res_users' to group 'sale_credit_point.group_manage_credit_point': members can escalate their own permissions
sale_invoice_plan acl-global-write access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set
sql_export acl-global-write access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set
storage_image_backend_migration acl-global-write access_storage_image_backend_migration_wizard — Access rule grants write/create/unlink on 'model_storage_image_backend_migration_wizard' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_base_automation_link_test — Access rule grants write/create/unlink on 'model_base_automation_link_test' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_base_automation_linked_test — Access rule grants write/create/unlink on 'model_base_automation_linked_test' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_test_base_automation_project — Access rule grants write/create/unlink on 'model_test_base_automation_project' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_test_base_automation_task — Access rule grants write/create/unlink on 'model_test_base_automation_task' to EVERY user (portal/public included): no group is set
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_convert acl-global-write access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_inherits_parent — Access rule grants write/create/unlink on 'model_export_inherits_parent' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_inherits_child — Access rule grants write/create/unlink on 'model_export_inherits_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_mail acl-global-write access_mail_performance_thread — Access rule grants write/create/unlink on 'model_mail_performance_thread' to EVERY user (portal/public included): no group is set
test_mail acl-public-write access_mail_test_container_portal — Access rule grants write on 'model_mail_test_container' to the portal/public group 'base.group_portal'
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_readonly — Access rule grants write/create/unlink on 'model_test_new_api_compute_readonly' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_readwrite — Access rule grants write/create/unlink on 'model_test_new_api_compute_readwrite' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_onchange_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_dynamic_depends — Access rule grants write/create/unlink on 'model_test_new_api_compute_dynamic_depends' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_unassigned — Access rule grants write/create/unlink on 'model_test_new_api_compute_unassigned' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_base — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_required — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_non_stored — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_non_stored' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_required_for_write_override — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required_for_write_override' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_payment — Access rule grants write/create/unlink on 'model_test_new_api_payment' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_editable — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_editable_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_constrained_unlinks — Access rule grants write/create/unlink on 'model_test_new_api_model_constrained_unlinks' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate — Access rule grants write/create/unlink on 'model_test_populate' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate_category — Access rule grants write/create/unlink on 'model_test_populate_category' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_no_populat — Access rule grants write/create/unlink on 'model_test_no_populate' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate_inherit — Access rule grants write/create/unlink on 'model_test_populate_inherit' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
web_ir_actions_act_multi acl-global-write crud_ir_actions_act_multi — Access rule grants write/create/unlink on 'model_ir_actions_act_multi' to EVERY user (portal/public included): no group is set
web_ir_actions_act_window_message acl-global-write crud_ir_actions_act_window_message — Access rule grants write/create/unlink on 'model_ir_actions_act_window_message' to EVERY user (portal/public included): no group is set
website route-user-csrf-off /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
website_crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'
website_snippet_dynamic_link acl-global-write website_dynamic_link_access — Access rule grants write/create/unlink on 'model_website_dynamic_link' to EVERY user (portal/public included): no group is set

Warnings 569

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_invoice_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account route-public-sudo /terms — Unauthenticated endpoint 'TermsController.terms_conditions' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_avatax_exemption_base acl-global-read access_portal_group_of_states — Access rule grants read on 'model_res_partner_group_state' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_line — Access rule grants read on 'model_res_partner_exemption_line' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_type — Access rule grants read on 'model_res_partner_exemption_type' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_business_type — Access rule grants read on 'model_res_partner_exemption_business_type' to every user (portal/public included): no group is set
account_brand acl-global-read res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set
account_edi acl-global-read access_account_edi_format_readonly — Access rule grants read on 'model_account_edi_format' to every user (portal/public included): no group is set
account_edi acl-global-read access_account_edi_document_readonly — Access rule grants read on 'model_account_edi_document' to every user (portal/public included): no group is set
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
account_statement_import_online_gocardless route-public-csrf-off /gocardless/response — Public HTTP endpoint 'GocardlessController.gocardless_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
account_statement_import_online_gocardless route-public-sudo /gocardless/response — Unauthenticated endpoint 'GocardlessController.gocardless_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-public-sudo /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_oauth_autologin route-auth-none /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all
auth_saml route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
base route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
base route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
base route-auth-none /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all
base_comment_template acl-global-read access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set
base_ical route-auth-none /base_ical/<int:calendar_id> — Endpoint 'ICalController.get_ical' uses auth="none": it runs with no user/session at all
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_multi_branch_company acl-global-read access_res_branch_user — Access rule grants read on 'model_res_branch' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
bus route-auth-none /longpolling/health — Endpoint 'BusController.health' uses auth="none": it runs with no user/session at all
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
connector_jira route-auth-none /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all
connector_jira route-auth-none /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group
digest route-public-csrf-off /digest/<int:digest_id>/unsubscribe_oneclik — Public HTTP endpoint 'DigestController.digest_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
digest route-public-sudo /digest/<int:digest_id>/unsubscribe — Unauthenticated endpoint 'DigestController.digest_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_account_analytic rule-group-bypass analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_route rule-group-bypass fsm_route_own_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_route rule-group-bypass fsm_route_dayroute_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_website_sale route-public-sudo /fieldservice/get_route_info — Unauthenticated endpoint 'FieldServiceController.get_route_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
fieldservice_website_sale route-public-sudo /fieldservice/get_enabled_days — Unauthenticated endpoint 'FieldServiceController.get_enabled_days' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
fieldservice_website_sale route-public-sudo /fieldservice/get_blackout_days — Unauthenticated endpoint 'FieldServiceController.get_blackout_days' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
github_connector acl-global-read access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_overtime_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance_rfid rule-group-bypass hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense_advance_overdue_reminder acl-global-read access_hr_advance_overdue_reminder_user — Access rule grants read on 'model_hr_advance_overdue_reminder' to every user (portal/public included): no group is set
hr_holidays rule-group-bypass hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
http_routing route-public-sudo /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
http_routing route-auth-none /web/session/logout — Endpoint 'SessionWebsite.logout' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/box/connect — Public HTTP endpoint 'DriverController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/box/connect — Endpoint 'DriverController.connect_box' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_l10n_eg_eta route-public-csrf-off /hw_l10n_eg_eta/certificate — Public HTTP endpoint 'EtaUsbController.eta_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_l10n_eg_eta route-auth-none /hw_l10n_eg_eta/certificate — Endpoint 'EtaUsbController.eta_certificate' uses auth="none": it runs with no user/session at all
hw_l10n_eg_eta route-public-csrf-off /hw_l10n_eg_eta/sign — Public HTTP endpoint 'EtaUsbController.eta_sign' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_l10n_eg_eta route-auth-none /hw_l10n_eg_eta/sign — Endpoint 'EtaUsbController.eta_sign' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /list_handlers — Public HTTP endpoint 'IoTboxHomepage.list_handlers' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /list_handlers — Endpoint 'IoTboxHomepage.list_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /load_iot_handlers — Endpoint 'IoTboxHomepage.load_iot_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /handlers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_handlers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /handlers_clear — Endpoint 'IoTboxHomepage.clear_handlers_list' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
iot_input_oca route-public-csrf-off /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_template_oca route-public-csrf-off /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_template_oca route-public-sudo /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_template_oca route-auth-none /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all
l10n_br_hr acl-global-read access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set
l10n_ec acl-global-read access_l10n_ec_sri_payment_public — Access rule grants read on 'model_l10n_ec_sri_payment' to every user (portal/public included): no group is set
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_in acl-global-read access_l10n_in_account_invoice_report — Access rule grants read on 'model_l10n_in_account_invoice_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_advances_payment_report — Access rule grants read on 'model_l10n_in_advances_payment_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_advances_payment_adjustment_report — Access rule grants read on 'model_l10n_in_advances_payment_adjustment_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_product_hsn_report — Access rule grants read on 'model_l10n_in_product_hsn_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_exempted_report — Access rule grants read on 'model_l10n_in_exempted_report' to every user (portal/public included): no group is set
l10n_ro_account_anaf_sync route-public-csrf-off /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_ro_account_anaf_sync route-public-sudo /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_th_account_tax acl-global-read access_personal_income_tax_user — Access rule grants read on 'model_personal_income_tax' to every user (portal/public included): no group is set
l10n_th_account_tax acl-global-read access_personal_income_tax_rate_user — Access rule grants read on 'model_personal_income_tax_rate' to every user (portal/public included): no group is set
l10n_th_gov_purchase_report acl-global-read access_purchase_report_view — Access rule grants read on 'model_purchase_report_view' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-public-sudo /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /chat/<int:channel_id>/<string:invitation_token> — Unauthenticated endpoint 'DiscussController.discuss_channel_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/channel/<int:channel_id>/partner/<int:partner_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_partner_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/channel/<int:channel_id>/guest/<int:guest_id>/avatar_128 — Unauthenticated endpoint 'DiscussController.mail_channel_guest_avatar_128' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/init_messaging — Unauthenticated endpoint 'DiscussController.mail_init_messaging' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/update_content — Unauthenticated endpoint 'DiscussController.mail_message_update_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/attachment/delete — Unauthenticated endpoint 'DiscussController.mail_attachment_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/add_reaction — Unauthenticated endpoint 'DiscussController.mail_message_add_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/message/remove_reaction — Unauthenticated endpoint 'DiscussController.mail_message_remove_reaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/channel/add_guest_as_member — Unauthenticated endpoint 'DiscussController.mail_channel_add_guest_as_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/notify_call_members — Unauthenticated endpoint 'DiscussController.session_call_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/rtc/session/update_and_broadcast — Unauthenticated endpoint 'DiscussController.session_update_and_broadcast' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/guest/update_name — Unauthenticated endpoint 'DiscussController.mail_guest_update_name' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups — Unauthenticated endpoint 'PortalMailGroup.groups_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>, /groups/<model("mail.group"):group>/page/<int:page> — Unauthenticated endpoint 'PortalMailGroup.group_view_messages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message> — Unauthenticated endpoint 'PortalMailGroup.group_view_message' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /groups/<model("mail.group"):group>/<model("mail.group.message"):message>/get_replies — Unauthenticated endpoint 'PortalMailGroup.group_message_get_replies' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-csrf-off /group/<int:group_id>/unsubscribe_oneclick — Public HTTP endpoint 'PortalMailGroup.group_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_group route-public-sudo /group/<int:group_id>/unsubscribe_oneclick — Unauthenticated endpoint 'PortalMailGroup.group_unsubscribe_oneclick' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_group route-public-sudo /group/subscribe-confirm — Unauthenticated endpoint 'PortalMailGroup.group_subscribe_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_plugin route-auth-none /mail_client_extension/auth/access_token, /mail_plugin/auth/access_token — Endpoint 'Authenticate.auth_access_token' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-public-sudo /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mail_tracking_mailgun route-public-sudo /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking_mailgun route-auth-none /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all
mass_mailing route-public-csrf-off /mail/mailing/<int:mailing_id>/unsubscribe_oneclick — Public HTTP endpoint 'MassMailController.mailing_unsubscribe_oneclick' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
monitoring route-public-sudo /monitoring/<string:token> — Unauthenticated endpoint 'MonitoringHome.monitoring' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
monitoring route-auth-none /monitoring/<string:token> — Endpoint 'MonitoringHome.monitoring' uses auth="none": it runs with no user/session at all
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
partner_stage acl-global-read access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set
password_security route-auth-none /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all
payment rule-group-bypass payment_transaction_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
payment rule-group-bypass payment_token_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
payment route-public-sudo /payment/status/poll — Unauthenticated endpoint 'PaymentPostProcessing.poll_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/pay — Unauthenticated endpoint 'PaymentPortal.payment_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/confirmation — Unauthenticated endpoint 'PaymentPortal.payment_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/acquirer_info — Unauthenticated endpoint 'AdyenController.adyen_acquirer_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payment_methods — Unauthenticated endpoint 'AdyenController.adyen_payment_methods' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payments — Unauthenticated endpoint 'AdyenController.adyen_payments' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/payment_details — Unauthenticated endpoint 'AdyenController.adyen_payment_details' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return_from_redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-sudo /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-sudo AlipayController.alipay_return_from_redirect — Unauthenticated endpoint 'AlipayController.alipay_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-csrf-off AlipayController.alipay_notify — Public HTTP endpoint 'AlipayController.alipay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_alipay route-public-sudo AlipayController.alipay_notify — Unauthenticated endpoint 'AlipayController.alipay_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/get_acquirer_info — Unauthenticated endpoint 'AuthorizeController.authorize_get_acquirer_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/payment — Unauthenticated endpoint 'AuthorizeController.authorize_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off BuckarooController.buckaroo_return_from_redirect — Public HTTP endpoint 'BuckarooController.buckaroo_return_from_redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo BuckarooController.buckaroo_return_from_redirect — Unauthenticated endpoint 'BuckarooController.buckaroo_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_return — Public HTTP endpoint 'MollieController.mollie_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_return — Unauthenticated endpoint 'MollieController.mollie_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_mollie route-public-csrf-off MollieController.mollie_notify — Public HTTP endpoint 'MollieController.mollie_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_mollie route-public-sudo MollieController.mollie_notify — Unauthenticated endpoint 'MollieController.mollie_notify' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-csrf-off OgoneController.ogone_return_from_redirect — Public HTTP endpoint 'OgoneController.ogone_return_from_redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-sudo OgoneController.ogone_return_from_redirect — Unauthenticated endpoint 'OgoneController.ogone_return_from_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_dpn — Unauthenticated endpoint 'PaypalController.paypal_dpn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off PaypalController.paypal_ipn — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-sudo PaypalController.paypal_ipn — Unauthenticated endpoint 'PaypalController.paypal_ipn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-sudo PayuLatamController.payulatam_return — Unauthenticated endpoint 'PayuLatamController.payulatam_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-csrf-off PayuLatamController.payulatam_webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-sudo PayuLatamController.payulatam_webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payumoney route-public-csrf-off PayUMoneyController.payumoney_return — Public HTTP endpoint 'PayUMoneyController.payumoney_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo PayUMoneyController.payumoney_return — Unauthenticated endpoint 'PayUMoneyController.payumoney_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off SipsController.sips_dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-sudo SipsController.sips_dpn — Unauthenticated endpoint 'SipsController.sips_dpn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off SipsController.sips_ipn — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-sudo SipsController.sips_ipn — Unauthenticated endpoint 'SipsController.sips_ipn' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_return_from_checkout — Public HTTP endpoint 'StripeController.stripe_return_from_checkout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo StripeController.stripe_return_from_checkout — Unauthenticated endpoint 'StripeController.stripe_return_from_checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-csrf-off StripeController.stripe_return_from_validation — Public HTTP endpoint 'StripeController.stripe_return_from_validation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo StripeController.stripe_return_from_validation — Unauthenticated endpoint 'StripeController.stripe_return_from_validation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo StripeController.stripe_webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_test route-public-sudo /payment/test/simulate_payment — Unauthenticated endpoint 'PaymentTestController.test_simulate_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-public-csrf-off TransferController.transfer_form_feedback — Public HTTP endpoint 'TransferController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_transfer route-public-sudo TransferController.transfer_form_feedback — Unauthenticated endpoint 'TransferController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group
portal route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /web — Unauthenticated endpoint 'Home.web_client' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
pos_adyen route-public-sudo /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_state acl-global-read access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set
product_variant_configurator_manual_creation acl-global-write access_wizard_product_variant_configurator_manual_creation_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
product_variant_configurator_manual_creation acl-global-write access_wizard_product_variant_configurator_manual_creation_line_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
purchase_work_acceptance_evaluation acl-global-read access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
rating route-public-sudo /rate/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.action_open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
rating route-public-sudo /rate/<string:token>/submit_feedback — Unauthenticated endpoint 'Rating.action_submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
rma route-public-sudo /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_coupon_selection_wizard route-public-sudo /sale_coupon_selection_wizard/configure — Unauthenticated endpoint 'CouponSelectionWizardController.configure_promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_missing_tracking rule-group-bypass sale_missing_tracking_manager_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_missing_tracking rule-group-bypass sale_missing_tracking_exception_manager_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_planner_calendar rule-group-bypass partner_all_documents_follower_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_report_delivered rule-group-bypass sale_report_delivered_see_all_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_stock_invoice_plan acl-global-read access_stock_scrap_sale_invoice_plan_ — Access rule grants read on 'stock.model_stock_scrap' to every user (portal/public included): no group is set
sales_team rule-group-bypass crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group
storage_file acl-global-read access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set
survey rule-group-bypass survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey route-public-sudo /survey/get_background_image/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_get_background' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_http route-public-csrf-off /test_http/upload_file — Public HTTP endpoint 'HttpTest.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/upload_file — Endpoint 'HttpTest.upload_file_retry' uses auth="none": it runs with no user/session at all
test_new_api acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
test_read_group acl-global-read access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_order — Access rule grants read on 'model_test_read_group_order' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_order_line — Access rule grants read on 'model_test_read_group_order_line' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_user — Access rule grants read on 'model_test_read_group_user' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_task — Access rule grants read on 'model_test_read_group_task' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_source_model — Access rule grants read on 'model_test_search_panel_source_model' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_category_target_model — Access rule grants read on 'model_test_search_panel_category_target_model' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_category_target_model_no_parent_name — Access rule grants read on 'model_test_search_panel_category_target_model_no_parent_name' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_filter_target_model — Access rule grants read on 'model_test_search_panel_filter_target_model' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set
test_website acl-global-read access_test_model — Access rule grants read on 'model_test_model' to every user (portal/public included): no group is set
upgrade_analysis acl-global-read access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set
upgrade_analysis acl-global-read access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set
vault route-public-sudo /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
vault_share route-public-sudo /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/health — Endpoint 'Home.health' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/qweb/<string:unique> — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/assets/debug/<string:filename>, /web/assets/debug/<path:extra>/<string:filename>, /web/assets/<int:id>/<string:filename>, /web/assets/<int:id>-<string:unique>/<string:filename>, /web/assets/<int:id>-<string:unique>/<path:extra>/<string:filename> — Unauthenticated endpoint 'Binary.content_assets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<int:width>x<int:height>/<int:alpha>, /web_editor/font_to_img/<icon>/<color>/<bg>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>, /web_editor/font_to_img/<icon>/<color>/<bg>/<int:width>x<int:height>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_editor route-public-sudo /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_tour acl-global-read access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website route-public-sudo / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/autocomplete — Unauthenticated endpoint 'Website.autocomplete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-csrf-off /website/form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_event — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
website_event acl-global-read access_event_event_ticket — Access rule grants read on 'event.model_event_event_ticket' to every user (portal/public included): no group is set
website_event acl-global-read access_event_tag_category — Access rule grants read on 'event.model_event_tag_category' to every user (portal/public included): no group is set
website_event acl-global-read access_event_tag — Access rule grants read on 'event.model_event_tag' to every user (portal/public included): no group is set
website_event acl-global-read access_website_event_menu — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set
website_event route-public-sudo /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/registration/success — Unauthenticated endpoint 'WebsiteEventController.event_registration_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/<model("event.event"):event>/booth — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_main' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/<model("event.event"):event>/booth/register_form — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_contact_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/<model("event.event"):event>/booth/success — Unauthenticated endpoint 'WebsiteEventBoothController.event_booth_registration_complete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth/check_availability — Unauthenticated endpoint 'WebsiteEventBoothController.check_booths_availability' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_booth route-public-sudo /event/booth_category/get_available_booths — Unauthenticated endpoint 'WebsiteEventBoothController.get_booth_category_available_booths' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_exhibitor acl-global-read access_event_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_exhibitor acl-global-read access_event_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_event_exhibitor route-public-sudo /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet acl-global-read access_event_meeting_room — Access rule grants read on 'model_event_meeting_room' to every user (portal/public included): no group is set
website_event_meet route-public-sudo /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions acl-global-read access_event_question — Access rule grants read on 'model_event_question' to every user (portal/public included): no group is set
website_event_questions acl-global-read access_event_question_answer — Access rule grants read on 'model_event_question_answer' to every user (portal/public included): no group is set
website_event_questions rule-group-bypass ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event_questions rule-group-bypass ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event_sale acl-global-read access_event_event_ticket — Access rule grants read on 'event.model_event_event_ticket' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_tag — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_stage — Access rule grants read on 'model_event_track_stage' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_tag_category — Access rule grants read on 'model_event_track_tag_category' to every user (portal/public included): no group is set
website_event_track route-public-sudo /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_live route-public-sudo /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/submit — Unauthenticated endpoint 'WebsiteEventTrackQuiz.event_track_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_quiz route-public-sudo /event_track/quiz/reset — Unauthenticated endpoint 'WebsiteEventTrackQuiz.quiz_reset' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum rule-group-bypass website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/<model("forum.post", "[('forum_id','=',forum.id),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_group route-public-sudo /group/is_member — Unauthenticated endpoint 'WebsiteMailGroup.group_is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_payment route-public-sudo /donation/get_acquirer_fees — Unauthenticated endpoint 'PaymentPortal.get_acquirer_fees' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_ribbon_public — Access rule grants read on 'website_sale.model_product_ribbon' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set
website_sale acl-global-read access_ecom_extra_fields_public — Access rule grants read on 'model_website_sale_extra_field' to every user (portal/public included): no group is set
website_sale acl-global-read access_website_base_unit_public — Access rule grants read on 'model_website_base_unit' to every user (portal/public included): no group is set
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.shop_payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.shop_payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.shop_payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_charge_payment_fee route-public-sudo /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.shop_payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_comparison acl-global-read access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set
website_sale_coupon_page route-public-sudo /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_coupon_selection_wizard route-public-sudo /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleCouponWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_delivery route-public-sudo /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_delivery_mondialrelay route-public-sudo /website_sale_delivery_mondialrelay/update_shipping — Unauthenticated endpoint 'MondialRelay.mondial_relay_update_shipping' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_gift_card route-public-sudo /shop/pay_with_gift_card — Unauthenticated endpoint 'GiftCardController.add_gift_card' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_menu_partner_top_selling route-public-sudo /shop/my_regular_products, /shop/my_regular_products/page/<int:page> — Unauthenticated endpoint 'WebsiteSale.user_regular_products' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_order_cancel route-public-sudo /cancel/confirm — Unauthenticated endpoint 'SaleOrderCancel.confirm_cancel_sale_order' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_assortment route-public-sudo /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_minimal_price route-public-sudo /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_resource_booking route-public-sudo /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock_list_preview route-public-sudo /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides rule-group-bypass rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides route-public-sudo /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<int:slide_id>/get_image — Unauthenticated endpoint 'WebsiteSlides.slide_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set
website_twitter route-public-sudo /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes

Active Pull Requests 29

0 fresh 0 rotting 0 rotten

Module Repository Title Age CI
account_analytic_default_account OCA/account-analytic [14.0][MIG] account_analytic_default_account: Migration to 14.0 #495 no CI data
account_fiscal_position_rule OCA/account-fiscal-rule [14.0][MIG] account_fiscal_position_rule #356 no CI data
account_invoice_analytic_search OCA/account-invoicing [MIG] account_invoice_analytic_search to 14.0 #2091 no CI data
account_statement_import_online_qonto OCA/bank-statement-import [14.0][MIG] account_bank_statement_import_online_qonto #962 no CI data
confirmation_wizard OCA/server-ux [MIG] confirmation_wizard: Migration to 14.0 #1265 no CI data
delivery_roulier_dpd_fr OCA/delivery-carrier [14.0][ADD] delivery_roulier_dpd_fr #1174 no CI data
l10n_be_cooperator_website_national_number OCA/cooperative [14.0][MIG] l10n_be_cooperator_website_national_number #70 no CI data
l10n_fr_cooperator OCA/cooperative [14.0][MIG] l10n_fr_cooperator: migration to 14.0 #109 no CI data
mail_alias_with_domain OCA/social [14.0][MIG] mig_mail_alias_with_domain #1800 no CI data
mail_company_aware_sender OCA/social [14.0][MIG] mail_company_aware_sender #1799 no CI data
mail_footer_notified_partner OCA/social [MIG][14.0][mail_footer_notified_partner] Migration to v14 with renaming of module #855 no CI data
maintenance_stock OCA/maintenance [14.0][MIG] maintenance_stock: Migration to 14.0 #347 no CI data
mis_builder_budget_tier_validation OCA/mis-builder-contrib [14.0][MIG] mis_builder_budget_tier_validation: Migration to 14.0 #60 no CI data
mrp_production_request-mrp_request OCA/OpenUpgrade [14.0][MIG] mrp_production_request -> mrp_request #2618 no CI data
pos_multiple_control OCA/pos [14.0] [mig] pos_multiple_control #677 no CI data
pricelist_brand OCA/brand [14.0][MIG] - migration pricelist brand to 14.0 #122 no CI data
pricelist_brand OCA/brand [14.0][MIG] pricelist_brand: Migration to 14.0 #312 no CI data
project_task_timesheet_report OCA/project-reporting [14.0] Migration of project_task_timesheet_report #45 no CI data
purchase_order_analytic_search OCA/purchase-workflow [14.0][MIG] purchase_order_analytic_search #1430 no CI data
purchase_order_no_zero_price OCA/purchase-workflow [MIG] purchase_order_no_zero_price: Migration to 14.0 #3017 no CI data
purchase_stock_cost_update OCA/purchase-workflow [MIG] purchase_stock_cost_update: Migration to 14.0 #3021 no CI data
sale_invoice_group_method-reopen OCA/sale-workflow [MIG] sale_invoice_group_method: Migration to 14.0 #4352 no CI data
sale_order_action_invoice_create_hook-reopen OCA/sale-workflow [MIG]sale_order_action_invoice_create_hook: migration to 14.0 #4353 no CI data
sale_stock_cancel_restriction OCA/sale-workflow [14.0][MIG] sale_stock_cancel_restriction #3644 no CI data
sale_timesheet_task_exclude OCA/timesheet [14.0] [mig] sale_timesheet_task_exclude #440 no CI data
stock_warehouse_security OCA/stock-logistics-warehouse [14.0][MIG] stock_warehouse_security #2602 no CI data
web_widget_char_switchcase OCA/web [14.0][MIG] web_widget_char_switchcase #3043 no CI data
website_field_autocomplete2 OCA/website [14.0] [MIG] website_field_autocomplete: Migration to 14.0 #1087 no CI data
website_sale_affiliate OCA/e-commerce [14.0][MIG] website_sale_affiliate: Migration to version 14.0 #874 no CI data

Security Findings

Errors 254

Module Code Message
account_avatax_exemption_base acl-global-write access_portal_res_partner_exemption — Access rule grants write/create on 'model_res_partner_exemption' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_update_charts_accounts — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_update_charts_accounts_account — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_account' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_tax_matching — Access rule grants write/create/unlink on 'model_wizard_tax_matching' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_fp_matching — Access rule grants write/create/unlink on 'model_wizard_fp_matching' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_account_matching — Access rule grants write/create/unlink on 'model_wizard_account_matching' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_update_charts_accounts_tax — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_tax' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_matching — Access rule grants write/create/unlink on 'model_wizard_matching' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_update_charts_accounts_fiscal_position — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_fiscal_position' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_account_groupo_matching — Access rule grants write/create/unlink on 'model_wizard_account_group_matching' to EVERY user (portal/public included): no group is set
account_chart_update acl-global-write access_wizard_update_charts_accounts_account_group — Access rule grants write/create/unlink on 'model_wizard_update_charts_accounts_account_group' to EVERY user (portal/public included): no group is set
attachment_db_by_checksum acl-public-write access_ir_attachment_portal — Access rule grants create on 'model_ir_attachment_content' to the portal/public group 'base.group_portal'
auth_totp_portal acl-public-write access_auth_totp_portal_wizard — Access rule grants write/create/unlink on 'auth_totp.model_auth_totp_wizard' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_comment_wizard — Access rule grants write/create/unlink on 'model_comment_wizard' to EVERY user (portal/public included): no group is set
base_tier_validation_forward acl-global-write access_tier_validation_forward_wizard — Access rule grants write/create/unlink on 'model_tier_validation_forward_wizard' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_line — Access rule grants write/create/unlink on 'model_bve_view_line' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
excel_import_export acl-global-write xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set
fieldservice_route acl-public-write access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal'
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
graphql_demo route-user-csrf-off /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
l10n_br_hr acl-global-write access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set
l10n_it_central_journal acl-global-write access_wizard_giornale_manager — Access rule grants write/create/unlink on 'l10n_it_central_journal.model_wizard_giornale' to EVERY user (portal/public included): no group is set
l10n_it_central_journal_reportlab acl-global-write access_wizard_giornale_reportlab_manager — Access rule grants write/create/unlink on 'l10n_it_central_journal_reportlab.model_wizard_giornale_reportlab' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_confirm_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_confirm_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_create_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_create_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_select_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_select_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_base_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_base_wizard' to EVERY user (portal/public included): no group is set
l10n_it_delivery_note acl-global-write access_stock_delivery_note_invoice_wizard_manager — Access rule grants write/create/unlink on 'l10n_it_delivery_note.model_stock_delivery_note_invoice_wizard' to EVERY user (portal/public included): no group is set
l10n_it_intrastat_statement acl-global-write acc_manager_account_intrastat_export_file — Access rule grants write/create/unlink on 'l10n_it_intrastat_statement.model_account_intrastat_export_file' to EVERY user (portal/public included): no group is set
l10n_it_sdi_channel acl-global-write access_wizard_fatturapa_send_to_sdi — Access rule grants write/create/unlink on 'model_wizard_fatturapa_send_to_sdi' to EVERY user (portal/public included): no group is set
l10n_ro_account_anaf_sync route-user-csrf-off /l10n_ro_account_anaf_sync/redirect_anaf/<int:anaf_config_id> — HTTP endpoint 'AccountANAFSyncWeb.redirect_anaf' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
l10n_ro_stock_account acl-global-write access_l10n_ro_stock_valuation_layer_tracking — Access rule grants write/create/unlink on 'model_l10n_ro_stock_valuation_layer_tracking' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_compose_message_portal — Access rule grants write/create on 'model_mail_compose_message' to the portal/public group 'base.group_portal'
partner_aging acl-global-write res_partner_aging_date — Access rule grants write/create/unlink on 'partner_aging.model_res_partner_aging_date' to EVERY user (portal/public included): no group is set
partner_autocomplete acl-public-write access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal'
payment acl-public-write payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal'
pms acl-public-write user_access_res_partner_portal — Access rule grants write/create/unlink on 'model_res_partner' to the portal/public group 'base.group_portal'
pms acl-public-write user_access_pms_precheckin_portal — Access rule grants write/create/unlink on 'model_pms_checkin_partner' to the portal/public group 'base.group_portal'
pms rule-public-bypass pms_folio_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass pms_reservation_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass pms_precheckin_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass res_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
pms rule-public-bypass res_checkin_partner_rule_portal — Record rule with an always-true domain grants portal/public users access to every record of its model
project_gtd acl-global-write access_project_timebox_empty_wizard — Access rule grants write/create/unlink on 'model_project_timebox_empty' to EVERY user (portal/public included): no group is set
project_gtd acl-global-write access_project_timebox_fill_plan_wizard — Access rule grants write/create/unlink on 'model_project_timebox_fill_plan' to EVERY user (portal/public included): no group is set
project_task_recurring_activity acl-global-write project_recurring_activity — Access rule grants write/create/unlink on 'model_recurring_activity' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_create_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_create_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_invoice_plan acl-global-write access_purchase_make_planned_invoice — Access rule grants write/create/unlink on 'model_purchase_make_planned_invoice' to EVERY user (portal/public included): no group is set
purchase_work_acceptance acl-global-write access_work_accepted_date_wizard — Access rule grants write/create/unlink on 'model_work_accepted_date_wizard' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_evaluation acl-global-write access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_invoice_plan acl-global-write access_select_work_acceptance_invoice_plan_wizard — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_wizard' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_invoice_plan acl-global-write access_select_work_acceptance_invoice_plan_qty — Access rule grants write/create/unlink on 'model_select_work_acceptance_invoice_plan_qty' to EVERY user (portal/public included): no group is set
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_create_invoice_plan — Access rule grants write/create/unlink on 'model_sale_create_invoice_plan' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_make_planned_invoice — Access rule grants write/create/unlink on 'model_sale_make_planned_invoice' to EVERY user (portal/public included): no group is set
sql_export acl-global-write access_sql_file_wizard — Access rule grants write/create on 'model_sql_file_wizard' to EVERY user (portal/public included): no group is set
storage_image_backend_migration acl-global-write access_storage_image_backend_migration_wizard — Access rule grants write/create/unlink on 'model_storage_image_backend_migration_wizard' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_base_automation_link_test — Access rule grants write/create/unlink on 'model_base_automation_link_test' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_base_automation_linked_test — Access rule grants write/create/unlink on 'model_base_automation_linked_test' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_test_base_automation_project — Access rule grants write/create/unlink on 'model_test_base_automation_project' to EVERY user (portal/public included): no group is set
test_base_automation acl-global-write access_test_base_automation_task — Access rule grants write/create/unlink on 'model_test_base_automation_task' to EVERY user (portal/public included): no group is set
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_convert acl-global-write access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_inherits_parent — Access rule grants write/create/unlink on 'model_export_inherits_parent' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_inherits_child — Access rule grants write/create/unlink on 'model_export_inherits_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_mail acl-global-write access_mail_performance_thread — Access rule grants write/create/unlink on 'model_mail_performance_thread' to EVERY user (portal/public included): no group is set
test_mail acl-public-write access_mail_test_container_portal — Access rule grants write on 'model_mail_test_container' to the portal/public group 'base.group_portal'
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_readonly — Access rule grants write/create/unlink on 'model_test_new_api_compute_readonly' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_readwrite — Access rule grants write/create/unlink on 'model_test_new_api_compute_readwrite' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_onchange_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_dynamic_depends — Access rule grants write/create/unlink on 'model_test_new_api_compute_dynamic_depends' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_unassigned — Access rule grants write/create/unlink on 'model_test_new_api_compute_unassigned' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_base — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_required — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_non_stored — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_non_stored' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_selection_required_for_write_override — Access rule grants write/create/unlink on 'model_test_new_api_model_selection_required_for_write_override' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_payment — Access rule grants write/create/unlink on 'model_test_new_api_payment' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_editable — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_editable_line — Access rule grants write/create/unlink on 'model_test_new_api_compute_editable_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate — Access rule grants write/create/unlink on 'model_test_populate' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate_category — Access rule grants write/create/unlink on 'model_test_populate_category' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_no_populat — Access rule grants write/create/unlink on 'model_test_no_populate' to EVERY user (portal/public included): no group is set
test_populate acl-global-write access_test_populate_inherit — Access rule grants write/create/unlink on 'model_test_populate_inherit' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_computed_binary — Access rule grants write/create/unlink on 'model_export_computed_binary' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
website route-user-csrf-off /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
website_crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 574

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_readonly — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_move_line_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account rule-group-bypass account_invoice_send_rule_group_invoice — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_avatax_exemption acl-global-read access_portal_exemption_code — Access rule grants read on 'account_avatax_oca.model_exemption_code' to every user (portal/public included): no group is set
account_avatax_exemption route-public-sudo /exemption/<int:exemption_id> — Unauthenticated endpoint 'Exemption.get_exemption' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_avatax_exemption_base acl-global-read access_portal_group_of_states — Access rule grants read on 'model_res_partner_group_state' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_line — Access rule grants read on 'model_res_partner_exemption_line' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_type — Access rule grants read on 'model_res_partner_exemption_type' to every user (portal/public included): no group is set
account_avatax_exemption_base acl-global-read access_portal_res_partner_exemption_business_type — Access rule grants read on 'model_res_partner_exemption_business_type' to every user (portal/public included): no group is set
account_brand acl-global-read res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set
account_cash_deposit acl-global-read cash_unit_read — Access rule grants read on 'model_cash_unit' to every user (portal/public included): no group is set
account_consolidation_oca acl-global-read access_company_consolidation_profile — Access rule grants read on 'model_company_consolidation_profile' to every user (portal/public included): no group is set
account_edi acl-global-read access_account_edi_format_readonly — Access rule grants read on 'model_account_edi_format' to every user (portal/public included): no group is set
account_edi acl-global-read access_account_edi_document_readonly — Access rule grants read on 'model_account_edi_document' to every user (portal/public included): no group is set
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
account_move_transfer_partner acl-global-write access_wizard_account_move_transfer_partner_all — Access rule grants write/create/unlink on 'model_wizard_account_move_transfer_partner' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
attachment_queue acl-global-read access_attachment_queue_user — Access rule grants read on 'model_attachment_queue' to every user (portal/public included): no group is set
auth_oauth route-public-sudo /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_oidc route-public-sudo /web/session/logout — Unauthenticated endpoint 'OpenIDLogout.logout' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oidc route-auth-none /web/session/logout — Endpoint 'OpenIDLogout.logout' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
base route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
base route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
base route-auth-none /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all
base_comment_template acl-global-read access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set
base_ebill_payment_contract acl-global-read access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_tier_validation_correction acl-global-read access_tier_correction_user — Access rule grants read on 'model_tier_correction' to every user (portal/public included): no group is set
base_tier_validation_correction acl-global-read access_tier_correction_item_user — Access rule grants read on 'model_tier_correction_item' to every user (portal/public included): no group is set
base_tier_validation_correction acl-global-read access_affected_tier_reviews — Access rule grants read on 'model_affected_tier_reviews' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
cooperator_website route-public-sudo /subscription/get_share_product — Unauthenticated endpoint 'WebsiteSubscription.get_share_product' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
cooperator_website route-public-sudo /subscription/subscribe_share — Unauthenticated endpoint 'WebsiteSubscription.share_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_phone rule-group-bypass all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
crowdfunding route-public-sudo /crowdfunding/<model('crowdfunding.challenge'):challenge>/pay — Unauthenticated endpoint 'Payment.crowdfunding_pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
document_page_portal rule-group-bypass knowledge_user_document_page_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
endpoint_route_handler acl-global-read access_endpoint_route_handler_tool_edit — Access rule grants read on 'model_endpoint_route_handler' to every user (portal/public included): no group is set
endpoint_route_handler acl-global-read access_endpoint_route_handler_edit — Access rule grants read on 'model_endpoint_route_handler_tool' to every user (portal/public included): no group is set
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_account_analytic rule-group-bypass analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_activity rule-group-bypass fsm_activity_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
github_connector acl-global-read access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance_rfid rule-group-bypass hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays_security rule-group-bypass hr_leave_report_rule_group_holiday_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
http_routing route-public-sudo /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hw_drivers route-auth-none /hw_proxy/hello — Endpoint 'ProxyController.hello' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/handshake — Endpoint 'ProxyController.handshake' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/status_json — Endpoint 'ProxyController.status_json' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/action — Endpoint 'DriverController.action' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/check_certificate — Public HTTP endpoint 'DriverController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/check_certificate — Endpoint 'DriverController.check_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/event — Endpoint 'DriverController.event' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/box/connect — Public HTTP endpoint 'DriverController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/box/connect — Endpoint 'DriverController.connect_box' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/download_logs — Public HTTP endpoint 'DriverController.download_logs' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/download_logs — Endpoint 'DriverController.download_logs' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /list_handlers — Public HTTP endpoint 'IoTboxHomepage.list_handlers' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /list_handlers — Endpoint 'IoTboxHomepage.list_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /load_iot_handlers — Endpoint 'IoTboxHomepage.load_iot_handlers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /handlers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_handlers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /handlers_clear — Endpoint 'IoTboxHomepage.clear_handlers_list' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_download_raspios — Endpoint 'IoTboxHomepage.perform_flashing_download_raspios' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_copy_raspios — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspios' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/visitor_leave_session — Unauthenticated endpoint 'LivechatController.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
iot_input_oca route-public-csrf-off /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_template_oca route-public-csrf-off /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_template_oca route-public-sudo /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_template_oca route-auth-none /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all
l10n_ar_afipws acl-global-read access_afipws_connection_user — Access rule grants read on 'model_afipws_connection' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set
l10n_br_website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'L10nBrWebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_br_website_sale route-public-sudo /l10n_br/zip_search_public — Unauthenticated endpoint 'L10nBrWebsiteSale.zip_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_eu_service acl-global-read access_l10n_eu_service_service_tax_rate_user — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_account_invoice_report — Access rule grants read on 'model_l10n_in_account_invoice_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_advances_payment_report — Access rule grants read on 'model_l10n_in_advances_payment_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_advances_payment_adjustment_report — Access rule grants read on 'model_l10n_in_advances_payment_adjustment_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_product_hsn_report — Access rule grants read on 'model_l10n_in_product_hsn_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_exempted_report — Access rule grants read on 'model_l10n_in_exempted_report' to every user (portal/public included): no group is set
l10n_it_account_tax_kind acl-global-read access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set
l10n_ro_account_anaf_sync route-public-csrf-off /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Public HTTP endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
l10n_ro_account_anaf_sync route-public-sudo /l10n_ro_account_anaf_sync/anaf_oauth/<int:anaf_config_id> — Unauthenticated endpoint 'AccountANAFSyncWeb.get_anaf_oauth_code' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-public-sudo /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_allow_portal_internal_note route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'PortalChatterExt.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_client_extension route-auth-none /mail_client_extension/auth/access_token — Endpoint 'MailClientExtensionController.auth_access_token' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-public-sudo /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mail_tracking_mailgun route-public-sudo /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking_mailgun route-auth-none /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all
mass acl-global-read access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/<int:mailing_id>/view — Unauthenticated endpoint 'MassMailController.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_subscription_email route-public-sudo /mail/mailing/contact/<int:res_id>/unsubscribe — Unauthenticated endpoint 'MassMailSubscriptionEmailController.mailing_contact_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
partner_stage acl-global-read access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set
password_security route-auth-none /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all
payment rule-group-bypass payment_transaction_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
payment rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
payment route-public-sudo /payment/process — Unauthenticated endpoint 'PaymentProcessing.payment_status_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/process/poll — Unauthenticated endpoint 'PaymentProcessing.payment_status_poll' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/confirm — Unauthenticated endpoint 'WebsitePayment.confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-csrf-off /payment/alipay/notify — Public HTTP endpoint 'AlipayController.alipay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-csrf-off /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-sudo /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_bacen_pix route-public-csrf-off /payment/bacenpix/feedback — Public HTTP endpoint 'PaymentController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_bacen_pix route-public-sudo /payment/bacenpix/feedback — Unauthenticated endpoint 'PaymentController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_bacen_pix route-public-sudo /webhook/<string:tx_reference> — Unauthenticated endpoint 'PaymentController.bacenpix_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-csrf-off /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Public HTTP endpoint 'OgoneController.ogone_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ingenico route-public-sudo /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-sudo /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-csrf-off /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ingenico route-public-sudo /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-sudo /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-csrf-off /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ingenico route-public-sudo /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_odoo_by_adyen route-public-sudo /payment/odoo_adyen/notification — Unauthenticated endpoint 'OdooByAdyenController.odoo_adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-csrf-off /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-csrf-off /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-csrf-off /payment/payulatam/response — Public HTTP endpoint 'PayuLatamController.payulatam_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-sudo /payment/payulatam/response — Unauthenticated endpoint 'PayuLatamController.payulatam_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-csrf-off /payment/payulatam/webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-sudo /payment/payulatam/webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payumoney route-public-csrf-off /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-csrf-off /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeController.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeController.stripe_s2s_process_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo /payment/stripe/s2s/process_payment_error — Unauthenticated endpoint 'StripeController.stripe_s2s_process_payment_error' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo /payment/stripe/webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-public-csrf-off /payment/transfer/feedback — Public HTTP endpoint 'TransferController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_transfer route-public-sudo /payment/transfer/feedback — Unauthenticated endpoint 'TransferController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pms route-public-sudo /folio/pay/<int:folio_id>/form_tx — Unauthenticated endpoint 'PortalFolio.folio_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pms route-public-sudo /my/folios, /my/folios/page/<int:page> — Unauthenticated endpoint 'PortalFolio.portal_my_folios' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pms route-public-sudo /my/reservations, /my/reservations/page/<int:page> — Unauthenticated endpoint 'PortalReservation.portal_my_reservations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pms route-public-csrf-off /my/folios/<int:folio_id>/reservations — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_folio' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pms route-public-csrf-off /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_reservation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pms route-public-sudo /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins — Unauthenticated endpoint 'PortalPrecheckin.portal_precheckin_reservation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pms route-public-csrf-off /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins/<int:checkin_partner_id> — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pms route-public-csrf-off /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins/<int:checkin_partner_id>/submit — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_submit' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pms route-public-sudo /my/folios/<int:folio_id>/reservations/<int:reservation_id>/checkins/<int:checkin_partner_id>/submit — Unauthenticated endpoint 'PortalPrecheckin.portal_precheckin_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pms route-public-csrf-off /my/folios/<int:folio_id>/invitations — Public HTTP endpoint 'PortalPrecheckin.portal_precheckin_invitation' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
pms route-public-sudo /my/precheckin/send_invitation — Unauthenticated endpoint 'PortalPrecheckin.portal_precheckin_folio_send_invitation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group
portal route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'PortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /web — Unauthenticated endpoint 'Home.web_client' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
pos_adyen route-public-sudo /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_adyen route-auth-none /pos_adyen/notification — Endpoint 'PosAdyenController.notification' uses auth="none": it runs with no user/session at all
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_brand_social_responsibility acl-global-read access_product_brand_tag_csr_public — Access rule grants read on 'model_product_brand_tag_csr' to every user (portal/public included): no group is set
product_brand_tag acl-global-read access_product_brand_tag_public — Access rule grants read on 'model_product_brand_tag' to every user (portal/public included): no group is set
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_state acl-global-read access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set
product_variant_configurator_manual_creation acl-global-write access_wizard_product_variant_configurator_manual_creation_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
product_variant_configurator_manual_creation acl-global-write access_wizard_product_variant_configurator_manual_creation_line_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
purchase_manual_delivery acl-global-write create_stock_picking_wizard_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
purchase_manual_delivery acl-global-write create_stock_picking_wizard_line_all — Access rule grants write/create/unlink on 'model_create_stock_picking_wizard_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
purchase_work_acceptance_evaluation acl-global-read access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
rating route-public-sudo /rate/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.action_open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
rating route-public-sudo /rate/<string:token>/submit_feedback — Unauthenticated endpoint 'Rating.action_submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
repair_picking_after_done acl-global-write access_repair_move_transfer_all — Access rule grants write/create/unlink on 'model_repair_move_transfer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
rma route-public-sudo /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale route-public-sudo /my/orders/<int:order_id>/transaction/ — Unauthenticated endpoint 'CustomerPortal.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale route-public-sudo /my/orders/<int:order_id>/transaction/token — Unauthenticated endpoint 'CustomerPortal.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_invoice_plan acl-global-read access_stock_scrap_sale_invoice_plan_ — Access rule grants read on 'stock.model_stock_scrap' to every user (portal/public included): no group is set
sale_manual_delivery acl-global-write access_manual_delivery_all — Access rule grants write/create/unlink on 'model_manual_delivery' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
sale_manual_delivery acl-global-write access_manual_delivery_line_all — Access rule grants write/create/unlink on 'model_manual_delivery_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
sale_purchase_requisition rule-group-bypass purchaseperson_purchase_requisition_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_purchase_requisition rule-group-bypass purchaseperson_purchase_requisition_line_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_purchase_requisition rule-group-bypass purchaseperson_purchase_order_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sales_team rule-group-bypass crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group
shopfloor_base acl-global-read access_shopfloor_app_users — Access rule grants read on 'model_shopfloor_app' to every user (portal/public included): no group is set
stay acl-global-read access_stay_date_label_user — Access rule grants read on 'model_stay_date_label' to every user (portal/public included): no group is set
stock_measuring_device_zippcube route-auth-none /stock/zippcube/<string:zippcube_device_name>/measurement — Endpoint 'ZippcubeController.measurement' uses auth="none": it runs with no user/session at all
stock_vertical_lift route-public-csrf-off /vertical-lift — Public HTTP endpoint 'VerticalLiftController.vertical_lift' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
stock_vertical_lift route-public-sudo /vertical-lift — Unauthenticated endpoint 'VerticalLiftController.vertical_lift' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
storage_file acl-global-read access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set
survey rule-group-bypass survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_answer_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey route-public-sudo /survey/get_background_image/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_get_background' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/get_question_image/<string:survey_token>/<string:answer_token>/<int:question_id>/<int:suggested_answer_id> — Unauthenticated endpoint 'Survey.survey_get_question_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_http route-public-csrf-off /test_http/upload_file — Public HTTP endpoint 'HttpTest.upload_file_retry' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
test_http route-auth-none /test_http/upload_file — Endpoint 'HttpTest.upload_file_retry' uses auth="none": it runs with no user/session at all
test_new_api acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
test_read_group acl-global-read access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_order — Access rule grants read on 'model_test_read_group_order' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_order_line — Access rule grants read on 'model_test_read_group_order_line' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_source_model — Access rule grants read on 'model_test_search_panel_source_model' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_category_target_model — Access rule grants read on 'model_test_search_panel_category_target_model' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_category_target_model_no_parent_name — Access rule grants read on 'model_test_search_panel_category_target_model_no_parent_name' to every user (portal/public included): no group is set
test_search_panel acl-global-read access_test_search_panel_filter_target_model — Access rule grants read on 'model_test_search_panel_filter_target_model' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set
test_website acl-global-read access_test_model — Access rule grants read on 'model_test_model' to every user (portal/public included): no group is set
upgrade_analysis acl-global-read access_upgrade_record — Access rule grants read on 'model_upgrade_record' to every user (portal/public included): no group is set
upgrade_analysis acl-global-read access_upgrade_attribute — Access rule grants read on 'model_upgrade_attribute' to every user (portal/public included): no group is set
vault route-public-sudo /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
vault_share route-public-sudo /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/qweb/<string:unique> — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/pivot/check_xlsxwriter — Endpoint 'TableExporter.check_xlsxwriter' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_editor route-public-sudo /web_editor/public_render_template — Unauthenticated endpoint 'Web_Editor.public_render_template' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_editor route-public-sudo /web_editor/shape/<module>/<path:filename> — Unauthenticated endpoint 'Web_Editor.shape' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_tour acl-global-read access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website route-public-sudo / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filters — Unauthenticated endpoint 'Website.get_dynamic_filter' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/snippet/filter_templates — Unauthenticated endpoint 'Website.get_dynamic_snippet_templates' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /google<string(length=16):key>.html — Unauthenticated endpoint 'Website.google_console_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/action/<path_or_xml_id_or_id>, /website/action/<path_or_xml_id_or_id>/<path:path> — Unauthenticated endpoint 'Website.actions_server' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_category_public — Access rule grants read on 'event.model_event_tag_category' to every user (portal/public included): no group is set
website_event acl-global-read access_event_tag_public — Access rule grants read on 'event.model_event_tag' to every user (portal/public included): no group is set
website_event acl-global-read access_website_event_menu_public — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set
website_event route-public-sudo /event, /event/page/<int:page>, /events, /events/page/<int:page> — Unauthenticated endpoint 'WebsiteEventController.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event'):event>/meeting_room_create — Unauthenticated endpoint 'WebsiteEventMeetController.create_meeting_room' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/active_langs — Unauthenticated endpoint 'WebsiteEventMeetController.active_langs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_meet route-public-sudo /event/<model('event.event', "[('community_menu', '=', True)]"):event>/meeting_room/<model("event.meeting.room","[('event_id','=',event.id)]"):meeting_room> — Unauthenticated endpoint 'WebsiteEventMeetController.event_meeting_room_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions rule-group-bypass ir_rule_event_question_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event_questions rule-group-bypass ir_rule_event_question_answer_event_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_event_track acl-global-read access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_event_track acl-global-read event_track_tag_category_access_public — Access rule grants read on 'model_event_track_tag_category' to every user (portal/public included): no group is set
website_event_track route-public-sudo /event/<model("event.event", "[('website_track', '=', True)]"):event>/track/<model("event.track", "[('event_id', '=', event.id)]"):track> — Unauthenticated endpoint 'EventTrackController.event_track_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'EventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_exhibitor route-public-sudo /event/<model("event.event", "[('exhibitor_menu', '=', True)]"):event>/exhibitor/<model("event.sponsor", "[('event_id', '=', event.id)]"):sponsor> — Unauthenticated endpoint 'ExhibitorController.event_exhibitor' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track_live route-public-sudo /event_track/get_track_suggestion — Unauthenticated endpoint 'EventTrackLiveController.get_next_track_suggestion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form route-public-csrf-off /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum rule-group-bypass website_forum_create_website_designer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/<model("forum.post", "[('forum_id','=',forum.id),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups — Unauthenticated endpoint 'MailGroup.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_no_crawler route-public-sudo /robots.txt — Unauthenticated endpoint 'Website.robots' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator acl-global-read access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set
website_oca_integrator acl-global-read access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set
website_oca_integrator route-public-sudo /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_product_configurator route-public-sudo /website_product_configurator/onchange — Unauthenticated endpoint 'ProductConfigWebsiteSale.onchange' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_product_configurator route-public-sudo /website_product_configurator/save_configuration — Unauthenticated endpoint 'ProductConfigWebsiteSale.save_configuration' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_product_configurator_mrp route-public-csrf-off /shop/cart/update — Public HTTP endpoint 'WebsiteProductConfigMrp.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_profile route-public-sudo /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_ribbon_public — Access rule grants read on 'website_sale.model_product_ribbon' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set
website_sale acl-global-read access_ecom_extra_fields_public — Access rule grants read on 'model_website_sale_extra_field' to every user (portal/public included): no group is set
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_charge_payment_fee route-public-sudo /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_comparison acl-global-read access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set
website_sale_delivery route-public-sudo /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_assortment route-public-sudo /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_minimal_price route-public-sudo /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock_list_preview route-public-sudo /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides rule-group-bypass rule_slide_channel_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_officer_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_resource_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides route-public-sudo /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<int:slide_id>/get_image — Unauthenticated endpoint 'WebsiteSlides.slide_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_post — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides_forum rule-group-bypass website_slides_forum_website_slides_officer_tag — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set
website_twitter route-public-sudo /website_twitter/get_favorites — Unauthenticated endpoint 'Twitter.get_tweets' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes

Active Pull Requests 6

0 fresh 0 rotting 0 rotten

Security Findings

Errors 186

Module Code Message
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
cms_delete_content_example acl-global-write access_cms_delete_content_example — Access rule grants write/create/unlink on 'model_cms_delete_content_example' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set
fieldservice_route acl-public-write access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal'
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
graphql_demo route-user-csrf-off /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
hr_expense_portal acl-public-write access_hr_expense_portal — Access rule grants write on 'hr_expense.model_hr_expense' to the portal/public group 'base.group_portal'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal'
partner_autocomplete acl-public-write access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal'
payment acl-public-write payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal'
purchase_invoice_plan acl-global-write access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set
rating acl-public-write access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public'
rating acl-public-write access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal'
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_parent — Access rule grants write/create/unlink on 'model_test_access_right_parent' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_a — Access rule grants write/create/unlink on 'model_tab_a' to EVERY user (portal/public included): no group is set
test_action_bindings acl-global-write access_tab_b — Access rule grants write/create/unlink on 'model_tab_b' to EVERY user (portal/public included): no group is set
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_convert acl-global-write access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit_line — Access rule grants write/create/unlink on 'model_test_unit_line' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_mail acl-global-write access_test_performance_mail — Access rule grants write/create/unlink on 'model_test_performance_mail' to EVERY user (portal/public included): no group is set
test_mail acl-public-write access_mail_test_portal — Access rule grants write on 'model_mail_test' to the portal/public group 'base.group_portal'
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line2 — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line2' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_protected — Access rule grants write/create/unlink on 'model_test_new_api_compute_protected' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive_tree — Access rule grants write/create/unlink on 'model_test_new_api_recursive_tree' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_onchange — Access rule grants write/create/unlink on 'model_test_new_api_compute_onchange' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many — Access rule grants write/create/unlink on 'model_test_new_api_one2many' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_one2many_line — Access rule grants write/create/unlink on 'model_test_new_api_one2many_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_req_m2o — Access rule grants write/create/unlink on 'model_test_new_api_req_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_selection — Access rule grants write/create/unlink on 'model_test_new_api_selection' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment — Access rule grants write/create/unlink on 'model_test_new_api_attachment' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_attachment_host — Access rule grants write/create/unlink on 'model_test_new_api_attachment_host' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_image — Access rule grants write/create/unlink on 'model_test_new_api_model_image' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_a — Access rule grants write/create/unlink on 'model_test_new_api_model_a' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_b — Access rule grants write/create/unlink on 'model_test_new_api_model_b' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child — Access rule grants write/create/unlink on 'model_test_new_api_model_child' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_nocheck — Access rule grants write/create/unlink on 'model_test_new_api_model_child_nocheck' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_display — Access rule grants write/create/unlink on 'model_test_new_api_display' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_active_field — Access rule grants write/create/unlink on 'model_test_new_api_model_active_field' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_many2one_reference — Access rule grants write/create/unlink on 'model_test_new_api_model_many2one_reference' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_inverse_m2o_ref — Access rule grants write/create/unlink on 'model_test_new_api_inverse_m2o_ref' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_binary — Access rule grants write/create/unlink on 'model_test_new_api_model_binary' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_child_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_child_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_parent_m2o — Access rule grants write/create/unlink on 'model_test_new_api_model_parent_m2o' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_order_line — Access rule grants write/create/unlink on 'model_test_new_api_monetary_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move — Access rule grants write/create/unlink on 'model_test_new_api_move' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_move_line — Access rule grants write/create/unlink on 'model_test_new_api_move_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order — Access rule grants write/create/unlink on 'model_test_new_api_order' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_order_line — Access rule grants write/create/unlink on 'model_test_new_api_order_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_parent — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_parent' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_model_shared_cache_compute_line — Access rule grants write/create/unlink on 'model_test_new_api_model_shared_cache_compute_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_container — Access rule grants write/create/unlink on 'model_test_new_api_compute_container' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_member — Access rule grants write/create/unlink on 'model_test_new_api_compute_member' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_left — Access rule grants write/create/unlink on 'model_test_new_api_trigger_left' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_middle — Access rule grants write/create/unlink on 'model_test_new_api_trigger_middle' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_trigger_right — Access rule grants write/create/unlink on 'model_test_new_api_trigger_right' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_bacon — Access rule grants write/create/unlink on 'model_test_performance_bacon' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_eggs — Access rule grants write/create/unlink on 'model_test_performance_eggs' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator — Access rule grants write/create/unlink on 'model_export_group_operator' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_group_operator_one2many — Access rule grants write/create/unlink on 'model_export_group_operator_one2many' to EVERY user (portal/public included): no group is set
test_xlsx_export acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
website route-user-csrf-off /website/reset_template — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
website_crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 511

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_brand acl-global-read res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_from_http_remote_user route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
auth_oauth route-public-sudo /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_oauth_autologin route-auth-none /auth/auto_login_redirect_link — Endpoint 'OAuthAutoLogin.auto_login_redirect_link' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/metadata — Public HTTP endpoint 'AuthSAMLController.saml_metadata' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/metadata — Unauthenticated endpoint 'AuthSAMLController.saml_metadata' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/metadata — Endpoint 'AuthSAMLController.saml_metadata' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
base route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
base route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
base route-auth-none /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all
base_automation acl-global-read access_base_automation — Access rule grants read on 'model_base_automation' to every user (portal/public included): no group is set
base_comment_template acl-global-read access_base_comment_template_user — Access rule grants read on 'model_base_comment_template' to every user (portal/public included): no group is set
base_ebill_payment_contract acl-global-read access_ebill_payment_contract_read — Access rule grants read on 'model_ebill_payment_contract' to every user (portal/public included): no group is set
base_gengo route-public-csrf-off /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_gengo route-public-sudo /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
connector_jira route-auth-none /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all
connector_jira route-auth-none /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_salesperson_planner rule-group-bypass all_salesperson_planner_visit_template — Record rule with an always-true domain bypasses every other record rule of its model for its group
delivery_local_pickup route-public-sudo /local_pickup/<int:picking_id> — Unauthenticated endpoint 'DeliveryLocalPickupController.public_local_pickup_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
dms route-public-sudo /my/dms/file/<int:dms_file_id>/download — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_file_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
document_page_portal rule-group-bypass knowledge_user_document_page_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
github_connector acl-global-read access_github_analysis_rule_reader — Access rule grants read on 'model_github_analysis_rule' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_analysis_rule_group_reader — Access rule grants read on 'model_github_analysis_rule_group' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_rule_info_report_reader — Access rule grants read on 'model_github_repository_branch_rule_info_report' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_rule_info_report_reader — Access rule grants read on 'model_odoo_module_version_rule_info_report' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_manifest_key_reader — Access rule grants read on 'model_odoo_manifest_key' to every user (portal/public included): no group is set
google_account route-auth-none /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance_rfid rule-group-bypass hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense rule-group-bypass ir_rule_hr_expense_sheet_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_base_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_holidays_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_resume_rule_employee_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_skills rule-group-bypass hr_skill_rule_hr_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
http_routing route-public-sudo /website/translations/<string:unique> — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hw_drivers route-auth-none /hw_drivers/action — Endpoint 'StatusController.action' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/check_certificate — Public HTTP endpoint 'StatusController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/check_certificate — Endpoint 'StatusController.check_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/event — Endpoint 'StatusController.event' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/box/connect — Public HTTP endpoint 'StatusController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/box/connect — Endpoint 'StatusController.connect_box' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scanner — Endpoint 'KeyboardUSBController.get_barcode' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/default_printer_action — Endpoint 'PrinterController.default_printer_action' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/scale_read — Endpoint 'ScaleReadOldRoute.scale_read' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/display_refresh — Endpoint 'DisplayController.display_refresh' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/customer_facing_display — Endpoint 'DisplayController.customer_facing_display' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/take_control — Endpoint 'DisplayController.take_control' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_proxy/test_ownership — Endpoint 'DisplayController.test_ownership' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/get_serialized_order, /point_of_sale/get_serialized_order/<string:display_identifier> — Endpoint 'DisplayController.get_serialized_order' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /point_of_sale/display, /point_of_sale/display/<string:display_identifier> — Endpoint 'DisplayController.display' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /list_drivers — Endpoint 'IoTboxHomepage.list_drivers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /load_drivers — Endpoint 'IoTboxHomepage.load_drivers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /drivers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_drivers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /drivers_clear — Endpoint 'IoTboxHomepage.clear_drivers_list' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal — Public HTTP endpoint 'IoTboxHomepage.six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal — Endpoint 'IoTboxHomepage.six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_add — Public HTTP endpoint 'IoTboxHomepage.add_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_add — Endpoint 'IoTboxHomepage.add_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /six_payment_terminal_clear — Public HTTP endpoint 'IoTboxHomepage.clear_six_payment_terminal' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /six_payment_terminal_clear — Endpoint 'IoTboxHomepage.clear_six_payment_terminal' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_download_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_download_raspbian' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_copy_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspbian' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/hello — Endpoint 'Proxy.hello' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/handshake — Endpoint 'Proxy.handshake' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/status — Endpoint 'Proxy.status_http' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/status_json — Endpoint 'Proxy.status_json' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/scan_item_success — Endpoint 'Proxy.scan_item_success' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/scan_item_error_unrecognized — Endpoint 'Proxy.scan_item_error_unrecognized' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/help_needed — Endpoint 'Proxy.help_needed' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/help_canceled — Endpoint 'Proxy.help_canceled' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_request — Endpoint 'Proxy.payment_request' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_status — Endpoint 'Proxy.payment_status' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_cancel — Endpoint 'Proxy.payment_cancel' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/transaction_start — Endpoint 'Proxy.transaction_start' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/transaction_end — Endpoint 'Proxy.transaction_end' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/cashier_mode_activated — Endpoint 'Proxy.cashier_mode_activated' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/cashier_mode_deactivated — Endpoint 'Proxy.cashier_mode_deactivated' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/open_cashbox — Endpoint 'Proxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/print_receipt — Endpoint 'Proxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/log — Endpoint 'Proxy.log' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/print_pdf_invoice — Endpoint 'Proxy.print_pdf_invoice' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/load_templates — Endpoint 'LivechatController.load_templates' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/get_session — Unauthenticated endpoint 'LivechatController.get_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/email_livechat_transcript — Unauthenticated endpoint 'LivechatController.email_livechat_transcript' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
iot_input_oca route-public-csrf-off /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<device_identification>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<device_identification>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<device_identification>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all
iot_input_oca route-public-csrf-off /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input_oca route-public-sudo /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input_oca route-auth-none /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_template_oca route-public-csrf-off /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_template_oca route-public-sudo /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_template_oca route-auth-none /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_eu_service acl-global-read access_l10n_eu_service_service_tax_rate_user — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_account_invoice_report — Access rule grants read on 'model_l10n_in_account_invoice_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_advances_payment_report — Access rule grants read on 'model_l10n_in_advances_payment_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_advances_payment_adjustment_report — Access rule grants read on 'model_l10n_in_advances_payment_adjustment_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_product_hsn_report — Access rule grants read on 'model_l10n_in_product_hsn_report' to every user (portal/public included): no group is set
l10n_in acl-global-read access_l10n_in_exempted_report — Access rule grants read on 'model_l10n_in_exempted_report' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-public-sudo /r/<string:code> — Unauthenticated endpoint 'LinkTracker.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail acl-global-write access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-public-csrf-off /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-public-sudo /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Unauthenticated endpoint 'MailTrackingController.mail_tracking_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mail_tracking_mailgun route-public-sudo /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking_mailgun route-auth-none /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /r/<string:code>/m/<int:mailing_trace_id> — Unauthenticated endpoint 'MassMailController.full_url_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /sms/<int:mailing_id>/unsubscribe/<string:trace_code> — Unauthenticated endpoint 'MailingSMSController.blacklist_number' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing_sms route-public-sudo /r/<string:code>/s/<int:sms_sms_id> — Unauthenticated endpoint 'MailingSMSController.sms_short_link_redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
partner_stage acl-global-read access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set
password_security route-auth-none /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all
payment route-public-sudo /payment/process — Unauthenticated endpoint 'PaymentProcessing.payment_status_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/process/poll — Unauthenticated endpoint 'PaymentProcessing.payment_status_poll' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference>/<int:partner_id> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/confirm — Unauthenticated endpoint 'WebsitePayment.confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_alipay route-public-csrf-off /payment/alipay/notify — Public HTTP endpoint 'AlipayController.alipay_notify' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-csrf-off /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-sudo /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-csrf-off /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Public HTTP endpoint 'OgoneController.ogone_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ingenico route-public-sudo /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-sudo /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-csrf-off /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ingenico route-public-sudo /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-sudo /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ingenico route-public-csrf-off /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ingenico route-public-sudo /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_paypal route-public-csrf-off /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-csrf-off /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-public-csrf-off /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-csrf-off /payment/payulatam/response — Public HTTP endpoint 'PayuLatamController.payulatam_response' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-sudo /payment/payulatam/response — Unauthenticated endpoint 'PayuLatamController.payulatam_response' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payulatam route-public-csrf-off /payment/payulatam/webhook — Public HTTP endpoint 'PayuLatamController.payulatam_webhook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payulatam route-public-sudo /payment/payulatam/webhook — Unauthenticated endpoint 'PayuLatamController.payulatam_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_payumoney route-public-csrf-off /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-public-csrf-off /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_stripe route-public-sudo /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeController.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe route-public-sudo /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeController.stripe_s2s_process_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_checkout_webhook route-public-sudo /payment/stripe/webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-public-csrf-off /payment/transfer/feedback — Public HTTP endpoint 'TransferController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_transfer route-public-sudo /payment/transfer/feedback — Unauthenticated endpoint 'TransferController.transfer_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-public-sudo /web — Unauthenticated endpoint 'Home.web_client' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
portal route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
pos_adyen route-public-sudo /pos_adyen/notification — Unauthenticated endpoint 'PosAdyenController.notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
pos_adyen route-auth-none /pos_adyen/notification — Endpoint 'PosAdyenController.notification' uses auth="none": it runs with no user/session at all
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_state acl-global-read access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set
product_variant_configurator_manual_creation acl-global-write access_wizard_product_variant_configurator_manual_creation_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
product_variant_configurator_manual_creation acl-global-write access_wizard_product_variant_configurator_manual_creation_line_all — Access rule grants write/create/unlink on 'model_wizard_product_variant_configurator_manual_creation_line' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
project route-public-sudo /project/rating — Unauthenticated endpoint 'RatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
project route-public-sudo /project/rating/<int:project_id> — Unauthenticated endpoint 'RatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
quality_control_oca acl-global-read access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'model_qc_trigger_product_template_line' to every user (portal/public included): no group is set
quality_control_oca acl-global-read access_manager_qc_trigger_product_line_user — Access rule grants read on 'model_qc_trigger_product_line' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
rating route-public-sudo /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
rating route-public-sudo /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
report_substitute acl-global-read action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set
rma route-public-sudo /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
role_policy acl-global-read access_view_modifier_rule_group_user — Access rule grants read on 'model_view_modifier_rule' to every user (portal/public included): no group is set
role_policy acl-global-read access_view_type_attribute_group_user — Access rule grants read on 'model_view_type_attribute' to every user (portal/public included): no group is set
role_policy acl-global-read access_view_model_operation_group_user — Access rule grants read on 'model_view_model_operation' to every user (portal/public included): no group is set
role_policy acl-global-read access_model_method_execution_right_group_user — Access rule grants read on 'model_model_method_execution_right' to every user (portal/public included): no group is set
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale route-public-sudo /my/orders/<int:order_id>/transaction/ — Unauthenticated endpoint 'CustomerPortal.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale route-public-sudo /my/orders/<int:order_id>/transaction/token — Unauthenticated endpoint 'CustomerPortal.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_coupon_selection_wizard route-public-sudo /sale_coupon_selection_wizard/configure — Unauthenticated endpoint 'CouponSelectionWizardController.configure_promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_payment_mgmt rule-group-bypass account_payment_group_group_account_invoice_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_stock route-public-sudo /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sales_team rule-group-bypass crm_rule_all_salesteam — Record rule with an always-true domain bypasses every other record rule of its model for its group
stock_measuring_device_zippcube route-auth-none /stock/zippcube/<string:zippcube_device_name>/measurement — Endpoint 'ZippcubeController.measurement' uses auth="none": it runs with no user/session at all
stock_vertical_lift route-public-csrf-off /vertical-lift — Public HTTP endpoint 'VerticalLiftController.vertical_lift' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
stock_vertical_lift route-public-sudo /vertical-lift — Unauthenticated endpoint 'VerticalLiftController.vertical_lift' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
storage_file acl-global-read access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set
survey rule-group-bypass survey_survey_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_question_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_label_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey rule-group-bypass survey_user_input_line_rule_survey_user_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey route-public-sudo /survey/page/<string:survey_token>/<string:answer_token>/<int:page_id> — Unauthenticated endpoint 'Survey.survey_change_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/submit/<string:survey_token>/<string:answer_token> — Unauthenticated endpoint 'Survey.survey_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_new_api acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
test_read_group acl-global-read access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set
vault route-public-sudo /vault/inbox/<string:token> — Unauthenticated endpoint 'Controller.vault_inbox' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
vault_share route-public-sudo /vault/share/<string:token> — Unauthenticated endpoint 'Controller.vault_share' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/dbredirect — Endpoint 'Home.web_db_redirect' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/qweb/<string:unique> — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations/<string:unique> — Unauthenticated endpoint 'WebClient.translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_editor route-public-sudo /web_editor/public_render_template — Unauthenticated endpoint 'Web_Editor.public_render_template' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
web_tour acl-global-read access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_website_page — Access rule grants read on 'model_website_page' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website route-public-sudo / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_apps_store route-public-sudo /shop/download_product_zip/<model("product.template"):product_tmpl>/<model("product.product"):product>/<string:google_captcha>, /shop/download_product_zip/<model("product.template"):product_tmpl>/<string:google_captcha> — Unauthenticated endpoint 'WebsiteSaleCustom.download_product_zip' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_blog route-public-sudo /blog/<model("blog.blog", "[('website_id', 'in', (False, current_website_id))]"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog route-public-sudo /blog/<int:blog_id>/post/new — Unauthenticated endpoint 'WebsiteBlog.blog_post_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm route-public-sudo /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set
website_event route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions acl-global-write event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
website_event_sale acl-global-read access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_event_track acl-global-read access_website_event_menu_public — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set
website_event_track route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form route-public-csrf-off /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_form route-public-sudo /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form_recaptcha route-public-sudo /website/recaptcha/ — Unauthenticated endpoint 'WebsiteForm.recaptcha_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form_recaptcha route-public-sudo /website/recaptcha/form_enabled/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.has_website_form_access' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum route-public-sudo /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat route-public-sudo /im_livechat/visitor_leave_session — Unauthenticated endpoint 'WebsiteLivechat.visitor_leave_session' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat route-public-sudo /im_livechat/close_empty_livechat — Unauthenticated endpoint 'WebsiteLivechat.close_empty_livechat' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups — Unauthenticated endpoint 'MailGroup.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator acl-global-read access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set
website_oca_integrator acl-global-read access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set
website_oca_integrator route-public-sudo /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/avatar/<int:user_id> — Unauthenticated endpoint 'WebsiteProfile.get_user_profile_avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/ranks_badges — Unauthenticated endpoint 'WebsiteProfile.view_ranks_badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/users, /profile/users/page/<int:page> — Unauthenticated endpoint 'WebsiteProfile.view_all_users_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_profile route-public-sudo /profile/validate_email — Unauthenticated endpoint 'WebsiteProfile.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-csrf-off /shop/cart/update — Public HTTP endpoint 'WebsiteSale.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/products/recently_viewed_delete — Unauthenticated endpoint 'WebsiteSale.products_recently_viewed_delete' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_comparison acl-global-read access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set
website_sale_coupon_page route-public-sudo /promotions — Unauthenticated endpoint 'WebsiteSale.promotion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_coupon_selection_wizard route-public-sudo /promotions/<int:program_id>/apply — Unauthenticated endpoint 'WebsiteSaleCouponWizard.promotion_program_apply' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_delivery route-public-sudo /shop/carrier_rate_shipment — Unauthenticated endpoint 'WebsiteSaleDelivery.cart_carrier_rate_shipment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_assortment route-public-sudo /sale/get_info_assortment_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_info_assortment_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_minimal_price route-public-sudo /sale/get_combination_info_minimal_price — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_minimal_price' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_resource_booking route-public-sudo /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock_list_preview route-public-sudo /sale/get_combination_info_stock_preview — Unauthenticated endpoint 'WebsiteSaleVariantController.get_combination_info_stock_preview' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides rule-group-bypass rule_slide_channel_website — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides rule-group-bypass rule_slide_slide_website — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_slides route-public-sudo /slides — Unauthenticated endpoint 'WebsiteSlides.slides_channel_home' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/<model("slide.channel"):channel>, /slides/<model("slide.channel"):channel>/page/<int:page>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>, /slides/<model("slide.channel"):channel>/tag/<model("slide.tag"):tag>/page/<int:page>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>, /slides/<model("slide.channel"):channel>/category/<model("slide.slide"):category>/page/<int:page> — Unauthenticated endpoint 'WebsiteSlides.channel' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/channel/join — Unauthenticated endpoint 'WebsiteSlides.slide_channel_join' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide", "[('website_id', 'in', (False, current_website_id))]"):slide> — Unauthenticated endpoint 'WebsiteSlides.slide_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<int:slide_id>/get_image — Unauthenticated endpoint 'WebsiteSlides.slide_get_image' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/like — Unauthenticated endpoint 'WebsiteSlides.slide_like' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/quiz/submit — Unauthenticated endpoint 'WebsiteSlides.slide_quiz_submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /mail/chatter_post — Unauthenticated endpoint 'SlidesPortalChatter.portal_chatter_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set

Active Pull Requests 7

0 fresh 0 rotting 0 rotten

Security Findings

Errors 155

Module Code Message
auth_u2f acl-public-write access_u2f_device_portal — Access rule grants write/create/unlink on 'model_u2f_device' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base_custom_info acl-global-write access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_line — Access rule grants write/create/unlink on 'model_bve_view_line' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
document_url acl-global-write access_ir_attachment_add_url — Access rule grants write/create/unlink on 'model_ir_attachment_add_url' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_user — Access rule grants write/create/unlink on 'model_xlsx_template' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_export_user — Access rule grants write/create/unlink on 'model_xlsx_template_export' to EVERY user (portal/public included): no group is set
excel_import_export acl-global-write xlsx_template_import_user — Access rule grants write/create/unlink on 'model_xlsx_template_import' to EVERY user (portal/public included): no group is set
fieldservice acl-public-write access_fsm_order_portal — Access rule grants write on 'model_fsm_order' to the portal/public group 'base.group_portal'
fieldservice_route acl-public-write access_fsm_route_dayroute_portal — Access rule grants write/create on 'model_fsm_route_dayroute' to the portal/public group 'base.group_portal'
fieldservice_stock acl-public-write access_stock_move_portal — Access rule grants write on 'stock.model_stock_move' to the portal/public group 'base.group_portal'
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
graphql_demo route-user-csrf-off /graphql/demo — HTTP endpoint 'GraphQLController.graphql' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
l10n_br_hr acl-global-write access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set
l10n_cl_sii_activity acl-global-write edit_sii_activity_manager — Access rule grants write/create/unlink on 'model_sii_activity' to EVERY user (portal/public included): no group is set
l10n_th_vendor_tax_invoice acl-global-write access_account_payment_tax — Access rule grants write/create/unlink on 'model_account_payment_tax' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal'
partner_autocomplete acl-public-write access_partner_autocomplete_sync_portal — Access rule grants create on 'model_res_partner_autocomplete_sync' to the portal/public group 'base.group_portal'
payment acl-public-write payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal'
purchase_invoice_plan acl-global-write access_purchase_invoice_plan — Access rule grants write/create/unlink on 'model_purchase_invoice_plan' to EVERY user (portal/public included): no group is set
purchase_work_acceptance_evaluation acl-global-write access_work_acceptance_evaluation_result — Access rule grants write/create/unlink on 'model_work_acceptance_evaluation_result' to EVERY user (portal/public included): no group is set
rating acl-public-write access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public'
rating acl-public-write access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal'
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
sale_invoice_plan acl-global-write access_sale_invoice_plan — Access rule grants write/create/unlink on 'model_sale_invoice_plan' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_convert acl-global-write access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str — Access rule grants write/create/unlink on 'model_export_m2o_str' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_m2o_str_child — Access rule grants write/create/unlink on 'model_export_m2o_str_child' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_unit — Access rule grants write/create/unlink on 'model_test_another_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_another_box — Access rule grants write/create/unlink on 'model_test_another_box' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_mail acl-global-write access_test_performance_mail — Access rule grants write/create/unlink on 'model_test_performance_mail' to EVERY user (portal/public included): no group is set
test_mail acl-public-write access_mail_test_portal — Access rule grants write on 'model_mail_test' to the portal/public group 'base.group_portal'
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_protected — Access rule grants write/create/unlink on 'model_test_new_api_compute_protected' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_multi_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_multi_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_binary_svg — Access rule grants write/create/unlink on 'model_test_new_api_binary_svg' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_base — Access rule grants write/create/unlink on 'model_test_new_api_monetary_base' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_related — Access rule grants write/create/unlink on 'model_test_new_api_monetary_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_custom — Access rule grants write/create/unlink on 'model_test_new_api_monetary_custom' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_monetary_inherits — Access rule grants write/create/unlink on 'model_test_new_api_monetary_inherits' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_field_with_caps — Access rule grants write/create/unlink on 'model_test_new_api_field_with_caps' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_model_test_testing_utilities_onchange_count — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_test_testing_utilities_onchange_count_sub — Access rule grants write/create/unlink on 'model_test_testing_utilities_onchange_count_sub' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_parent — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_parent' to EVERY user (portal/public included): no group is set
test_testing_utilities acl-global-write access_o2m_readonly_subfield_child — Access rule grants write/create/unlink on 'model_o2m_readonly_subfield_child' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web acl-global-write access_report_layout — Access rule grants write/create/unlink on 'model_report_layout' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
website route-user-csrf-off /website/reset_templates — HTTP endpoint 'Website.reset_template' disables CSRF protection while requiring an authenticated session: a malicious page can act on behalf of the logged-in user
website_crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_portal_contact acl-public-write access_partners — Access rule grants write/create on 'base.model_res_partner' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 522

Module Code Message
account rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_bill_line_distribution rule-group-bypass res_company_accounting_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_brand acl-global-read res_partner_account_brand_access — Access rule grants read on 'model_res_partner_account_brand' to every user (portal/public included): no group is set
account_consolidation acl-global-read access_company_consolidation_profile — Access rule grants read on 'model_company_consolidation_profile' to every user (portal/public included): no group is set
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
account_move_multi_company rule-group-bypass res_company_accounting_billing_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
attachment_queue acl-global-read access_attachment_queue_user — Access rule grants read on 'model_attachment_queue' to every user (portal/public included): no group is set
auth_from_http_remote_user route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
auth_oauth route-public-sudo /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-public-sudo /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-auth-none /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all
auth_u2f route-public-sudo /web/u2f/login — Unauthenticated endpoint 'AuthU2FController.u2f_login' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_u2f route-auth-none /web/u2f/login — Endpoint 'AuthU2FController.u2f_login' uses auth="none": it runs with no user/session at all
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
base route-public-csrf-off /xmlrpc/<service> — Public HTTP endpoint 'RPC.xmlrpc_1' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/<service> — Endpoint 'RPC.xmlrpc_1' uses auth="none": it runs with no user/session at all
base route-public-csrf-off /xmlrpc/2/<service> — Public HTTP endpoint 'RPC.xmlrpc_2' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base route-auth-none /xmlrpc/2/<service> — Endpoint 'RPC.xmlrpc_2' uses auth="none": it runs with no user/session at all
base route-auth-none /jsonrpc — Endpoint 'RPC.jsonrpc' uses auth="none": it runs with no user/session at all
base_automation acl-global-read access_base_automation — Access rule grants read on 'model_base_automation' to every user (portal/public included): no group is set
base_gengo route-public-csrf-off /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_gengo route-public-sudo /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
base_gengo route-auth-none /website/gengo_callback — Endpoint 'website_gengo.gengo_callback' uses auth="none": it runs with no user/session at all
base_import_module route-public-csrf-off /base_import_module/login_upload — Public HTTP endpoint 'ImportModule.login_upload' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login_upload — Endpoint 'ImportModule.login_upload' uses auth="none": it runs with no user/session at all
base_sms_client acl-global-read access_sms_gateway_global — Access rule grants read on 'model_sms_gateway' to every user (portal/public included): no group is set
base_sms_client acl-global-read access_sms_sms_global — Access rule grants read on 'model_sms_sms' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
connector_jira route-auth-none /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all
connector_jira route-auth-none /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all
connector_jira_tempo_project_role route-auth-none /connector_jira/assignments — Endpoint 'ProjectAssignmentTempo.get_assignments' uses auth="none": it runs with no user/session at all
cooperator_website route-public-sudo /subscription/get_share_product — Unauthenticated endpoint 'WebsiteSubscription.get_share_product' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
cooperator_website route-public-sudo /subscription/subscribe_share — Unauthenticated endpoint 'WebsiteSubscription.share_subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_phone rule-group-bypass all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
decimal_precision acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
delivery_carrier_label_paazl route-public-sudo /_paazl/push_api/v1 — Unauthenticated endpoint 'PaazlController.push_api' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
delivery_carrier_label_paazl route-auth-none /_paazl/push_api/v1 — Endpoint 'PaazlController.push_api' uses auth="none": it runs with no user/session at all
dms route-public-sudo /my/dms/directory/<int:dms_directory_id> — Unauthenticated endpoint 'CustomerPortal.portal_my_dms_directory' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
document_page_portal rule-group-bypass knowledge_user_document_page_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
fieldservice rule-group-bypass fsm_order_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
fieldservice_account_analytic rule-group-bypass analytic_account_fsm_dispatcher — Record rule with an always-true domain bypasses every other record rule of its model for its group
github_connector acl-global-read access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set
google_account route-auth-none /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all
helpdesk_mgmt rule-group-bypass helpdesk_ticket_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance_rfid rule-group-bypass hr_attendance_rfid_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_employee_ppe rule-group-bypass hr_employee_ppe_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass hr_leave_allocation_rule_officer_read — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays_accrual_advanced rule-group-bypass hr_leave_allocation_accruement_rule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_request_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_personal_equipment_request rule-group-bypass personal_equipment_all_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
http_routing route-public-sudo /website/translations — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hw_blackbox_be route-auth-none /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all
hw_blackbox_be route-auth-none /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/action — Endpoint 'StatusController.action' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/check_certificate — Public HTTP endpoint 'StatusController.check_certificate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/check_certificate — Endpoint 'StatusController.check_certificate' uses auth="none": it runs with no user/session at all
hw_drivers route-auth-none /hw_drivers/event — Endpoint 'StatusController.event' uses auth="none": it runs with no user/session at all
hw_drivers route-public-csrf-off /hw_drivers/box/connect — Public HTTP endpoint 'StatusController.connect_box' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_drivers route-auth-none /hw_drivers/box/connect — Endpoint 'StatusController.connect_box' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'IoTboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /list_drivers — Endpoint 'IoTboxHomepage.list_drivers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /load_drivers — Endpoint 'IoTboxHomepage.load_drivers' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /list_credential — Endpoint 'IoTboxHomepage.list_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /save_credential — Public HTTP endpoint 'IoTboxHomepage.save_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /save_credential — Endpoint 'IoTboxHomepage.save_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /clear_credential — Public HTTP endpoint 'IoTboxHomepage.clear_credential' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /clear_credential — Endpoint 'IoTboxHomepage.clear_credential' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'IoTboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'IoTboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_clear — Public HTTP endpoint 'IoTboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'IoTboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_clear — Public HTTP endpoint 'IoTboxHomepage.clear_server_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_clear — Endpoint 'IoTboxHomepage.clear_server_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /drivers_clear — Public HTTP endpoint 'IoTboxHomepage.clear_drivers_list' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /drivers_clear — Endpoint 'IoTboxHomepage.clear_drivers_list' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /server_connect — Public HTTP endpoint 'IoTboxHomepage.connect_to_server' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /server_connect — Endpoint 'IoTboxHomepage.connect_to_server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /steps — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure_page' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /steps — Endpoint 'IoTboxHomepage.step_by_step_configure_page' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /step_configure — Public HTTP endpoint 'IoTboxHomepage.step_by_step_configure' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /step_configure — Endpoint 'IoTboxHomepage.step_by_step_configure' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /server — Endpoint 'IoTboxHomepage.server' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'IoTboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /enable_ngrok — Public HTTP endpoint 'IoTboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'IoTboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/upgrade — Endpoint 'IoTboxHomepage.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_upgrade — Endpoint 'IoTboxHomepage.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/get_version — Endpoint 'IoTboxHomepage.check_version' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_create_partition — Endpoint 'IoTboxHomepage.perform_flashing_create_partition' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_download_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_download_raspbian' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /hw_proxy/perform_flashing_copy_raspbian — Endpoint 'IoTboxHomepage.perform_flashing_copy_raspbian' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/hello — Endpoint 'Proxy.hello' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/handshake — Endpoint 'Proxy.handshake' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/status — Endpoint 'Proxy.status_http' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/status_json — Endpoint 'Proxy.status_json' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/scan_item_success — Endpoint 'Proxy.scan_item_success' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/scan_item_error_unrecognized — Endpoint 'Proxy.scan_item_error_unrecognized' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/help_needed — Endpoint 'Proxy.help_needed' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/help_canceled — Endpoint 'Proxy.help_canceled' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_request — Endpoint 'Proxy.payment_request' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_status — Endpoint 'Proxy.payment_status' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_cancel — Endpoint 'Proxy.payment_cancel' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/transaction_start — Endpoint 'Proxy.transaction_start' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/transaction_end — Endpoint 'Proxy.transaction_end' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/cashier_mode_activated — Endpoint 'Proxy.cashier_mode_activated' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/cashier_mode_deactivated — Endpoint 'Proxy.cashier_mode_deactivated' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/open_cashbox — Endpoint 'Proxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/print_receipt — Endpoint 'Proxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/log — Endpoint 'Proxy.log' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/print_pdf_invoice — Endpoint 'Proxy.print_pdf_invoice' uses auth="none": it runs with no user/session at all
hw_telium_payment_terminal route-auth-none /hw_proxy/payment_terminal_transaction_start — Endpoint 'TeliumPaymentTerminalProxy.payment_terminal_transaction_start' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/notify_typing — Unauthenticated endpoint 'LivechatController.notify_typing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
iot_input route-public-csrf-off /iot/<serial>/action — Public HTTP endpoint 'CallIot.call_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input route-public-sudo /iot/<serial>/action — Unauthenticated endpoint 'CallIot.call_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input route-auth-none /iot/<serial>/action — Endpoint 'CallIot.call_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_input route-public-csrf-off /iot/<device_identification>/multi_input — Public HTTP endpoint 'CallIot.call_unauthorized_iot_multi_input' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input route-public-sudo /iot/<device_identification>/multi_input — Unauthenticated endpoint 'CallIot.call_unauthorized_iot_multi_input' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input route-auth-none /iot/<device_identification>/multi_input — Endpoint 'CallIot.call_unauthorized_iot_multi_input' uses auth="none": it runs with no user/session at all
iot_input route-public-csrf-off /iot/<serial>/check — Public HTTP endpoint 'CallIot.check_unauthorized_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_input route-public-sudo /iot/<serial>/check — Unauthenticated endpoint 'CallIot.check_unauthorized_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_input route-auth-none /iot/<serial>/check — Endpoint 'CallIot.check_unauthorized_iot' uses auth="none": it runs with no user/session at all
iot_template_oca route-public-csrf-off /iot/<serial>/configure — Public HTTP endpoint 'CallIot.configure_iot' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
iot_template_oca route-public-sudo /iot/<serial>/configure — Unauthenticated endpoint 'CallIot.configure_iot' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
iot_template_oca route-auth-none /iot/<serial>/configure — Endpoint 'CallIot.configure_iot' uses auth="none": it runs with no user/session at all
l10n_br_hr acl-global-read access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set
l10n_br_website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'L10nBrWebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_br_website_sale route-public-sudo /l10n_br/zip_search_public — Unauthenticated endpoint 'L10nBrWebsiteSale.zip_search' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_cl_sii_activity acl-global-read access_sii_activity_user — Access rule grants read on 'model_sii_activity' to every user (portal/public included): no group is set
l10n_cl_sii_folio acl-global-read access_journal_document_user — Access rule grants read on 'model_account_journal_document' to every user (portal/public included): no group is set
l10n_cl_sii_reference acl-global-read access_sii_responsibility_user — Access rule grants read on 'model_sii_responsibility' to every user (portal/public included): no group is set
l10n_cl_sii_reference acl-global-read access_sii_document_type_user — Access rule grants read on 'model_sii_document_type' to every user (portal/public included): no group is set
l10n_cl_sii_reference acl-global-read access_sii_concept_type_user — Access rule grants read on 'model_sii_concept_type' to every user (portal/public included): no group is set
l10n_cl_sii_reference acl-global-read access_sii_document_class_user — Access rule grants read on 'model_sii_document_class' to every user (portal/public included): no group is set
l10n_cl_sii_reference acl-global-read access_sii_document_letter_user — Access rule grants read on 'model_sii_document_letter' to every user (portal/public included): no group is set
l10n_cl_sii_reference acl-global-read access_sii_optional_type_user — Access rule grants read on 'model_sii_optional_type' to every user (portal/public included): no group is set
l10n_cl_sii_reference acl-global-read access_sii_reference_user — Access rule grants read on 'model_sii_reference' to every user (portal/public included): no group is set
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_kmd_inf — Access rule grants read on 'model_l10n_ee_reporting_kmd_inf' to every user (portal/public included): no group is set
l10n_ee_reporting acl-global-read access_l10n_ee_reporting_vies_declaration — Access rule grants read on 'model_l10n_ee_reporting_vies_declaration' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_eu_service acl-global-read access_l10n_eu_service_service_tax_rate_user — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set
l10n_it_account_tax_kind acl-global-read access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set
l10n_nl_country_states acl-global-read access_res_country_state_nl_zip — Access rule grants read on 'model_res_country_state_nl_zip' to every user (portal/public included): no group is set
l10n_th_account_report acl-global-read access_account_vat_report — Access rule grants read on 'model_account_vat_report' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-auth-none /r/<string:code> — Endpoint 'LinkTracker.full_url_redirect' uses auth="none": it runs with no user/session at all
mail acl-global-write access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/all/<string:db>, /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif, /mail/tracking/open/<string:db>/<int:tracking_email_id>/<string:token>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mail_tracking_mailgun route-public-sudo /mail/tracking/mailgun/all — Unauthenticated endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail_tracking_mailgun route-auth-none /mail/tracking/mailgun/all — Endpoint 'MailTrackingController.mail_tracking_mailgun_webhook' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all
mass_mailing route-auth-none /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mailing/blacklist/check — Unauthenticated endpoint 'MassMailController.blacklist_check' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mailing/blacklist/check — Endpoint 'MassMailController.blacklist_check' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mailing/blacklist/add — Unauthenticated endpoint 'MassMailController.blacklist_add' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mailing/blacklist/add — Endpoint 'MassMailController.blacklist_add' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mailing/blacklist/remove — Unauthenticated endpoint 'MassMailController.blacklist_remove' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mailing/blacklist/remove — Endpoint 'MassMailController.blacklist_remove' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mailing/feedback — Unauthenticated endpoint 'MassMailController.send_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mailing/feedback — Endpoint 'MassMailController.send_feedback' uses auth="none": it runs with no user/session at all
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
partner_multi_relation_tabs acl-global-read read_res_partner_tab — Access rule grants read on 'model_res_partner_tab' to every user (portal/public included): no group is set
partner_stage acl-global-read access_partner_stage_read — Access rule grants read on 'model_res_partner_stage' to every user (portal/public included): no group is set
password_security route-auth-none /password_security/estimate — Endpoint 'PasswordSecurityHome.estimate' uses auth="none": it runs with no user/session at all
payment route-public-sudo /payment/process — Unauthenticated endpoint 'PaymentProcessing.payment_status_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /payment/process/poll — Unauthenticated endpoint 'PaymentProcessing.payment_status_poll' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-auth-none /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all
payment_adyen route-public-csrf-off /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-auth-none /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all
payment_authorize route-public-csrf-off /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-sudo /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-auth-none /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all
payment_cielo route-public-sudo /payment/cielo/create_charge — Unauthenticated endpoint 'CieloController.cielo_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-sudo /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-auth-none /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all
payment_ogone route-public-sudo /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-csrf-off /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-sudo /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-sudo /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-auth-none /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Endpoint 'OgoneController.ogone_validation_form_feedback' uses auth="none": it runs with no user/session at all
payment_ogone route-public-csrf-off /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-sudo /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-auth-none /payment/ogone/s2s/feedback — Endpoint 'OgoneController.feedback' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all
payment_payumoney route-public-csrf-off /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all
payment_sips route-public-csrf-off /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all
payment_stripe route-public-sudo /payment/stripe/create_charge — Unauthenticated endpoint 'StripeController.stripe_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_checkout_webhook route-public-sudo /payment/stripe/webhook — Unauthenticated endpoint 'StripeController.stripe_webhook' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_sca route-public-sudo /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeControllerSCA.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_sca route-public-sudo /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_s2s_process_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-public-csrf-off /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_transfer route-public-sudo /payment/transfer/feedback — Unauthenticated endpoint 'OgoneController.transfer_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-auth-none /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
privacy_consent route-auth-none /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Endpoint 'ConsentController.consent' uses auth="none": it runs with no user/session at all
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_equivalent_category acl-global-read access_product_equivalent_category_user — Access rule grants read on 'model_product_equivalent_category' to every user (portal/public included): no group is set
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_state acl-global-read access_product_state_public — Access rule grants read on 'model_product_state' to every user (portal/public included): no group is set
project route-public-sudo /project/rating — Unauthenticated endpoint 'RatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
project route-public-sudo /project/rating/<int:project_id> — Unauthenticated endpoint 'RatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
purchase_work_acceptance_evaluation acl-global-read access_work_acceptance_evaluation_report — Access rule grants read on 'model_work_acceptance_evaluation_report' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/session — Endpoint 'RunJobController.session' uses auth="none": it runs with no user/session at all
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
rating route-public-sudo /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
rating route-public-sudo /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
report_substitute acl-global-read action_report_substitution_rule_user_access — Access rule grants read on 'model_ir_actions_report_substitution_rule' to every user (portal/public included): no group is set
res_company_category acl-global-read access_res_company_category_user — Access rule grants read on 'model_res_company_category' to every user (portal/public included): no group is set
rma route-public-sudo /my/rma/picking/pdf/<int:rma_id>/<int:picking_id> — Unauthenticated endpoint 'PortalRma.portal_my_rma_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale rule-group-bypass payment_token_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale route-public-sudo /my/orders/<int:order_id>/transaction/ — Unauthenticated endpoint 'CustomerPortal.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale route-public-sudo /my/orders/<int:order_id>/transaction/token — Unauthenticated endpoint 'CustomerPortal.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_multi_operating_unit rule-group-bypass operating_unit_sale_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
sale_stock route-public-sudo /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
stock_scanner acl-global-read scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set
stock_scanner rule-group-bypass scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group
storage_file acl-global-read access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set
survey acl-global-read access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set
survey acl-global-read access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set
survey acl-global-read access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set
survey acl-global-read access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set
survey acl-global-read access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set
survey route-public-sudo /survey/start/<model("survey.survey"):survey>, /survey/start/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'Survey.start_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/fill/<model("survey.survey"):survey>/<string:token>, /survey/fill/<model("survey.survey"):survey>/<string:token>/<string:prev> — Unauthenticated endpoint 'Survey.fill_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/prefill/<model("survey.survey"):survey>/<string:token>, /survey/prefill/<model("survey.survey"):survey>/<string:token>/<model("survey.page"):page> — Unauthenticated endpoint 'Survey.prefill' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/scores/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'Survey.get_scores' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/submit/<model("survey.survey"):survey> — Unauthenticated endpoint 'Survey.submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_read_group acl-global-read access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate — Access rule grants read on 'model_test_read_group_aggregate' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_fill_temporal — Access rule grants read on 'model_test_read_group_fill_temporal' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_a — Access rule grants read on 'model_test_testing_utilities_a' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_readonly — Access rule grants read on 'model_test_testing_utilities_readonly' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_c — Access rule grants read on 'model_test_testing_utilities_c' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_d — Access rule grants read on 'model_test_testing_utilities_d' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_e — Access rule grants read on 'model_test_testing_utilities_e' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_f — Access rule grants read on 'model_test_testing_utilities_f' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_g — Access rule grants read on 'model_test_testing_utilities_g' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_m2o — Access rule grants read on 'model_test_testing_utilities_m2o' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_default — Access rule grants read on 'model_test_testing_utilities_default' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_parent — Access rule grants read on 'model_test_testing_utilities_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub — Access rule grants read on 'model_test_testing_utilities_sub' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub2 — Access rule grants read on 'model_test_testing_utilities_sub2' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_sub3 — Access rule grants read on 'model_test_testing_utilities_sub3' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_recursive — Access rule grants read on 'model_test_testing_utilities_recursive' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_parent — Access rule grants read on 'model_test_testing_utilities_onchange_parent' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_onchange_line — Access rule grants read on 'model_test_testing_utilities_onchange_line' to every user (portal/public included): no group is set
test_testing_utilities acl-global-read access_test_testing_utilities_req_bool — Access rule grants read on 'model_test_testing_utilities_req_bool' to every user (portal/public included): no group is set
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/dbredirect — Endpoint 'Home.web_db_redirect' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/qweb — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations — Unauthenticated endpoint 'WebClient.translations' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/translations — Endpoint 'WebClient.translations' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all
web route-auth-none /web/proxy/load — Endpoint 'Proxy.load' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_favicon route-public-sudo /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
web_favicon route-auth-none /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all
web_no_crawler route-auth-none /robots.txt — Endpoint 'Main.robots' uses auth="none": it runs with no user/session at all
web_tour acl-global-read access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set
web_unsplash route-public-sudo /web_unsplash/get_app_id — Unauthenticated endpoint 'Web_Unsplash.get_unsplash_app_id' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
webservice route-public-csrf-off /webservice/<int:backend_id>/oauth2/redirect — Public HTTP endpoint 'OAuth2Controller.redirect' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
webservice route-public-sudo /webservice/<int:backend_id>/oauth2/redirect — Unauthenticated endpoint 'OAuth2Controller.redirect' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_website_redirect — Access rule grants read on 'model_website_redirect' to every user (portal/public included): no group is set
website acl-global-read access_website_page — Access rule grants read on 'model_website_page' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website route-public-sudo / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_apps_store route-public-sudo /shop/download_product_zip/<model("product.template"):product_tmpl>/<model("product.product"):product>/<string:google_captcha>, /shop/download_product_zip/<model("product.template"):product_tmpl>/<string:google_captcha> — Unauthenticated endpoint 'WebsiteSaleCustom.download_product_zip' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_blog route-public-sudo /blog/<model("blog.blog", "[('website_id', 'in', (False, current_website_id))]"):blog>/feed — Unauthenticated endpoint 'WebsiteBlog.blog_feed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog route-public-sudo /blog/<model("blog.blog", "[('website_id', 'in', (False, current_website_id))]"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog route-public-sudo /blog/<int:blog_id>/post/new — Unauthenticated endpoint 'WebsiteBlog.blog_post_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_phone_validation route-public-sudo /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set
website_event route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_filter_organizer route-public-sudo /event, /event/page/<int:page> — Unauthenticated endpoint 'WebsiteEventOrganizer.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions acl-global-write event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
website_event_sale acl-global-read access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_event_track acl-global-read access_website_event_menu_public — Access rule grants read on 'model_website_event_menu' to every user (portal/public included): no group is set
website_event_track route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event", "[('website_id', 'in', (False, current_website_id))]"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form route-public-csrf-off /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_form route-public-sudo /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form_recaptcha route-public-sudo /website/recaptcha/ — Unauthenticated endpoint 'WebsiteForm.recaptcha_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum route-public-sudo /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum", "[('website_id', 'in', (False, current_website_id))]"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups — Unauthenticated endpoint 'MailGroup.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator acl-global-read access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set
website_oca_integrator acl-global-read access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set
website_oca_integrator route-public-sudo /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute — Access rule grants read on 'product.model_product_template_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_attribute_custom_value — Access rule grants read on 'sale.model_product_attribute_custom_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_exclusion — Access rule grants read on 'product.model_product_template_attribute_exclusion' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_attribute_line_public — Access rule grants read on 'product.model_product_template_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set
website_sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_sale route-public-sudo /website_form/shop.sale.order — Unauthenticated endpoint 'WebsiteSaleForm.website_form_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-csrf-off /shop/cart/update — Public HTTP endpoint 'WebsiteSale.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_charge_payment_fee route-public-sudo /shop/payment — Unauthenticated endpoint 'WebsiteSaleFee.payment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_comparison acl-global-read access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set
website_sale_digital route-public-sudo /my/orders/<int:order_id> — Unauthenticated endpoint 'WebsiteSaleDigital.portal_order_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_product_brand route-public-sudo /page/product_brands — Unauthenticated endpoint 'WebsiteSale.product_brands' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_resource_booking route-public-sudo /shop/booking/<int:index>/confirm — Unauthenticated endpoint 'WebsiteSale.booking_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/add — Unauthenticated endpoint 'WebsiteSaleWishlist.add_to_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide>/download — Unauthenticated endpoint 'WebsiteSlides.slide_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set

Active Pull Requests 7

0 fresh 0 rotting 0 rotten

Module Repository Title Age CI
airport OCA/vertical-travel [MIG] airport: Migration to 11.0 #56 no CI data
connector_magento OCA/connector-magento [11.0] [MIG] connector_magento #274 no CI data
connector_woocommerce OCA/connector-woocommerce [11.0] [MIG] connector_woocommerce #41 no CI data
mrp_subcontracting OCA/manufacture [11.0] [mig] mrp subcontracting #1721 no CI data
mrp_subcontracting_purchase_link OCA/manufacture 11.0 mig mrp subcontracting purchase link #1722 no CI data
product-packaging-type OCA/product-attribute [MIG]11.0 mig product packaging type #2174 no CI data
transportation OCA/vertical-travel [MIG] transportation: Migration to 11.0 #55 no CI data

Security Findings

Errors 130

Module Code Message
anonymization acl-global-write access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set
auth_u2f acl-public-write access_u2f_device_portal — Access rule grants write/create/unlink on 'model_u2f_device' to the portal/public group 'base.group_portal'
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
cms_delete_content_example acl-global-write access_cms_delete_content_example — Access rule grants write/create/unlink on 'model_cms_delete_content_example' to EVERY user (portal/public included): no group is set
cms_notification acl-public-write portal_users_can_write_users — Access rule grants write on 'base.model_res_users' to the portal/public group 'base.group_portal'
cms_notification acl-privilege-escalation portal_users_can_write_users — Access rule grants write on security model 'base.model_res_users' to group 'base.group_portal': members can escalate their own permissions
cms_toolbar_example acl-global-write access_cms_toolbar_content_example — Access rule grants write/create/unlink on 'model_cms_toolbar_content_example' to EVERY user (portal/public included): no group is set
document_url acl-global-write access_ir_attachment_add_url — Access rule grants write/create/unlink on 'model_ir_attachment_add_url' to EVERY user (portal/public included): no group is set
gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
helpdesk_mgmt acl-public-write access_helpdesk_ticket_stage_public — Access rule grants write on 'model_helpdesk_ticket_stage' to the portal/public group 'base.group_public'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_test_portal — Access rule grants write on 'model_mail_test' to the portal/public group 'base.group_portal'
mail_digest acl-public-write access_user_notification_conf_portal — Access rule grants write/create/unlink on 'model_user_notification_conf' to the portal/public group 'base.group_portal'
payment acl-public-write payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal'
rating acl-public-write access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public'
rating acl-public-write access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal'
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_obj_categ — Access rule grants write/create/unlink on 'model_test_access_right_obj_categ' to EVERY user (portal/public included): no group is set
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_convert acl-global-write access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_tag — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_tag' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_protected — Access rule grants write/create/unlink on 'model_test_new_api_compute_protected' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_base — Access rule grants write/create/unlink on 'model_test_performance_base' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_line — Access rule grants write/create/unlink on 'model_test_performance_line' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_tag — Access rule grants write/create/unlink on 'model_test_performance_tag' to EVERY user (portal/public included): no group is set
test_performance acl-global-write access_test_performance_mail — Access rule grants write/create/unlink on 'model_test_performance_mail' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
website_crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_wishlist acl-public-write access_product_wishlist_public — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_public'
website_sale_wishlist acl-public-write access_product_wishlist_portal — Access rule grants write/create/unlink on 'model_product_wishlist' to the portal/public group 'base.group_portal'

Warnings 435

Module Code Message
account route-public-sudo /my/invoices/pdf/<int:invoice_id> — Unauthenticated endpoint 'PortalAccount.portal_my_invoice_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_consolidation acl-global-read access_company_consolidation_profile — Access rule grants read on 'model_company_consolidation_profile' to every user (portal/public included): no group is set
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
account_payment route-public-sudo /invoice/pay/<int:invoice_id>/s2s_json_token_tx — Unauthenticated endpoint 'PaymentPortal.invoice_pay_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
anonymization acl-global-read access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set
attachment_base_synchronize acl-global-read access_attachment_metadata_user — Access rule grants read on 'model_ir_attachment_metadata' to every user (portal/public included): no group is set
auth_from_http_remote_user route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
auth_oauth route-public-sudo /auth_oauth/signin — Unauthenticated endpoint 'OAuthController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_oauth route-auth-none /auth_oauth/signin — Endpoint 'OAuthController.signin' uses auth="none": it runs with no user/session at all
auth_oauth route-auth-none /auth_oauth/oea — Endpoint 'OAuthController.oea' uses auth="none": it runs with no user/session at all
auth_saml route-public-sudo /auth_saml/get_auth_request — Unauthenticated endpoint 'AuthSAMLController.get_auth_request' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/get_auth_request — Endpoint 'AuthSAMLController.get_auth_request' uses auth="none": it runs with no user/session at all
auth_saml route-public-csrf-off /auth_saml/signin — Public HTTP endpoint 'AuthSAMLController.signin' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
auth_saml route-public-sudo /auth_saml/signin — Unauthenticated endpoint 'AuthSAMLController.signin' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_saml route-auth-none /auth_saml/signin — Endpoint 'AuthSAMLController.signin' uses auth="none": it runs with no user/session at all
auth_saml_create_user acl-global-read access_auth_saml_create_user_auth_saml_create_user — Access rule grants read on 'model_auth_saml_create_user_auth_saml_create_user' to every user (portal/public included): no group is set
auth_signup route-public-sudo /web/signup — Unauthenticated endpoint 'AuthSignupHome.web_auth_signup' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_signup route-public-sudo /web/reset_password — Unauthenticated endpoint 'AuthSignupHome.web_auth_reset_password' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-public-sudo /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-auth-none /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all
auth_u2f route-public-sudo /web/u2f/login — Unauthenticated endpoint 'AuthU2FController.u2f_login' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_u2f route-auth-none /web/u2f/login — Endpoint 'AuthU2FController.u2f_login' uses auth="none": it runs with no user/session at all
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-read access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
base_automation acl-global-read access_base_automation — Access rule grants read on 'model_base_automation' to every user (portal/public included): no group is set
base_dav route-public-csrf-off /.well-known/carddav, /.well-known/caldav, /.well-known/webdav — Public HTTP endpoint 'Main.handle_well_known_request' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_dav route-auth-none /.well-known/carddav, /.well-known/caldav, /.well-known/webdav — Endpoint 'Main.handle_well_known_request' uses auth="none": it runs with no user/session at all
base_dav route-public-csrf-off Main.handle_dav_request — Public HTTP endpoint 'Main.handle_dav_request' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_dav route-auth-none Main.handle_dav_request — Endpoint 'Main.handle_dav_request' uses auth="none": it runs with no user/session at all
base_gengo route-public-csrf-off /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_gengo route-public-sudo /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
base_gengo route-auth-none /website/gengo_callback — Endpoint 'website_gengo.gengo_callback' uses auth="none": it runs with no user/session at all
base_import_module route-public-csrf-off /base_import_module/login — Public HTTP endpoint 'ImportModule.login' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_import_module route-auth-none /base_import_module/login — Endpoint 'ImportModule.login' uses auth="none": it runs with no user/session at all
base_sms_client acl-global-read access_sms_gateway_global — Access rule grants read on 'model_sms_gateway' to every user (portal/public included): no group is set
base_sms_client acl-global-read access_sms_sms_global — Access rule grants read on 'model_sms_sms' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
business_requirement route-public-sudo /my/business_requirement/pdf/<int:br_id> — Unauthenticated endpoint 'CustomerPortal.portal_br_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
connector_jira route-auth-none /connector_jira/webhooks/issue — Endpoint 'JiraWebhookController.webhook_issue' uses auth="none": it runs with no user/session at all
connector_jira route-auth-none /connector_jira/webhooks/worklog — Endpoint 'JiraWebhookController.webhook_worklog' uses auth="none": it runs with no user/session at all
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_phone rule-group-bypass all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
decimal_precision acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
easy_switch_user route-auth-none /easy_switch_user/switch — Endpoint 'SwitchController.switch' uses auth="none": it runs with no user/session at all
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_category_reader — Access rule grants read on 'model_odoo_category' to every user (portal/public included): no group is set
google_account route-auth-none /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all
helpdesk_mgmt rule-group-bypass helpdesk_ticket_personal_rule_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
http_routing route-public-sudo /website/translations — Unauthenticated endpoint 'Routing.get_website_translations' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
hw_blackbox_be route-auth-none /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all
hw_blackbox_be route-auth-none /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/open_cashbox — Endpoint 'EscposProxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_receipt — Endpoint 'EscposProxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_escpos route-auth-none /hw_proxy/print_xml_receipt — Endpoint 'EscposProxy.print_xml_receipt' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_connect — Public HTTP endpoint 'PosboxHomepage.connect_to_wifi' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /wifi_clear — Public HTTP endpoint 'PosboxHomepage.clear_wifi_configuration' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-public-csrf-off /enable_ngrok — Public HTTP endpoint 'PosboxHomepage.enable_ngrok' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/hello — Endpoint 'Proxy.hello' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/handshake — Endpoint 'Proxy.handshake' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/status — Endpoint 'Proxy.status_http' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/status_json — Endpoint 'Proxy.status_json' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/scan_item_success — Endpoint 'Proxy.scan_item_success' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/scan_item_error_unrecognized — Endpoint 'Proxy.scan_item_error_unrecognized' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/help_needed — Endpoint 'Proxy.help_needed' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/help_canceled — Endpoint 'Proxy.help_canceled' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_request — Endpoint 'Proxy.payment_request' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_status — Endpoint 'Proxy.payment_status' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/payment_cancel — Endpoint 'Proxy.payment_cancel' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/transaction_start — Endpoint 'Proxy.transaction_start' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/transaction_end — Endpoint 'Proxy.transaction_end' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/cashier_mode_activated — Endpoint 'Proxy.cashier_mode_activated' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/cashier_mode_deactivated — Endpoint 'Proxy.cashier_mode_deactivated' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/open_cashbox — Endpoint 'Proxy.open_cashbox' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/print_receipt — Endpoint 'Proxy.print_receipt' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/is_scanner_connected — Endpoint 'Proxy.is_scanner_connected' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/scanner — Endpoint 'Proxy.scanner' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/log — Endpoint 'Proxy.log' uses auth="none": it runs with no user/session at all
hw_proxy route-auth-none /hw_proxy/print_pdf_invoice — Endpoint 'Proxy.print_pdf_invoice' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all
hw_scanner route-auth-none /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history_pages' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
keychain acl-global-read access_keychain_account — Access rule grants read on 'model_keychain_account' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_eu_service acl-global-read access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set
l10n_it_account_tax_kind acl-global-read access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set
l10n_nl_country_states acl-global-read access_res_country_state_nl_zip — Access rule grants read on 'model_res_country_state_nl_zip' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-auth-none /r/<string:code> — Endpoint 'LinkTracker.full_url_redirect' uses auth="none": it runs with no user/session at all
mail acl-global-write access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all
mail_template_attachment_i18n acl-global-read access_attachment_language_everyone — Access rule grants read on 'model_ir_attachment_language' to every user (portal/public included): no group is set
mail_tracking route-public-csrf-off /mail/tracking/all/<string:db> — Public HTTP endpoint 'MailTrackingController.mail_tracking_all' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all
mass_mailing route-auth-none /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
mobile_app_picking route-auth-none /mobile_app_picking — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
partner_multi_relation_tabs acl-global-read read_res_partner_tab — Access rule grants read on 'model_res_partner_tab' to every user (portal/public included): no group is set
payment route-public-sudo /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/transaction/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/transaction/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/token/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment route-public-sudo /website_payment/json_token/<string:reference>/<string:amount>/<string:currency_id>, /website_payment/json_token/v2/<string:amount>/<string:currency_id>/<path:reference> — Unauthenticated endpoint 'WebsitePayment.payment_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-auth-none /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all
payment_adyen route-public-csrf-off /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-auth-none /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all
payment_authorize route-public-csrf-off /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-sudo /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_authorize route-public-sudo /payment/authorize/s2s/create_json_3ds — Unauthenticated endpoint 'AuthorizeController.authorize_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-auth-none /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all
payment_ogone route-public-sudo /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Unauthenticated endpoint 'OgoneController.ogone_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-auth-none /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all
payment_ogone route-public-sudo /payment/ogone/s2s/create_json_3ds — Unauthenticated endpoint 'OgoneController.ogone_s2s_create_json_3ds' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-csrf-off /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-sudo /payment/ogone/s2s/create — Unauthenticated endpoint 'OgoneController.ogone_s2s_create' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-public-sudo /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Unauthenticated endpoint 'OgoneController.ogone_validation_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-auth-none /payment/ogone/validate/accept, /payment/ogone/validate/decline, /payment/ogone/validate/exception — Endpoint 'OgoneController.ogone_validation_form_feedback' uses auth="none": it runs with no user/session at all
payment_ogone route-public-csrf-off /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-sudo /payment/ogone/s2s/feedback — Unauthenticated endpoint 'OgoneController.feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_ogone route-auth-none /payment/ogone/s2s/feedback — Endpoint 'OgoneController.feedback' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all
payment_payumoney route-public-csrf-off /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-sudo /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all
payment_sips route-public-csrf-off /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all
payment_stripe route-public-sudo /payment/stripe/create_charge — Unauthenticated endpoint 'StripeController.stripe_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_sca route-public-sudo /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeControllerSCA.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_sca route-public-sudo /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_s2s_confirm_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-public-csrf-off /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_transfer route-public-sudo /payment/transfer/feedback — Unauthenticated endpoint 'OgoneController.transfer_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-auth-none /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group
portal route-public-sudo /mail/chatter_fetch — Unauthenticated endpoint 'PortalChatter.portal_message_fetch' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
privacy_consent route-auth-none /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Endpoint 'ConsentController.consent' uses auth="none": it runs with no user/session at all
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/session — Endpoint 'RunJobController.session' uses auth="none": it runs with no user/session at all
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
rating route-public-sudo /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
rating route-public-sudo /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
runbot_buildout route-public-csrf-off /runbot/build/<model('runbot.build'):build>/rerun_buildout — Public HTTP endpoint 'Runbot.build_rerun_buildout' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
runbot_buildout route-public-sudo /runbot/build/<model('runbot.build'):build>/rerun_buildout — Unauthenticated endpoint 'Runbot.build_rerun_buildout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
runbot_gitlab route-public-sudo /runbot/hook_gitlab/<int:repo_id>, /runbot/hook_gitlab/org — Unauthenticated endpoint 'RunbotCIController.hook_gitlab' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale route-public-sudo /my/orders/pdf/<int:order_id> — Unauthenticated endpoint 'CustomerPortal.portal_order_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_payment route-public-sudo /pay/sale/<int:order_id>/form_tx — Unauthenticated endpoint 'PaymentPortal.sale_pay_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_payment route-public-sudo /pay/sale/<int:order_id>/s2s_token_tx — Unauthenticated endpoint 'PaymentPortal.sale_pay_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_payment route-public-sudo /pay/sale/<int:order_id>/s2s_json_token_tx — Unauthenticated endpoint 'PaymentPortal.sale_pay_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
sale_timesheet rule-group-bypass account_analytic_line_rule_billing_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
stock_request rule-group-bypass stock_request_user_inventory_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
stock_request rule-group-bypass stock_request_order_user_inventory_user_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
stock_scanner acl-global-read scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set
stock_scanner rule-group-bypass scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group
survey acl-global-read access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set
survey acl-global-read access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set
survey acl-global-read access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set
survey acl-global-read access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set
survey acl-global-read access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set
survey route-public-sudo /survey/start/<model("survey.survey"):survey>, /survey/start/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.start_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/fill/<model("survey.survey"):survey>/<string:token>, /survey/fill/<model("survey.survey"):survey>/<string:token>/<string:prev> — Unauthenticated endpoint 'WebsiteSurvey.fill_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/prefill/<model("survey.survey"):survey>/<string:token>, /survey/prefill/<model("survey.survey"):survey>/<string:token>/<model("survey.page"):page> — Unauthenticated endpoint 'WebsiteSurvey.prefill' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/scores/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.get_scores' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/submit/<model("survey.survey"):survey> — Unauthenticated endpoint 'WebsiteSurvey.submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_read_group acl-global-read access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_on_selection — Access rule grants read on 'model_test_read_group_on_selection' to every user (portal/public included): no group is set
test_server_environment acl-global-read access_server_env_test — Access rule grants read on 'model_server_env_test' to every user (portal/public included): no group is set
test_server_environment acl-global-read access_server_env_test2 — Access rule grants read on 'model_server_env_test2' to every user (portal/public included): no group is set
test_server_environment acl-global-read access_server_env_test_inherits1 — Access rule grants read on 'model_server_env_test_inherits1' to every user (portal/public included): no group is set
test_server_environment acl-global-read access_server_env_test_inherits2 — Access rule grants read on 'model_server_env_test_inherits2' to every user (portal/public included): no group is set
web route-auth-none / — Endpoint 'Home.index' uses auth="none": it runs with no user/session at all
web route-auth-none /web — Endpoint 'Home.web_client' uses auth="none": it runs with no user/session at all
web route-auth-none /web/dbredirect — Endpoint 'Home.web_db_redirect' uses auth="none": it runs with no user/session at all
web route-auth-none /web/login — Endpoint 'Home.web_login' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/csslist — Endpoint 'WebClient.csslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/jslist — Endpoint 'WebClient.jslist' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/locale/<string:lang> — Endpoint 'WebClient.load_locale' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/qweb — Endpoint 'WebClient.qweb' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/bootstrap_translations — Endpoint 'WebClient.bootstrap_translations' uses auth="none": it runs with no user/session at all
web route-public-sudo /web/webclient/translations — Unauthenticated endpoint 'WebClient.translations' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
web route-auth-none /web/webclient/translations — Endpoint 'WebClient.translations' uses auth="none": it runs with no user/session at all
web route-auth-none /web/webclient/version_info — Endpoint 'WebClient.version_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/tests/mobile — Endpoint 'WebClient.test_mobile_suite' uses auth="none": it runs with no user/session at all
web route-auth-none /web/benchmarks — Endpoint 'WebClient.benchmarks' uses auth="none": it runs with no user/session at all
web route-auth-none /web/proxy/load — Endpoint 'Proxy.load' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/selector — Endpoint 'Database.selector' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/manager — Endpoint 'Database.manager' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/create — Public HTTP endpoint 'Database.create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/create — Endpoint 'Database.create' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/duplicate — Public HTTP endpoint 'Database.duplicate' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/duplicate — Endpoint 'Database.duplicate' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/drop — Public HTTP endpoint 'Database.drop' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/drop — Endpoint 'Database.drop' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/backup — Public HTTP endpoint 'Database.backup' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/backup — Endpoint 'Database.backup' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/restore — Public HTTP endpoint 'Database.restore' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/restore — Endpoint 'Database.restore' uses auth="none": it runs with no user/session at all
web route-public-csrf-off /web/database/change_password — Public HTTP endpoint 'Database.change_password' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
web route-auth-none /web/database/change_password — Endpoint 'Database.change_password' uses auth="none": it runs with no user/session at all
web route-auth-none /web/database/list — Endpoint 'Database.list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_session_info — Endpoint 'Session.get_session_info' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/authenticate — Endpoint 'Session.authenticate' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/get_lang_list — Endpoint 'Session.get_lang_list' uses auth="none": it runs with no user/session at all
web route-auth-none /web/session/logout — Endpoint 'Session.logout' uses auth="none": it runs with no user/session at all
web route-auth-none /web/binary/company_logo, /logo, /logo.png — Endpoint 'Binary.company_logo' uses auth="none": it runs with no user/session at all
web route-auth-none /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all
web_editor route-auth-none /web_editor/font_to_img/<icon>, /web_editor/font_to_img/<icon>/<color>, /web_editor/font_to_img/<icon>/<color>/<int:size>, /web_editor/font_to_img/<icon>/<color>/<int:size>/<int:alpha> — Endpoint 'Web_Editor.export_icon_to_png' uses auth="none": it runs with no user/session at all
web_favicon route-public-sudo /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
web_favicon route-auth-none /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all
web_tour acl-global-read access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_website_redirect — Access rule grants read on 'model_website_redirect' to every user (portal/public included): no group is set
website acl-global-read access_website_page — Access rule grants read on 'model_website_page' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website route-public-sudo / — Unauthenticated endpoint 'Website.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /sitemap.xml — Unauthenticated endpoint 'Website.sitemap_xml_index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website route-public-sudo /website/info — Unauthenticated endpoint 'Website.website_info' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_apps_store route-public-sudo /shop/change_attribute_version — Unauthenticated endpoint 'WebsiteSaleCustom.change_product_attribute_version' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_apps_store route-public-sudo /shop/download_product_zip/<model("product.template"):product_tmpl>/<model("product.product"):product>/<string:google_captcha>, /shop/download_product_zip/<model("product.template"):product_tmpl>/<string:google_captcha> — Unauthenticated endpoint 'WebsiteSaleCustom.download_product_zip' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_blog route-public-sudo /blog/<model("blog.blog"):blog>/feed — Unauthenticated endpoint 'WebsiteBlog.blog_feed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog route-public-sudo /blog/<model("blog.blog"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog route-public-sudo /blog/post_get_discussion/ — Unauthenticated endpoint 'WebsiteBlog.discussion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_contact_extend route-public-sudo /verify_email — Unauthenticated endpoint 'VerifyController.verify_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_contact_extend route-public-sudo /website_form/<string:model_name> — Unauthenticated endpoint 'MyFilter.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_phone_validation route-public-sudo /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<model("res.country"):country>, /customers/country/<model("res.country"):country>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>, /customers/industry/<model("res.partner.industry"):industry>/page/<int:page>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>, /customers/industry/<model("res.partner.industry"):industry>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set
website_event route-public-sudo /event/<model("event.event"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions acl-global-write event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
website_event_sale acl-global-read access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set
website_event_sale route-public-sudo /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventSaleController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track acl-global-read access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_event_track route-public-sudo /event/<model("event.event"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form route-public-csrf-off /website_form/<string:model_name> — Public HTTP endpoint 'WebsiteForm.website_form' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_form route-public-sudo /website_form/<string:model_name> — Unauthenticated endpoint 'WebsiteForm.website_form' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_form_recaptcha route-public-sudo /website/recaptcha/ — Unauthenticated endpoint 'WebsiteForm.recaptcha_public' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum route-public-sudo /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum_doc acl-global-read all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_logo route-auth-none /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-auth-none /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_multi_theme acl-global-read access_website_theme_public — Access rule grants read on 'model_website_theme' to every user (portal/public included): no group is set
website_multi_theme acl-global-read access_website_theme_asset_public — Access rule grants read on 'model_website_theme_asset' to every user (portal/public included): no group is set
website_oca_integrator acl-global-read access_sponsorship_line — Access rule grants read on 'model_sponsorship_line' to every user (portal/public included): no group is set
website_oca_integrator acl-global-read access_contributor_module_reader — Access rule grants read on 'model_contributor_module_line' to every user (portal/public included): no group is set
website_oca_integrator route-public-sudo /integrators, /integrators/page/<int:page>, /integrators/country/<model("res.country"):country>, /integrators/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrators' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id> — Unauthenticated endpoint 'WebsiteIntegrator.integrators_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_integrator route-public-sudo /integrators/<integrator_id>/contributors, /integrators/<integrator_id>/contributors/page/<int:page>, /integrators/<integrator_id>/contributors/country/<int:country_id>, /integrators/<integrator_id>/contributors/country/<int:country_id>/page/<int:page>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>, /integrators/<integrator_id>/contributors/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteIntegrator.integrator_contributors' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams — Unauthenticated endpoint 'WebsitePscTeam.psc_teams' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_oca_psc_team route-public-sudo /psc-teams/<project_id> — Unauthenticated endpoint 'WebsitePscTeam.psc_team_project_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/<token>/decline — Unauthenticated endpoint 'sale_quote.decline' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/update_line_dict — Unauthenticated endpoint 'sale_quote.update_line_dict' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/add_line/<int:option_id>/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/transaction/ — Unauthenticated endpoint 'sale_quote.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/transaction/token — Unauthenticated endpoint 'sale_quote.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/transaction/json_token — Unauthenticated endpoint 'sale_quote.payment_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_rating_project route-public-sudo /project/rating/ — Unauthenticated endpoint 'WebsiteRatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_rating_project route-public-sudo /project/rating/<int:project_id> — Unauthenticated endpoint 'WebsiteRatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set
website_sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_sale route-public-sudo /website_form/shop.sale.order — Unauthenticated endpoint 'WebsiteSaleForm.website_form_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/pricelist — Unauthenticated endpoint 'WebsiteSale.pricelist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/cart — Unauthenticated endpoint 'WebsiteSale.cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-csrf-off /shop/cart/update — Public HTTP endpoint 'WebsiteSale.cart_update' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
website_sale route-public-sudo /shop/address — Unauthenticated endpoint 'WebsiteSale.address' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/checkout — Unauthenticated endpoint 'WebsiteSale.checkout' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/transaction/, /shop/payment/transaction/<int:so_id>, /shop/payment/transaction/<int:so_id>/<string:access_token> — Unauthenticated endpoint 'WebsiteSale.payment_transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/token — Unauthenticated endpoint 'WebsiteSale.payment_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/json_token — Unauthenticated endpoint 'WebsiteSale.payment_token_json' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/get_status/<int:sale_order_id> — Unauthenticated endpoint 'WebsiteSale.payment_get_status' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/payment/validate — Unauthenticated endpoint 'WebsiteSale.payment_validate' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/confirmation — Unauthenticated endpoint 'WebsiteSale.payment_confirmation' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/print — Unauthenticated endpoint 'WebsiteSale.print_saleorder' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale route-public-sudo /shop/tracking_last_order — Unauthenticated endpoint 'WebsiteSale.tracking_cart' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_comparison acl-global-read access_product_attribute_category_public — Access rule grants read on 'model_product_attribute_category' to every user (portal/public included): no group is set
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_stock route-public-sudo /my/picking/pdf/<int:picking_id> — Unauthenticated endpoint 'SaleStockPortal.portal_my_picking_report' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale_wishlist route-public-sudo /shop/wishlist/remove/<model("product.wishlist"):wish> — Unauthenticated endpoint 'WebsiteSaleWishlist.rm_from_wishlist' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/slide/<model("slide.slide"):slide>/download — Unauthenticated endpoint 'WebsiteSlides.slide_download' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_theme_flexible acl-global-read read — Access rule grants read on 'model_theme_flexible' to every user (portal/public included): no group is set
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set

Active Pull Requests 6

0 fresh 0 rotting 0 rotten

Security Findings

Errors 156

Module Code Message
anonymization acl-global-write access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar acl-public-write access_calendar_attendee_portal — Access rule grants write on 'model_calendar_attendee' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
cms_delete_content_example acl-global-write access_cms_delete_content_example — Access rule grants write/create/unlink on 'model_cms_delete_content_example' to EVERY user (portal/public included): no group is set
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
l10n_br_hr acl-global-write access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal'
medical acl-privilege-escalation assistant_res_users — Access rule grants write/create on security model 'base.model_res_users' to group 'group_medical_assistant': members can escalate their own permissions
medical acl-privilege-escalation user_res_users — Access rule grants write on security model 'base.model_res_users' to group 'group_medical_user': members can escalate their own permissions
openeducat_parent acl-privilege-escalation access_res_users_back_office — Access rule grants write/create/unlink on security model 'base.model_res_users' to group 'openeducat_core.group_op_back_office_admin': members can escalate their own permissions
payment acl-public-write payment_method_portal — Access rule grants write/create/unlink on 'model_payment_token' to the portal/public group 'base.group_portal'
portal acl-public-write access_ir_attachment_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'base.group_portal'
portal_gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
portal_gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
product_dependencies acl-global-write access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set
purchase_transport_document acl-global-write access_transport_document — Access rule grants write/create/unlink on 'model_transport_document' to EVERY user (portal/public included): no group is set
rating acl-public-write access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public'
rating acl-public-write access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal'
report acl-global-write paperformat_access_employee — Access rule grants create on 'model_report_paperformat' to EVERY user (portal/public included): no group is set
report acl-global-write access_report — Access rule grants write/create/unlink on 'model_report' to EVERY user (portal/public included): no group is set
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_scenario_custom_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_scenario_custom' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_component acl-global-write access_test_component_collection — Access rule grants write/create/unlink on 'model_test_component_collection' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_test_backend — Access rule grants write/create/unlink on 'model_test_backend' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_record — Access rule grants write/create/unlink on 'model_connector_test_record' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_connector_test_binding — Access rule grants write/create/unlink on 'model_connector_test_binding' to EVERY user (portal/public included): no group is set
test_connector acl-global-write access_no_inherits_binding — Access rule grants write/create/unlink on 'model_no_inherits_binding' to EVERY user (portal/public included): no group is set
test_convert acl-global-write access_test_convert_test_model — Access rule grants write/create/unlink on 'model_test_convert_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_edition — Access rule grants write/create/unlink on 'model_test_new_api_creativework_edition' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_book — Access rule grants write/create/unlink on 'model_test_new_api_creativework_book' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_creativework_movie — Access rule grants write/create/unlink on 'model_test_new_api_creativework_movie' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_related — Access rule grants write/create/unlink on 'model_test_new_api_related' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company — Access rule grants write/create/unlink on 'model_test_new_api_company' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_company_attr — Access rule grants write/create/unlink on 'model_test_new_api_company_attr' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_sparse — Access rule grants write/create/unlink on 'model_test_new_api_sparse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_compute_inverse — Access rule grants write/create/unlink on 'model_test_new_api_compute_inverse' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_cascade — Access rule grants write/create/unlink on 'model_test_new_api_cascade' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_job — Access rule grants write/create/unlink on 'model_test_queue_job' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_queue_channel — Access rule grants write/create/unlink on 'model_test_queue_channel' to EVERY user (portal/public included): no group is set
test_queue_job acl-global-write access_test_related_action — Access rule grants write/create/unlink on 'model_test_related_action' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_a — Access rule grants write/create/unlink on 'model_test_rpc_model_a' to EVERY user (portal/public included): no group is set
test_rpc acl-global-write access_test_rpc_model_b — Access rule grants write/create/unlink on 'model_test_rpc_model_b' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model — Access rule grants write/create/unlink on 'model_test_workflow_model' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_trigger — Access rule grants write/create/unlink on 'model_test_workflow_trigger' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_a — Access rule grants write/create/unlink on 'model_test_workflow_model_a' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_b — Access rule grants write/create/unlink on 'model_test_workflow_model_b' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_c — Access rule grants write/create/unlink on 'model_test_workflow_model_c' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_d — Access rule grants write/create/unlink on 'model_test_workflow_model_d' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_e — Access rule grants write/create/unlink on 'model_test_workflow_model_e' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_f — Access rule grants write/create/unlink on 'model_test_workflow_model_f' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_g — Access rule grants write/create/unlink on 'model_test_workflow_model_g' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_h — Access rule grants write/create/unlink on 'model_test_workflow_model_h' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_i — Access rule grants write/create/unlink on 'model_test_workflow_model_i' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_j — Access rule grants write/create/unlink on 'model_test_workflow_model_j' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_k — Access rule grants write/create/unlink on 'model_test_workflow_model_k' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_l — Access rule grants write/create/unlink on 'model_test_workflow_model_l' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
web_shortcut acl-global-write access_web_shortcut — Access rule grants write/create/unlink on 'model_web_shortcut' to EVERY user (portal/public included): no group is set
website_crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_crm_partner_assign acl-public-write crm_lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_crm_partner_assign acl-public-write crm_activity_portal_access — Access rule grants write/create on 'crm.model_crm_activity' to the portal/public group 'base.group_portal'
website_crm_partner_assign acl-public-write mail_message_subtype_portal_access — Access rule grants write/create on 'mail.model_mail_message_subtype' to the portal/public group 'base.group_portal'
website_crm_partner_assign acl-public-write lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_portal_contact acl-public-write access_partners — Access rule grants write/create on 'base.model_res_partner' to the portal/public group 'base.group_portal'
website_portal_contract acl-public-write account_analytic_account_portal — Access rule grants write on 'analytic.model_account_analytic_account' to the portal/public group 'base.group_portal'
website_portal_contract acl-public-write account_analytic_invoice_line_portal — Access rule grants write on 'contract.model_account_analytic_invoice_line' to the portal/public group 'base.group_portal'
website_sale_recently_viewed_products acl-public-write access_website_sale_product_view_public — Access rule grants write/create on 'model_website_sale_product_view' to the portal/public group 'base.group_public'
website_sale_wishlist acl-global-write access_product_wishlist — Access rule grants write/create/unlink on 'model_product_wishlist' to EVERY user (portal/public included): no group is set

Warnings 331

Module Code Message
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set
attachment_base_synchronize acl-global-read access_attachment_metadata_user — Access rule grants read on 'model_ir_attachment_metadata' to every user (portal/public included): no group is set
auth_totp route-public-sudo /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-auth-none /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all
base acl-global-read access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set
base acl-global-read access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-write access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-read access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-write access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base_action_rule acl-global-read access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set
base_gengo route-public-csrf-off /website/gengo_callback — Public HTTP endpoint 'website_gengo.gengo_callback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
base_gengo route-public-sudo /website/gengo_callback — Unauthenticated endpoint 'website_gengo.gengo_callback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
base_gengo route-auth-none /website/gengo_callback — Endpoint 'website_gengo.gengo_callback' uses auth="none": it runs with no user/session at all
base_sms_client acl-global-read access_sms_gateway_global — Access rule grants read on 'model_sms_gateway' to every user (portal/public included): no group is set
base_sms_client acl-global-read access_sms_sms_global — Access rule grants read on 'model_sms_sms' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
connector_woocommerce acl-global-read access_woo_sale_order_status — Access rule grants read on 'model_woo_sale_order_status' to every user (portal/public included): no group is set
connector_woocommerce acl-global-read access_woo_sale_order_line — Access rule grants read on 'model_woo_sale_order_line' to every user (portal/public included): no group is set
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_activity_report_rule_all_activities — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_action rule-group-bypass crm_rule_all_action — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_mailchimp route-public-csrf-off /mailchimp/<string:key> — Public HTTP endpoint 'Mailchimp.hook' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
crm_mailchimp route-public-sudo /mailchimp/<string:key> — Unauthenticated endpoint 'Mailchimp.hook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
crm_mailchimp route-auth-none /mailchimp/<string:key> — Endpoint 'Mailchimp.hook' uses auth="none": it runs with no user/session at all
crm_phone rule-group-bypass all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
decimal_precision acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_reader — Access rule grants read on 'model_github_organization' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_organization_serie_reader — Access rule grants read on 'model_github_organization_serie' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_reader — Access rule grants read on 'model_github_repository' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_repository_branch_reader — Access rule grants read on 'model_github_repository_branch' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_reader — Access rule grants read on 'model_github_team' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_partner_reader — Access rule grants read on 'model_github_team_partner' to every user (portal/public included): no group is set
github_connector acl-global-read access_github_team_repository_reader — Access rule grants read on 'model_github_team_repository' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_author_reader — Access rule grants read on 'model_odoo_author' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_bin_reader — Access rule grants read on 'model_odoo_lib_bin' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_lib_python_reader — Access rule grants read on 'model_odoo_lib_python' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_license_reader — Access rule grants read on 'model_odoo_license' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_reader — Access rule grants read on 'model_odoo_module' to every user (portal/public included): no group is set
github_connector_odoo acl-global-read access_odoo_module_version_reader — Access rule grants read on 'model_odoo_module_version' to every user (portal/public included): no group is set
google_account route-auth-none /google_account/authentication — Endpoint 'GoogleAuth.oauth2callback' uses auth="none": it runs with no user/session at all
help_online rule-group-bypass online_help_reader_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_attendance rule-group-bypass hr_attendance_rule_attendance_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense_accountedge rule-group-bypass property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_schedule rule-group-bypass property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_security rule-group-bypass property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hw_blackbox_be route-auth-none /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all
hw_blackbox_be route-auth-none /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all
hw_scanner route-auth-none /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
keychain acl-global-read access_keychain_account — Access rule grants read on 'model_keychain_account' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_chronic_disease — Access rule grants read on 'model_hr_chronic_disease' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_nationality_code — Access rule grants read on 'model_hr_nationality_code' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set
l10n_es_aeat_mod347 route-public-sudo /mod347/accept — Unauthenticated endpoint 'Mod347Controller.mod347_accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_es_aeat_mod347 route-public-sudo /mod347/reject — Unauthenticated endpoint 'Mod347Controller.mod347_reject' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
l10n_eu_service acl-global-read access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set
l10n_it_account_tax_kind acl-global-read access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set
l10n_nl_country_states acl-global-read access_res_country_state_nl_zip — Access rule grants read on 'model_res_country_state_nl_zip' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-auth-none /r/<string:code> — Endpoint 'LinkTracker.full_url_redirect' uses auth="none": it runs with no user/session at all
mail acl-global-write access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-auth-none /mail/receive — Endpoint 'MailController.receive' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all
mail_sendgrid route-auth-none /mail/tracking/sendgrid/<string:db> — Endpoint 'SendgridTrackingController.mail_tracking_sendgrid' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/all/<string:db> — Public HTTP endpoint 'MailTrackingController.mail_tracking_all' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mass acl-global-read access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-public-sudo /mail/track/<int:mail_id>/blank.gif — Unauthenticated endpoint 'MassMailController.track_mail_open' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all
mass_mailing route-auth-none /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
mgmtsystem rule-group-bypass document_page_rule_document_user_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
mgmtsystem rule-group-bypass document_page_history_rule_document_user_r — Record rule with an always-true domain bypasses every other record rule of its model for its group
openeducat_assignment rule-group-bypass backoffice_assignment_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
openeducat_assignment rule-group-bypass backoffice_assignment_sub_line_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
openeducat_attendance route-public-sudo /openeducat-attendance/take-attendance — Unauthenticated endpoint 'OpAttendanceController.create_attendance_lines' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
openeducat_attendance route-auth-none /openeducat-attendance/take-attendance — Endpoint 'OpAttendanceController.create_attendance_lines' uses auth="none": it runs with no user/session at all
openeducat_core rule-group-bypass view_students_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
openeducat_core rule-group-bypass view_faculty_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
openeducat_core rule-group-bypass view_all_subject_registration_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
openeducat_core route-public-sudo /openeducat_core/get_app_dash_data — Unauthenticated endpoint 'OpenEduCatAppController.compute_app_dashboard_data' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
openeducat_core route-auth-none /openeducat_core/get_app_dash_data — Endpoint 'OpenEduCatAppController.compute_app_dashboard_data' uses auth="none": it runs with no user/session at all
openeducat_core route-public-sudo /openeducat_core/get_faculty_dash_data — Unauthenticated endpoint 'OpenEduCatAppController.compute_faculty_dashboard_data' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
openeducat_core route-auth-none /openeducat_core/get_faculty_dash_data — Endpoint 'OpenEduCatAppController.compute_faculty_dashboard_data' uses auth="none": it runs with no user/session at all
openeducat_library rule-group-bypass view_media_request_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
openeducat_timetable rule-group-bypass backoffice_session_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
partner_multi_relation_hierarchy acl-global-read read_res_partner_relation_hierarchy — Access rule grants read on 'model_res_partner_relation_hierarchy' to every user (portal/public included): no group is set
partner_multi_relation_tabs acl-global-read read_res_partner_tab — Access rule grants read on 'model_res_partner_tab' to every user (portal/public included): no group is set
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/return — Unauthenticated endpoint 'AdyenController.adyen_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-auth-none /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all
payment_adyen route-public-csrf-off /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-public-sudo /payment/adyen/notification — Unauthenticated endpoint 'AdyenController.adyen_notification' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_adyen route-auth-none /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all
payment_authorize route-public-csrf-off /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-sudo /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-public-sudo /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Unauthenticated endpoint 'BuckarooController.buckaroo_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-auth-none /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all
payment_payumoney route-public-csrf-off /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Public HTTP endpoint 'PayuMoneyController.payu_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_payumoney route-public-sudo /payment/payumoney/return, /payment/payumoney/cancel, /payment/payumoney/error — Unauthenticated endpoint 'PayuMoneyController.payu_return' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-public-sudo /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Unauthenticated endpoint 'RedsysController.redsys_return' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_redsys route-auth-none /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Endpoint 'RedsysController.redsys_return' uses auth="none": it runs with no user/session at all
payment_redsys route-public-sudo /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all
payment_sips route-public-csrf-off /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all
payment_stripe route-public-sudo /payment/stripe/create_charge — Unauthenticated endpoint 'StripeController.stripe_create_charge' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_sca route-public-sudo /payment/stripe/success, /payment/stripe/cancel — Unauthenticated endpoint 'StripeControllerSCA.stripe_success' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_sca route-public-sudo /payment/stripe/set_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_create_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_stripe_sca route-public-sudo /payment/stripe/s2s/process_payment_intent — Unauthenticated endpoint 'StripeControllerSCA.stripe_s2s_confirm_payment_intent' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-public-csrf-off /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_transfer route-public-sudo /payment/transfer/feedback — Unauthenticated endpoint 'OgoneController.transfer_form_feedback' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
payment_transfer route-auth-none /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
privacy_consent route-public-sudo /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Unauthenticated endpoint 'ConsentController.consent' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
privacy_consent route-auth-none /privacy/consent/<any(accept,reject):choice>/<int:consent_id>/<token> — Endpoint 'ConsentController.consent' uses auth="none": it runs with no user/session at all
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_life_period acl-global-read access_product_life_period_user — Access rule grants read on 'model_product_life_period' to every user (portal/public included): no group is set
product_price_category acl-global-read access_product_price_category_user — Access rule grants read on 'model_product_price_category' to every user (portal/public included): no group is set
product_variant_configurator acl-global-write access_product_configurator_attribute_all — Access rule grants write/create/unlink on 'model_product_configurator_attribute' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
quality_control acl-global-read access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set
queue_job route-auth-none /queue_job/session — Endpoint 'RunJobController.session' uses auth="none": it runs with no user/session at all
queue_job route-auth-none /queue_job/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
rating route-public-sudo /rating/<string:token>/<int:rate> — Unauthenticated endpoint 'Rating.open_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
rating route-public-sudo /rating/<string:token>/<int:rate>/submit_feedback — Unauthenticated endpoint 'Rating.submit_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
report acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
stay acl-global-read access_stay_date_label_user — Access rule grants read on 'model_stay_date_label' to every user (portal/public included): no group is set
stock_lot_sale_tracking acl-global-read stock_lot_tracking_access_everybody — Access rule grants read on 'model_stock_lot_sale_tracking_report' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set
stock_scanner rule-group-bypass scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group
stock_tracking_add_remove acl-global-write access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
storage_file acl-global-read access_storage_file_read_public — Access rule grants read on 'model_storage_file' to every user (portal/public included): no group is set
survey acl-global-read access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set
survey acl-global-read access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set
survey acl-global-read access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set
survey acl-global-read access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set
survey acl-global-read access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set
survey route-public-sudo /survey/start/<model("survey.survey"):survey>, /survey/start/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.start_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/fill/<model("survey.survey"):survey>/<string:token>, /survey/fill/<model("survey.survey"):survey>/<string:token>/<string:prev> — Unauthenticated endpoint 'WebsiteSurvey.fill_survey' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/prefill/<model("survey.survey"):survey>/<string:token>, /survey/prefill/<model("survey.survey"):survey>/<string:token>/<model("survey.page"):page> — Unauthenticated endpoint 'WebsiteSurvey.prefill' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/scores/<model("survey.survey"):survey>/<string:token> — Unauthenticated endpoint 'WebsiteSurvey.get_scores' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
survey route-public-sudo /survey/submit/<model("survey.survey"):survey> — Unauthenticated endpoint 'WebsiteSurvey.submit' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
test_read_group acl-global-read access_test_read_group_on_date — Access rule grants read on 'model_test_read_group_on_date' to every user (portal/public included): no group is set
test_read_group acl-global-read access_test_read_group_aggregate_boolean — Access rule grants read on 'model_test_read_group_aggregate_boolean' to every user (portal/public included): no group is set
web route-auth-none /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all
web_favicon route-public-sudo /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
web_favicon route-auth-none /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all
web_tour acl-global-read access_web_tour_tour — Access rule grants read on 'model_web_tour_tour' to every user (portal/public included): no group is set
webhook route-public-sudo /webhook/<webhook_name> — Unauthenticated endpoint 'WebhookController.webhook' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
webhook route-auth-none /webhook/<webhook_name> — Endpoint 'WebhookController.webhook' uses auth="none": it runs with no user/session at all
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_blog route-public-sudo /blog/<model("blog.blog"):blog>/post/<model("blog.post", "[('blog_id','=',blog[0])]"):blog_post> — Unauthenticated endpoint 'WebsiteBlog.blog_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog route-public-sudo /blog/post_get_discussion/ — Unauthenticated endpoint 'WebsiteBlog.discussion' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_blog_category acl-global-read blog_category — Access rule grants read on 'model_blog_category' to every user (portal/public included): no group is set
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_crm_partner_assign route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<int:country_id>, /customers/country/<country_name>-<int:country_id>, /customers/country/<int:country_id>/page/<int:page>, /customers/country/<country_name>-<int:country_id>/page/<int:page>, /customers/tag/<tag_id>, /customers/tag/<tag_id>/page/<int:page>, /customers/tag/<tag_id>/country/<int:country_id>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>, /customers/tag/<tag_id>/country/<int:country_id>/page/<int:page>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer route-public-sudo /customers/<partner_id> — Unauthenticated endpoint 'WebsiteCustomer.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set
website_event route-public-sudo /event/<model("event.event"):event>/register — Unauthenticated endpoint 'WebsiteEventController.event_register' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event route-public-sudo /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions acl-global-write event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
website_event_sale acl-global-read access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set
website_event_sale route-public-sudo /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'WebsiteEventSaleController.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track acl-global-read access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_event_track route-public-sudo /event/<model("event.event"):event>/track/<model("event.track", "[('event_id','=',event[0])]"):track> — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event", "[('show_tracks','=',1)]"):event>/agenda — Unauthenticated endpoint 'WebsiteEventTrackController.event_agenda' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track route-public-sudo /event/<model("event.event"):event>/track_proposal/post — Unauthenticated endpoint 'WebsiteEventTrackController.event_track_proposal_post' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum route-public-sudo /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum_censored acl-global-read access_forum_censored_phrase_everyone — Access rule grants read on 'model_forum_censored_phrase' to every user (portal/public included): no group is set
website_forum_doc acl-global-read all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'GoogleMap.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country", "[(0, '=', 1)]"):country>, /jobs/department/<model("hr.department", "[(0, '=', 1)]"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department", "[(0, '=', 1)]"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country", "[(0, '=', 1)]"):country>/office/<int:office_id>, /jobs/department/<model("hr.department", "[(0, '=', 1)]"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department", "[(0, '=', 1)]"):department>/office/<int:office_id> — Unauthenticated endpoint 'WebsiteHrRecruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_logo route-auth-none /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all
website_mail route-public-sudo /website_mail/follow — Unauthenticated endpoint 'WebsiteMail.website_message_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail route-public-sudo /website_mail/is_follower — Unauthenticated endpoint 'WebsiteMail.is_follower' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/unsubscribe/<model('mail.channel'):channel>/<int:partner_id>/<string:token> — Unauthenticated endpoint 'MailGroup.confirm_unsubscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-auth-none /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all
website_mass_mailing route-public-sudo /website_mass_mailing/is_subscriber — Unauthenticated endpoint 'MassMailController.is_subscriber' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/subscribe — Unauthenticated endpoint 'MassMailController.subscribe' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /website_mass_mailing/get_content — Unauthenticated endpoint 'MassMailController.get_mass_mailing_content' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_membership route-public-sudo /members/<partner_id> — Unauthenticated endpoint 'WebsiteMembership.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_multi_theme acl-global-read access_website_theme_public — Access rule grants read on 'model_website_theme' to every user (portal/public included): no group is set
website_multi_theme acl-global-read access_website_theme_asset_public — Access rule grants read on 'model_website_theme_asset' to every user (portal/public included): no group is set
website_partner route-public-sudo /partners/<partner_id> — Unauthenticated endpoint 'WebsitePartnerPage.partners_detail' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_payment route-public-sudo /website_payment/pay — Unauthenticated endpoint 'WebsitePayment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_payment route-public-sudo /website_payment/transaction — Unauthenticated endpoint 'WebsitePayment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.view' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/accept — Unauthenticated endpoint 'sale_quote.accept' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/<token>/decline — Unauthenticated endpoint 'sale_quote.decline' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/update_line_dict — Unauthenticated endpoint 'sale_quote.update_line_dict' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/add_line/<int:option_id>/<int:order_id>/<token> — Unauthenticated endpoint 'sale_quote.add' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_quote route-public-sudo /quote/<int:order_id>/transaction/<int:acquirer_id>/<token> — Unauthenticated endpoint 'sale_quote.payment_transaction_token' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_image_public — Access rule grants read on 'model_product_image' to every user (portal/public included): no group is set
website_sale rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'WebsiteSaleDigital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_seo_redirection acl-global-read read_everyone — Access rule grants read on 'model_website_seo_redirection' to every user (portal/public included): no group is set
website_slides route-public-sudo /slides/slide/<model("slide.slide", "[('channel_id.can_see', '=', True)]"):slide>/comment — Unauthenticated endpoint 'WebsiteSlides.slide_comment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set

Active Pull Requests 0

No open migration PRs/MRs tracked.

Security Findings

Errors 133

Module Code Message
anonymization acl-global-write access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_template — Access rule grants write/create/unlink on 'model_custom_info_template' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_property — Access rule grants write/create/unlink on 'model_custom_info_property' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_value — Access rule grants write/create/unlink on 'model_custom_info_value' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_option — Access rule grants write/create/unlink on 'model_custom_info_option' to EVERY user (portal/public included): no group is set
base_custom_info acl-global-write access_category — Access rule grants write/create/unlink on 'model_custom_info_category' to EVERY user (portal/public included): no group is set
base_tier_validation acl-global-write access_tier_review — Access rule grants write/create/unlink on 'model_tier_review' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set
bus acl-public-write access_bus_presence_portal — Access rule grants write/create/unlink on 'model_bus_presence' to the portal/public group 'base.group_portal'
calendar acl-public-write access_calendar_attendee_portal — Access rule grants write on 'model_calendar_attendee' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
crm_partner_assign acl-public-write lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'model_crm_lead' to the portal/public group 'base.group_portal'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
mail acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'model_mail_message' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_mail_portal — Access rule grants write/create on 'model_mail_mail' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_followers_portal — Access rule grants write/create on 'model_mail_followers' to the portal/public group 'base.group_portal'
mail acl-public-write access_mail_channel_partner_portal — Access rule grants write/create/unlink on 'model_mail_channel_partner' to the portal/public group 'base.group_portal'
openeducat_classroom acl-global-write access_op_asset — Access rule grants write/create/unlink on 'model_op_asset' to EVERY user (portal/public included): no group is set
payment acl-public-write payment_method_portal — Access rule grants write/create/unlink on 'model_payment_method' to the portal/public group 'base.group_portal'
portal acl-public-write access_ir_attachment_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'base.group_portal'
portal_gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
portal_gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
product_dependencies acl-global-write access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set
purchase_transport_document acl-global-write access_transport_document — Access rule grants write/create/unlink on 'model_transport_document' to EVERY user (portal/public included): no group is set
rating acl-public-write access_rating_public — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_public'
rating acl-public-write access_rating_portal — Access rule grants write/create on 'rating.model_rating_rating' to the portal/public group 'base.group_portal'
report acl-global-write paperformat_access_employee — Access rule grants create on 'model_report_paperformat' to EVERY user (portal/public included): no group is set
report acl-global-write access_report — Access rule grants write/create/unlink on 'model_report' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set
report_wkhtmltopdf_param acl-global-write paperformat_parameter_access_employee — Access rule grants create on 'model_report_paperformat_parameter' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_scenario_custom_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_scenario_custom' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_function_noinfiniterecursion — Access rule grants write/create/unlink on 'model_test_old_api_function_noinfiniterecursion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_function_counter — Access rule grants write/create/unlink on 'model_test_old_api_function_counter' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_recursive — Access rule grants write/create/unlink on 'model_test_new_api_recursive' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model — Access rule grants write/create/unlink on 'model_test_workflow_model' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_trigger — Access rule grants write/create/unlink on 'model_test_workflow_trigger' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_a — Access rule grants write/create/unlink on 'model_test_workflow_model_a' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_b — Access rule grants write/create/unlink on 'model_test_workflow_model_b' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_c — Access rule grants write/create/unlink on 'model_test_workflow_model_c' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_d — Access rule grants write/create/unlink on 'model_test_workflow_model_d' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_e — Access rule grants write/create/unlink on 'model_test_workflow_model_e' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_f — Access rule grants write/create/unlink on 'model_test_workflow_model_f' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_g — Access rule grants write/create/unlink on 'model_test_workflow_model_g' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_h — Access rule grants write/create/unlink on 'model_test_workflow_model_h' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_i — Access rule grants write/create/unlink on 'model_test_workflow_model_i' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_j — Access rule grants write/create/unlink on 'model_test_workflow_model_j' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_k — Access rule grants write/create/unlink on 'model_test_workflow_model_k' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_l — Access rule grants write/create/unlink on 'model_test_workflow_model_l' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_campaign — Access rule grants create on 'model_utm_campaign' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_medium — Access rule grants create on 'model_utm_medium' to EVERY user (portal/public included): no group is set
utm acl-global-write access_utm_source — Access rule grants create on 'model_utm_source' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test — Access rule grants write/create/unlink on 'model_web_editor_converter_test' to EVERY user (portal/public included): no group is set
web_editor acl-global-write access_web_editor_converter_test_sub — Access rule grants write/create/unlink on 'model_web_editor_converter_test_sub' to EVERY user (portal/public included): no group is set
web_shortcut acl-global-write access_web_shortcut — Access rule grants write/create/unlink on 'model_web_shortcut' to EVERY user (portal/public included): no group is set
web_tip acl-global-write access_web_tip — Access rule grants write on 'model_web_tip' to EVERY user (portal/public included): no group is set
website_crm_claim acl-public-write access_crm_claim — Access rule grants create on 'crm_claim.model_crm_claim' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_portal_contact acl-public-write access_partners — Access rule grants write/create on 'base.model_res_partner' to the portal/public group 'base.group_portal'
website_sale_recently_viewed_products acl-public-write access_website_sale_product_view_public — Access rule grants write/create on 'model_website_sale_product_view' to the portal/public group 'base.group_public'
website_sale_wishlist acl-global-write access_product_wishlist — Access rule grants write/create/unlink on 'model_product_wishlist' to EVERY user (portal/public included): no group is set

Warnings 244

Module Code Message
anonymization acl-global-read access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set
auth_totp route-public-sudo /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-auth-none /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all
base acl-global-read access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set
base acl-global-read access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-write access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-read access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set
base acl-global-write access_res_users_log_all — Access rule grants create on 'model_res_users_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-write access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base_action_rule acl-global-read access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
calendar route-auth-none /calendar/notify — Endpoint 'meeting_invitation.notify' uses auth="none": it runs with no user/session at all
calendar route-auth-none /calendar/notify_ack — Endpoint 'meeting_invitation.notify_ack' uses auth="none": it runs with no user/session at all
connector route-auth-none /connector/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
connector_woocommerce acl-global-read access_woo_sale_order_status — Access rule grants read on 'model_woo_sale_order_status' to every user (portal/public included): no group is set
connector_woocommerce acl-global-read access_woo_sale_order_line — Access rule grants read on 'model_woo_sale_order_line' to every user (portal/public included): no group is set
crm acl-global-read access_crm_stage — Access rule grants read on 'model_crm_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_action rule-group-bypass crm_rule_all_action — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_phone rule-group-bypass all_crm_phonecall_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
decimal_precision acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
google_account route-auth-none /google_account/authentication — Endpoint 'google_auth.oauth2callback' uses auth="none": it runs with no user/session at all
help_online rule-group-bypass online_help_reader_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_evaluation rule-group-bypass hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense_accountedge rule-group-bypass property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_gamification rule-group-bypass goal_officer_visibility — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_schedule rule-group-bypass property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_security rule-group-bypass property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hw_blackbox_be route-auth-none /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all
hw_blackbox_be route-auth-none /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all
hw_scanner route-auth-none /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_livechat_channel — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat acl-global-read access_livechat_channel_rule — Access rule grants read on 'model_im_livechat_channel_rule' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/external_lib.<any(css,js):ext> — Endpoint 'LivechatController.livechat_lib' uses auth="none": it runs with no user/session at all
im_livechat route-public-sudo /im_livechat/support/<int:channel_id> — Unauthenticated endpoint 'LivechatController.support_page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/loader/<int:channel_id> — Unauthenticated endpoint 'LivechatController.loader' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/init — Unauthenticated endpoint 'LivechatController.livechat_init' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/history — Unauthenticated endpoint 'LivechatController.history' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
im_livechat route-public-sudo /im_livechat/feedback — Unauthenticated endpoint 'LivechatController.feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set
l10n_eu_service acl-global-read access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
link_tracker route-auth-none /r/<string:code> — Endpoint 'link_tracker.full_url_redirect' uses auth="none": it runs with no user/session at all
mail acl-global-write access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail route-auth-none /mail/receive — Endpoint 'MailController.receive' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/view — Unauthenticated endpoint 'MailController.mail_action_view' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/view — Endpoint 'MailController.mail_action_view' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/<string:res_model>/<int:res_id>/avatar/<int:partner_id> — Unauthenticated endpoint 'MailController.avatar' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-public-sudo /mail/chat_post — Unauthenticated endpoint 'MailChatController.mail_chat_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_post — Endpoint 'MailChatController.mail_chat_post' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/chat_history — Unauthenticated endpoint 'MailChatController.mail_chat_history' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_history — Endpoint 'MailChatController.mail_chat_history' uses auth="none": it runs with no user/session at all
mail route-public-sudo /mail/chat_init — Unauthenticated endpoint 'MailChatController.mail_chat_init' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
mail route-auth-none /mail/chat_init — Endpoint 'MailChatController.mail_chat_init' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/all/<string:db> — Public HTTP endpoint 'MailTrackingController.mail_tracking_all' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all
mail_tracking route-public-csrf-off /mail/tracking/event/<string:db>/<string:event_type> — Public HTTP endpoint 'MailTrackingController.mail_tracking_event' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
mail_tracking route-auth-none /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mass acl-global-read access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set
mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
mass_mailing route-auth-none /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all
mass_mailing route-auth-none /r/<string:code>/m/<int:stat_id> — Endpoint 'MassMailController.full_url_redirect' uses auth="none": it runs with no user/session at all
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
oauth_provider acl-global-read oauth_provider_client_all_users — Access rule grants read on 'model_oauth_provider_client' to every user (portal/public included): no group is set
oauth_provider acl-global-read oauth_provider_scope_all_users — Access rule grants read on 'model_oauth_provider_scope' to every user (portal/public included): no group is set
oauth_provider acl-global-read oauth_provider_redirect_uri_all_users — Access rule grants read on 'model_oauth_provider_redirect_uri' to every user (portal/public included): no group is set
oauth_provider acl-global-read oauth_provider_authorization_code_all_users — Access rule grants read on 'model_oauth_provider_authorization_code' to every user (portal/public included): no group is set
oauth_provider acl-global-read oauth_provider_token_all_users — Access rule grants read on 'model_oauth_provider_token' to every user (portal/public included): no group is set
oauth_provider route-public-csrf-off /oauth2/token — Public HTTP endpoint 'OAuth2ProviderController.token' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
oauth_provider route-public-sudo /oauth2/token — Unauthenticated endpoint 'OAuth2ProviderController.token' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
oauth_provider route-auth-none /oauth2/token — Endpoint 'OAuth2ProviderController.token' uses auth="none": it runs with no user/session at all
oauth_provider route-auth-none /oauth2/tokeninfo — Endpoint 'OAuth2ProviderController.tokeninfo' uses auth="none": it runs with no user/session at all
oauth_provider route-auth-none /oauth2/userinfo — Endpoint 'OAuth2ProviderController.userinfo' uses auth="none": it runs with no user/session at all
oauth_provider route-auth-none /oauth2/otherinfo — Endpoint 'OAuth2ProviderController.otherinfo' uses auth="none": it runs with no user/session at all
oauth_provider route-auth-none /oauth2/revoke_token — Endpoint 'OAuth2ProviderController.revoke_token' uses auth="none": it runs with no user/session at all
oauth_provider_jwt route-public-sudo /oauth2/public_key — Unauthenticated endpoint 'OAuth2ProviderController.public_key' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
oauth_provider_jwt route-auth-none /oauth2/public_key — Endpoint 'OAuth2ProviderController.public_key' uses auth="none": it runs with no user/session at all
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_map acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_multi_relation acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
payment rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
payment_adyen route-public-csrf-off /payment/adyen/return — Public HTTP endpoint 'AdyenController.adyen_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-auth-none /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all
payment_adyen route-public-csrf-off /payment/adyen/notification — Public HTTP endpoint 'AdyenController.adyen_notification' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_adyen route-auth-none /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all
payment_authorize route-public-csrf-off /payment/authorize/return/, /payment/authorize/cancel/ — Public HTTP endpoint 'AuthorizeController.authorize_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_authorize route-public-sudo /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-public-csrf-off /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Public HTTP endpoint 'BuckarooController.buckaroo_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_buckaroo route-auth-none /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all
payment_ogone route-auth-none /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all
payment_ogone route-public-csrf-off /payment/ogone/s2s/create — Public HTTP endpoint 'OgoneController.ogone_s2s_create' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-public-csrf-off /payment/ogone/s2s/feedback — Public HTTP endpoint 'OgoneController.feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_ogone route-auth-none /payment/ogone/s2s/feedback — Endpoint 'OgoneController.feedback' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/ipn/ — Public HTTP endpoint 'PaypalController.paypal_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/dpn — Public HTTP endpoint 'PaypalController.paypal_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all
payment_paypal route-public-csrf-off /payment/paypal/cancel — Public HTTP endpoint 'PaypalController.paypal_cancel' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_paypal route-auth-none /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all
payment_redsys route-public-csrf-off /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Public HTTP endpoint 'RedsysController.redsys_return' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_redsys route-auth-none /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Endpoint 'RedsysController.redsys_return' uses auth="none": it runs with no user/session at all
payment_redsys route-public-sudo /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-public-csrf-off /payment/sips/ipn/ — Public HTTP endpoint 'SipsController.sips_ipn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all
payment_sips route-public-csrf-off /payment/sips/dpn — Public HTTP endpoint 'SipsController.sips_dpn' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_sips route-auth-none /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all
payment_transfer route-public-csrf-off /payment/transfer/feedback — Public HTTP endpoint 'OgoneController.transfer_form_feedback' disables CSRF protection (fine for webhooks/callbacks, worth a review otherwise)
payment_transfer route-auth-none /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all
point_of_sale rule-group-bypass rule_pos_bank_statement_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_bank_statement_line_account_user — Record rule with an always-true domain bypasses every other record rule of its model for its group
point_of_sale rule-group-bypass rule_pos_cashbox_line_accountant — Record rule with an always-true domain bypasses every other record rule of its model for its group
pos_mercury acl-global-read access_pos_mercury_mercury_transaction — Access rule grants read on 'model_pos_mercury_mercury_transaction' to every user (portal/public included): no group is set
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_extended acl-global-write access_wizard_price_all — Access rule grants write/create/unlink on 'model_wizard_price' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_variant_configurator acl-global-write access_product_configurator_attribute_all — Access rule grants write/create/unlink on 'model_product_configurator_attribute' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
quality_control acl-global-read access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set
report acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set
stock_scanner rule-group-bypass scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group
stock_tracking_add_remove acl-global-write access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
survey acl-global-read access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set
survey acl-global-read access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set
survey acl-global-read access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set
survey acl-global-read access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set
survey acl-global-read access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_alpha — Access rule grants read on 'model_test_new_api_alpha' to every user (portal/public included): no group is set
test_new_api acl-global-read access_test_new_api_bravo — Access rule grants read on 'model_test_new_api_bravo' to every user (portal/public included): no group is set
tr_barcode acl-global-write access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
web route-auth-none /web/pivot/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all
web_easy_switch_company route-auth-none /web_easy_switch_company/switch/change_current_company — Endpoint 'WebEasySwitchCompanyController.change_current_company' uses auth="none": it runs with no user/session at all
web_favicon route-public-sudo /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
web_favicon route-auth-none /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_crm_partner_assign route-public-sudo /partners, /partners/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>, /partners/grade/<model("res.partner.grade"):grade>/page/<int:page>, /partners/country/<model("res.country"):country>, /partners/country/<model("res.country"):country>/page/<int:page>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>, /partners/grade/<model("res.partner.grade"):grade>/country/<model("res.country"):country>/page/<int:page> — Unauthenticated endpoint 'WebsiteCrmPartnerAssign.partners' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_customer acl-global-read res_partner_tag_sale_manager — Access rule grants read on 'model_res_partner_tag' to every user (portal/public included): no group is set
website_customer route-public-sudo /customers, /customers/page/<int:page>, /customers/country/<int:country_id>, /customers/country/<country_name>-<int:country_id>, /customers/country/<int:country_id>/page/<int:page>, /customers/country/<country_name>-<int:country_id>/page/<int:page>, /customers/tag/<tag_id>, /customers/tag/<tag_id>/page/<int:page>, /customers/tag/<tag_id>/country/<int:country_id>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>, /customers/tag/<tag_id>/country/<int:country_id>/page/<int:page>, /customers/tag/<tag_id>/country/<country_name>-<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteCustomer.customers' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event acl-global-read access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set
website_event route-public-sudo /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'website_event.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_questions acl-global-write event_registration_answer_all — Access rule grants write/create/unlink on 'model_event_registration_answer' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
website_event_sale acl-global-read access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set
website_event_sale route-public-sudo /event/<model("event.event"):event>/registration/confirm — Unauthenticated endpoint 'website_event.registration_confirm' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_track acl-global-read access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum route-public-sudo /forum/validate_email — Unauthenticated endpoint 'WebsiteForum.validate_email' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/question/<model("forum.post", "[('forum_id','=',forum[0]),('parent_id','=',False),('can_view', '=', True)]"):question> — Unauthenticated endpoint 'WebsiteForum.question' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/users, /forum/<model("forum.forum"):forum>/users/page/<int:page> — Unauthenticated endpoint 'WebsiteForum.users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/partner/<int:partner_id> — Unauthenticated endpoint 'WebsiteForum.open_partner' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/user/<int:user_id> — Unauthenticated endpoint 'WebsiteForum.open_user' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/badge — Unauthenticated endpoint 'WebsiteForum.badges' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum route-public-sudo /forum/<model("forum.forum"):forum>/badge/<model("gamification.badge"):badge> — Unauthenticated endpoint 'WebsiteForum.badge_users' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_forum_censored acl-global-read access_forum_censored_phrase_everyone — Access rule grants read on 'model_forum_censored_phrase' to every user (portal/public included): no group is set
website_forum_doc acl-global-read all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set
website_google_map route-public-sudo /google_map — Unauthenticated endpoint 'google_map.google_map' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'website_hr_recruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_livechat acl-global-read access_im_livechat_channel_public — Access rule grants read on 'im_livechat.model_im_livechat_channel' to every user (portal/public included): no group is set
website_livechat route-public-sudo /livechat/channel/<model("im_livechat.channel"):channel> — Unauthenticated endpoint 'WebsiteLivechat.channel_rating' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_logo route-auth-none /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all
website_mail_channel route-public-sudo /groups/is_member — Unauthenticated endpoint 'MailGroup.is_member' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mail_channel route-public-sudo /groups/subscription — Unauthenticated endpoint 'MailGroup.subscription' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /mail/mailing/<int:mailing_id>/unsubscribe — Unauthenticated endpoint 'MassMailController.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-public-sudo /mail/mailing/unsubscribe — Unauthenticated endpoint 'MassMailController.unsubscribe' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
website_mass_mailing route-auth-none /mail/mailing/unsubscribe — Endpoint 'MassMailController.unsubscribe' uses auth="none": it runs with no user/session at all
website_membership route-public-sudo /members, /members/page/<int:page>, /members/association/<membership_id>, /members/association/<membership_id>/page/<int:page>, /members/country/<int:country_id>, /members/country/<country_name>-<int:country_id>, /members/country/<int:country_id>/page/<int:page>, /members/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<country_name>-<int:country_id>, /members/association/<membership_id>/country/<int:country_id>, /members/association/<membership_id>/country/<country_name>-<int:country_id>/page/<int:page>, /members/association/<membership_id>/country/<int:country_id>/page/<int:page> — Unauthenticated endpoint 'WebsiteMembership.members' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_payment route-public-sudo /website_payment/pay — Unauthenticated endpoint 'website_payment.pay' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_payment route-public-sudo /website_payment/transaction — Unauthenticated endpoint 'website_payment.transaction' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_rating_project_issue route-public-sudo /project/rating/ — Unauthenticated endpoint 'WebsiteRatingProject.index' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_rating_project_issue route-public-sudo /project/rating/<int:project_id> — Unauthenticated endpoint 'WebsiteRatingProject.page' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set
website_sale acl-global-read access_website_pricelist — Access rule grants read on 'model_website_pricelist' to every user (portal/public included): no group is set
website_sale_digital route-public-sudo /my/download — Unauthenticated endpoint 'website_sale_digital.download_attachment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_seo_redirection acl-global-read read_everyone — Access rule grants read on 'model_website_seo_redirection' to every user (portal/public included): no group is set
website_slides route-public-sudo /slides/slide/<model("slide.slide", "[('channel_id.can_see', '=', True)]"):slide>/comment — Unauthenticated endpoint 'website_slides.slide_comment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'website_slides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set

Active Pull Requests 0

No open migration PRs/MRs tracked.

Security Findings

Errors 128

Module Code Message
anonymization acl-global-write access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_default_group_system — Access rule grants write/create/unlink on 'model_ir_default' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set
bi_view_editor acl-global-write access_bve_view_everyone — Access rule grants write/create/unlink on 'bi_view_editor.model_bve_view' to EVERY user (portal/public included): no group is set
calendar acl-public-write access_calendar_attendee_portal — Access rule grants write on 'model_calendar_attendee' to the portal/public group 'base.group_portal'
calendar rule-public-bypass calendar_attendee_rule_my — Record rule with an always-true domain grants portal/public users access to every record of its model
crm_partner_assign acl-public-write lead_portal_access — Access rule grants write on 'crm.model_crm_lead' to the portal/public group 'base.group_portal'
crm_partner_assign acl-public-write partner_access_crm_lead — Access rule grants write on 'model_crm_lead' to the portal/public group 'base.group_portal'
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
im_chat acl-public-write access_im_chat_message_portal — Access rule grants create on 'model_im_chat_message' to the portal/public group 'base.group_portal'
im_chat acl-public-write access_im_chat_session_portal — Access rule grants write/create on 'model_im_chat_session' to the portal/public group 'base.group_portal'
im_chat acl-public-write access_im_chat_conversation_state_portal — Access rule grants write/create on 'model_im_chat_conversation_state' to the portal/public group 'base.group_portal'
im_chat acl-public-write access_im_chat_presence_portal — Access rule grants write/create/unlink on 'model_im_chat_presence' to the portal/public group 'base.group_portal'
l10n_br_hr acl-global-write access_hr_employee_dependent — Access rule grants write/create/unlink on 'model_hr_employee_dependent' to EVERY user (portal/public included): no group is set
lunch acl-global-write access_report_order_line — Access rule grants write/create/unlink on 'model_report_lunch_order_line' to EVERY user (portal/public included): no group is set
lunch acl-global-write access_lunch_validation — Access rule grants write/create/unlink on 'model_lunch_validation' to EVERY user (portal/public included): no group is set
lunch acl-global-write access_lunch_cancel — Access rule grants write/create/unlink on 'model_lunch_cancel' to EVERY user (portal/public included): no group is set
openeducat_erp acl-global-write access_op_room — Access rule grants write/create/unlink on 'model_op_room' to EVERY user (portal/public included): no group is set
openeducat_erp acl-global-write access_op_asset — Access rule grants write/create/unlink on 'model_op_asset' to EVERY user (portal/public included): no group is set
openeducat_erp acl-global-write access_op_allocat_division — Access rule grants write/create/unlink on 'model_op_allocat_division' to EVERY user (portal/public included): no group is set
portal acl-public-write access_mail_message_portal — Access rule grants write/create/unlink on 'mail.model_mail_message' to the portal/public group 'base.group_portal'
portal acl-public-write access_mail_mail_portal — Access rule grants write/create on 'mail.model_mail_mail' to the portal/public group 'base.group_portal'
portal acl-public-write access_mail_notification_portal — Access rule grants write/create on 'mail.model_mail_notification' to the portal/public group 'base.group_portal'
portal acl-public-write access_mail_followers_portal — Access rule grants write on 'mail.model_mail_followers' to the portal/public group 'base.group_portal'
portal acl-public-write access_ir_attachment_group_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'base.group_portal'
portal_claim acl-public-write access_crm_claim — Access rule grants create on 'crm_claim.model_crm_claim' to the portal/public group 'base.group_portal'
portal_gamification acl-public-write goal_portal — Access rule grants write on 'gamification.model_gamification_goal' to the portal/public group 'base.group_portal'
portal_gamification acl-public-write badge_user_portal — Access rule grants write/create on 'gamification.model_gamification_badge_user' to the portal/public group 'base.group_portal'
product_dependencies acl-global-write access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set
purchase_transport_document acl-global-write access_transport_document — Access rule grants write/create/unlink on 'model_transport_document' to EVERY user (portal/public included): no group is set
report acl-global-write paperformat_access_employee — Access rule grants create on 'model_report_paperformat' to EVERY user (portal/public included): no group is set
report acl-global-write access_report — Access rule grants write/create/unlink on 'model_report' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_user — Access rule grants write on 'stock_scanner.model_scanner_hardware' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_hardware_step_history_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_hardware_step_history' to EVERY user (portal/public included): no group is set
stock_scanner acl-global-write scanner_scenario_custom_user — Access rule grants write/create/unlink on 'stock_scanner.model_scanner_scenario_custom' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_public — Access rule grants write/create on 'model_survey_user_input' to EVERY user (portal/public included): no group is set
survey acl-global-write access_survey_user_input_line_public — Access rule grants write/create on 'model_survey_user_input_line' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_some_obj — Access rule grants write/create/unlink on 'model_test_access_right_some_obj' to EVERY user (portal/public included): no group is set
test_access_rights acl-global-write access_test_access_right_container — Access rule grants write/create/unlink on 'model_test_access_right_container' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_converter_model — Access rule grants write/create/unlink on 'model_test_converter_test_model' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_test_model_sub — Access rule grants write/create/unlink on 'model_test_converter_test_model_sub' to EVERY user (portal/public included): no group is set
test_converter acl-global-write access_test_converter_monetary — Access rule grants write/create/unlink on 'model_test_converter_monetary' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_0 — Access rule grants write/create/unlink on 'model_inheritance_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_inheritance_1 — Access rule grants write/create/unlink on 'model_inheritance_1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_extension_0 — Access rule grants write/create/unlink on 'model_extension_0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child0 — Access rule grants write/create/unlink on 'model_delegation_child0' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_child1 — Access rule grants write/create/unlink on 'model_delegation_child1' to EVERY user (portal/public included): no group is set
test_documentation_examples acl-global-write access_delegation_parent — Access rule grants write/create/unlink on 'model_delegation_parent' to EVERY user (portal/public included): no group is set
test_exceptions acl-global-write access_test_exceptions_model — Access rule grants write/create/unlink on 'model_test_exceptions_model' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_boolean — Access rule grants write/create/unlink on 'model_export_boolean' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_integer — Access rule grants write/create/unlink on 'model_export_integer' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_float — Access rule grants write/create/unlink on 'model_export_float' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_decimal — Access rule grants write/create/unlink on 'model_export_decimal' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_bounded — Access rule grants write/create/unlink on 'model_export_string_bounded' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string_required — Access rule grants write/create/unlink on 'model_export_string_required' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_string — Access rule grants write/create/unlink on 'model_export_string' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_date — Access rule grants write/create/unlink on 'model_export_date' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_datetime — Access rule grants write/create/unlink on 'model_export_datetime' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_text — Access rule grants write/create/unlink on 'model_export_text' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection — Access rule grants write/create/unlink on 'model_export_selection' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_function — Access rule grants write/create/unlink on 'model_export_selection_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2one — Access rule grants write/create/unlink on 'model_export_many2one' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many — Access rule grants write/create/unlink on 'model_export_one2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many — Access rule grants write/create/unlink on 'model_export_many2many' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_function — Access rule grants write/create/unlink on 'model_export_function' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child — Access rule grants write/create/unlink on 'model_export_one2many_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple — Access rule grants write/create/unlink on 'model_export_one2many_multiple' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_multiple_child — Access rule grants write/create/unlink on 'model_export_one2many_multiple_child' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_1 — Access rule grants write/create/unlink on 'model_export_one2many_child_1' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_child_2 — Access rule grants write/create/unlink on 'model_export_one2many_child_2' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_many2many_other — Access rule grants write/create/unlink on 'model_export_many2many_other' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_selection_withdefault — Access rule grants write/create/unlink on 'model_export_selection_withdefault' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_one2many_recursive — Access rule grants write/create/unlink on 'model_export_one2many_recursive' to EVERY user (portal/public included): no group is set
test_impex acl-global-write access_export_unique — Access rule grants write/create/unlink on 'model_export_unique' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_mother — Access rule grants write/create/unlink on 'model_test_inherit_mother' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_daughter — Access rule grants write/create/unlink on 'model_test_inherit_daughter' to EVERY user (portal/public included): no group is set
test_inherit acl-global-write access_test_inherit_property — Access rule grants write/create/unlink on 'model_test_inherit_property' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_unit — Access rule grants write/create/unlink on 'model_test_unit' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_box — Access rule grants write/create/unlink on 'model_test_box' to EVERY user (portal/public included): no group is set
test_inherits acl-global-write access_test_pallet — Access rule grants write/create/unlink on 'model_test_pallet' to EVERY user (portal/public included): no group is set
test_limits acl-global-write access_test_limits_model — Access rule grants write/create/unlink on 'model_test_limits_model' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_category — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_category' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_discussion — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_discussion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_message — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_message' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_emailmessage — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_emailmessage' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_multi_line — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_multi_line' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_mixed — Access rule grants write/create/unlink on 'test_new_api.model_test_new_api_mixed' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_function_noinfiniterecursion — Access rule grants write/create/unlink on 'model_test_old_api_function_noinfiniterecursion' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_function_counter — Access rule grants write/create/unlink on 'model_test_old_api_function_counter' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_domain_bool — Access rule grants write/create/unlink on 'model_domain_bool' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_foo — Access rule grants write/create/unlink on 'model_test_new_api_foo' to EVERY user (portal/public included): no group is set
test_new_api acl-global-write access_test_new_api_bar — Access rule grants write/create/unlink on 'model_test_new_api_bar' to EVERY user (portal/public included): no group is set
test_uninstall acl-global-write access_test_uninstall_model — Access rule grants write/create/unlink on 'model_test_uninstall_model' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model — Access rule grants write/create/unlink on 'model_test_workflow_model' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_trigger — Access rule grants write/create/unlink on 'model_test_workflow_trigger' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_a — Access rule grants write/create/unlink on 'model_test_workflow_model_a' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_b — Access rule grants write/create/unlink on 'model_test_workflow_model_b' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_c — Access rule grants write/create/unlink on 'model_test_workflow_model_c' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_d — Access rule grants write/create/unlink on 'model_test_workflow_model_d' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_e — Access rule grants write/create/unlink on 'model_test_workflow_model_e' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_f — Access rule grants write/create/unlink on 'model_test_workflow_model_f' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_g — Access rule grants write/create/unlink on 'model_test_workflow_model_g' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_h — Access rule grants write/create/unlink on 'model_test_workflow_model_h' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_i — Access rule grants write/create/unlink on 'model_test_workflow_model_i' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_j — Access rule grants write/create/unlink on 'model_test_workflow_model_j' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_k — Access rule grants write/create/unlink on 'model_test_workflow_model_k' to EVERY user (portal/public included): no group is set
test_workflow acl-global-write access_test_workflow_model_l — Access rule grants write/create/unlink on 'model_test_workflow_model_l' to EVERY user (portal/public included): no group is set
web_shortcuts acl-global-write access_web_shortcut — Access rule grants write/create/unlink on 'model_web_shortcut' to EVERY user (portal/public included): no group is set
website acl-global-write access_website_converter_test — Access rule grants write/create/unlink on 'model_website_converter_test' to EVERY user (portal/public included): no group is set
website acl-global-write access_website_converter_test_sub — Access rule grants write/create/unlink on 'model_website_converter_test_sub' to EVERY user (portal/public included): no group is set
website_calendar_snippet rule-public-bypass website_calendar_block_partner_public — Record rule with an always-true domain grants portal/public users access to every record of its model
website_forum acl-public-write access_forum_post_portal — Access rule grants write/create/unlink on 'model_forum_post' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_post_vote_portal — Access rule grants write/create on 'model_forum_post_vote' to the portal/public group 'base.group_portal'
website_forum acl-public-write access_forum_tag_public — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_public'
website_forum acl-public-write access_forum_tag_portal — Access rule grants create on 'model_forum_tag' to the portal/public group 'base.group_portal'
website_sale_recently_viewed_products acl-global-write access_website_sale_product_view_public — Access rule grants write/create on 'model_website_sale_product_view' to EVERY user (portal/public included): no group is set
website_slides acl-public-write access_slide_slide_portal — Access rule grants write/create on 'model_slide_slide' to the portal/public group 'base.group_portal'

Warnings 229

Module Code Message
account_invoice_rounding_by_currency acl-global-read access_company_rounding — Access rule grants read on 'model_company_rounding' to every user (portal/public included): no group is set
account_invoice_transmit_method acl-global-read access_transmit_method_read — Access rule grants read on 'model_transmit_method' to every user (portal/public included): no group is set
account_outstanding_payment acl-global-read access_account_config_settings — Access rule grants read on 'model_account_config_settings' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set
auth_totp route-public-sudo /auth_totp/login — Unauthenticated endpoint 'AuthTotp.mfa_login_post' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
auth_totp route-auth-none /auth_totp/login — Endpoint 'AuthTotp.mfa_login_post' uses auth="none": it runs with no user/session at all
base acl-global-read access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set
base acl-global-read access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set
base acl-global-read access_ir_module_category_group_user — Access rule grants read on 'model_ir_module_category' to every user (portal/public included): no group is set
base acl-global-read access_ir_module_module_user — Access rule grants read on 'model_ir_module_module' to every user (portal/public included): no group is set
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set
base acl-global-read access_ir_sequence_type_group_user — Access rule grants read on 'model_ir_sequence_type' to every user (portal/public included): no group is set
base acl-global-write access_ir_translation_all — Access rule grants write/create/unlink on 'model_ir_translation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-write access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_bank_type_group_user — Access rule grants read on 'model_res_partner_bank_type' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_bank_type_field_group_user — Access rule grants read on 'model_res_partner_bank_type_field' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-read access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set
base acl-global-write access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_multi_company_default user — Access rule grants read on 'model_multi_company_default' to every user (portal/public included): no group is set
base acl-global-read access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base_action_rule acl-global-read access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set
base_report_to_printer acl-global-read ir_model_access_printingprinterall0 — Access rule grants read on 'model_printing_printer' to every user (portal/public included): no group is set
base_report_to_printer acl-global-read ir_model_access_printing_action_all0 — Access rule grants read on 'model_printing_action' to every user (portal/public included): no group is set
base_report_to_printer acl-global-read ir_model_access_printing_report_xml_action_all0 — Access rule grants read on 'model_printing_report_xml_action' to every user (portal/public included): no group is set
base_unece acl-global-read access_unece_code_list_read — Access rule grants read on 'model_unece_code_list' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
calendar rule-group-bypass calendar_event_rule_employee — Record rule with an always-true domain bypasses every other record rule of its model for its group
calendar route-auth-none /calendar/notify — Endpoint 'meeting_invitation.notify' uses auth="none": it runs with no user/session at all
calendar route-auth-none /calendar/notify_ack — Endpoint 'meeting_invitation.notify_ack' uses auth="none": it runs with no user/session at all
connector route-auth-none /connector/runjob — Endpoint 'RunJobController.runjob' uses auth="none": it runs with no user/session at all
connector_salesforce route-auth-none /salesforce/oauth — Endpoint 'SalesforceOAuthController.oauth' uses auth="none": it runs with no user/session at all
connector_woocommerce acl-global-read access_woo_sale_order_status — Access rule grants read on 'model_woo_sale_order_status' to every user (portal/public included): no group is set
connector_woocommerce acl-global-read access_woo_sale_order_line — Access rule grants read on 'model_woo_sale_order_line' to every user (portal/public included): no group is set
crm acl-global-read access_crm_case_stage — Access rule grants read on 'model_crm_case_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_rule_all_phones — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_rule_all_lead_report — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm_action rule-group-bypass crm_rule_all_action — Record rule with an always-true domain bypasses every other record rule of its model for its group
dead_mans_switch_server route-public-sudo /dead_mans_switch/alive — Unauthenticated endpoint 'Main.alive' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
dead_mans_switch_server route-auth-none /dead_mans_switch/alive — Endpoint 'Main.alive' uses auth="none": it runs with no user/session at all
decimal_precision acl-global-write access_decimal_precision_test_all — Access rule grants write/create/unlink on 'model_decimal_precision_test' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
edi route-auth-none /edi/import_url — Endpoint 'EDI.import_url' uses auth="none": it runs with no user/session at all
edi route-auth-none /edi/import_edi_url — Endpoint 'EDI.import_edi_url' uses auth="none": it runs with no user/session at all
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
event acl-global-read access_event_registration_portal — Access rule grants read on 'model_event_registration' to every user (portal/public included): no group is set
google_account route-auth-none /google_account/authentication — Endpoint 'google_auth.oauth2callback' uses auth="none": it runs with no user/session at all
help_online rule-group-bypass online_help_reader_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_evaluation rule-group-bypass hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense_accountedge rule-group-bypass property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_curriculum_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_academic_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_experience_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_certification_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_gamification rule-group-bypass goal_officer_visibility — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass resource_leaves_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_schedule rule-group-bypass property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_security rule-group-bypass property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hw_blackbox_be route-auth-none /hw_proxy/request_blackbox/ — Endpoint 'BlackboxDriver.request_blackbox' uses auth="none": it runs with no user/session at all
hw_blackbox_be route-auth-none /hw_proxy/request_serial/ — Endpoint 'BlackboxDriver.request_serial' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none / — Endpoint 'PosboxHomepage.index' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi — Endpoint 'PosboxHomepage.wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi_connect — Endpoint 'PosboxHomepage.connect_to_wifi' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /wifi_clear — Endpoint 'PosboxHomepage.clear_wifi_configuration' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /remote_connect — Endpoint 'PosboxHomepage.remote_connect' uses auth="none": it runs with no user/session at all
hw_posbox_homepage route-auth-none /enable_ngrok — Endpoint 'PosboxHomepage.enable_ngrok' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/upgrade — Endpoint 'PosboxUpgrader.upgrade' uses auth="none": it runs with no user/session at all
hw_posbox_upgrade route-auth-none /hw_proxy/perform_upgrade — Endpoint 'PosboxUpgrader.perform_upgrade' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_read/ — Endpoint 'ScaleDriver.scale_read' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_zero/ — Endpoint 'ScaleDriver.scale_zero' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_tare/ — Endpoint 'ScaleDriver.scale_tare' uses auth="none": it runs with no user/session at all
hw_scale route-auth-none /hw_proxy/scale_clear_tare/ — Endpoint 'ScaleDriver.scale_clear_tare' uses auth="none": it runs with no user/session at all
hw_scanner route-auth-none /hw_proxy/scanner — Endpoint 'ScannerDriver.scanner' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/display_refresh — Endpoint 'HardwareScreen.display_refresh' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/customer_facing_display — Endpoint 'HardwareScreen.update_user_facing_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/take_control — Endpoint 'HardwareScreen.take_control' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /hw_proxy/test_ownership — Endpoint 'HardwareScreen.test_ownership' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/display — Endpoint 'HardwareScreen.render_main_display' uses auth="none": it runs with no user/session at all
hw_screen route-auth-none /point_of_sale/get_serialized_order — Endpoint 'HardwareScreen.get_serialized_order' uses auth="none": it runs with no user/session at all
hw_telium_payment_terminal route-auth-none /hw_proxy/payment_terminal_transaction_start — Endpoint 'TeliumPaymentTerminalProxy.payment_terminal_transaction_start' uses auth="none": it runs with no user/session at all
im_chat route-auth-none /im_chat/init — Endpoint 'Controller.init' uses auth="none": it runs with no user/session at all
im_chat route-auth-none /im_chat/post — Endpoint 'Controller.post' uses auth="none": it runs with no user/session at all
im_chat route-auth-none /im_chat/image/<string:uuid>/<string:user_id> — Endpoint 'Controller.image' uses auth="none": it runs with no user/session at all
im_chat route-auth-none /im_chat/history — Endpoint 'Controller.history' uses auth="none": it runs with no user/session at all
im_livechat acl-global-read access_ls_chann1 — Access rule grants read on 'model_im_livechat_channel' to every user (portal/public included): no group is set
im_livechat route-auth-none /im_livechat/support/<string:dbname>/<int:channel_id> — Endpoint 'LiveChatController.support_page' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/loader/<string:dbname>/<int:channel_id> — Endpoint 'LiveChatController.loader' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/get_session — Endpoint 'LiveChatController.get_session' uses auth="none": it runs with no user/session at all
im_livechat route-auth-none /im_livechat/available — Endpoint 'LiveChatController.available' uses auth="none": it runs with no user/session at all
intrastat_product acl-global-read access_intrastat_unit_read — Access rule grants read on 'model_intrastat_unit' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transaction_read — Access rule grants read on 'model_intrastat_transaction' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_transport_mode_read — Access rule grants read on 'model_intrastat_transport_mode' to every user (portal/public included): no group is set
intrastat_product acl-global-read access_intrastat_region_read — Access rule grants read on 'model_intrastat_region' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transaction — Access rule grants read on 'model_l10n_be_intrastat_transaction' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_transport_mode — Access rule grants read on 'model_l10n_be_intrastat_transport_mode' to every user (portal/public included): no group is set
l10n_be_intrastat acl-global-read access_l10n_be_intrastat_region — Access rule grants read on 'model_l10n_be_intrastat_region' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_deficiency — Access rule grants read on 'model_hr_deficiency' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_identity_type — Access rule grants read on 'model_hr_identity_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_civil_certificate_type — Access rule grants read on 'model_hr_civil_certificate_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_chronic_disease — Access rule grants read on 'model_hr_chronic_disease' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_dependent_type — Access rule grants read on 'model_hr_dependent_type' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_ethnicity — Access rule grants read on 'model_hr_ethnicity' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_educational_attainment — Access rule grants read on 'model_hr_educational_attainment' to every user (portal/public included): no group is set
l10n_br_hr acl-global-read access_hr_nationality_code — Access rule grants read on 'model_hr_nationality_code' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_admission_type — Access rule grants read on 'model_hr_contract_admission_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_bond_type — Access rule grants read on 'model_hr_contract_labor_bond_type' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_labor_regime — Access rule grants read on 'model_hr_contract_labor_regime' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_salary_unit — Access rule grants read on 'model_hr_contract_salary_unit' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_resignation_cause — Access rule grants read on 'model_hr_contract_resignation_cause' to every user (portal/public included): no group is set
l10n_br_hr_contract acl-global-read access_hr_contract_notice_termination — Access rule grants read on 'model_hr_contract_notice_termination' to every user (portal/public included): no group is set
l10n_cn_fapiao acl-global-read access_fapiao_tag — Access rule grants read on 'model_fapiao_tag' to every user (portal/public included): no group is set
l10n_cn_fapiao acl-global-read access_fapiao_tax_type — Access rule grants read on 'model_fapiao_tax_type' to every user (portal/public included): no group is set
l10n_eu_service acl-global-read access_l10n_eu_service_service_tax_rate — Access rule grants read on 'model_l10n_eu_service_service_tax_rate' to every user (portal/public included): no group is set
l10n_it_account_tax_kind acl-global-read access_account_tax_kind_user — Access rule grants read on 'model_account_tax_kind' to every user (portal/public included): no group is set
l10n_pe_toponyms acl-global-read access_res_country_district_group_user — Access rule grants read on 'model_res_country_district' to every user (portal/public included): no group is set
l10n_pe_toponyms acl-global-read access_res_country_province_group_user — Access rule grants read on 'model_res_country_province' to every user (portal/public included): no group is set
letsencrypt route-auth-none /.well-known/acme-challenge/<filename> — Endpoint 'Letsencrypt.acme_challenge' uses auth="none": it runs with no user/session at all
mail acl-global-write access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail rule-group-bypass mail_followers_read_write_others — Record rule with an always-true domain bypasses every other record rule of its model for its group
mail route-auth-none /mail/receive — Endpoint 'MailController.receive' uses auth="none": it runs with no user/session at all
mail_mandrill route-auth-none /mandrill/event — Endpoint 'MailController.event' uses auth="none": it runs with no user/session at all
mail_tracking route-auth-none /mail/tracking/all/<string:db> — Endpoint 'MailTrackingController.mail_tracking_all' uses auth="none": it runs with no user/session at all
mail_tracking route-auth-none /mail/tracking/event/<string:db>/<string:event_type> — Endpoint 'MailTrackingController.mail_tracking_event' uses auth="none": it runs with no user/session at all
mail_tracking route-auth-none /mail/tracking/open/<string:db>/<int:tracking_email_id>/blank.gif — Endpoint 'MailTrackingController.mail_tracking_open' uses auth="none": it runs with no user/session at all
mass acl-global-read access_mass_request_type_user — Access rule grants read on 'model_mass_request_type' to every user (portal/public included): no group is set
mass_mailing route-auth-none /mail/track/<int:mail_id>/blank.gif — Endpoint 'MassMailController.track_mail_open' uses auth="none": it runs with no user/session at all
mass_mailing route-auth-none /mail/mailing/<int:mailing_id>/unsubscribe — Endpoint 'MassMailController.mailing' uses auth="none": it runs with no user/session at all
mass_mailing_custom_unsubscribe route-public-sudo CustomUnsubscribe.mailing — Unauthenticated endpoint 'CustomUnsubscribe.mailing' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
operating_unit acl-global-read access_account_operating_unit_user — Access rule grants read on 'model_operating_unit' to every user (portal/public included): no group is set
partner_external_maps acl-global-read access_map_website_read — Access rule grants read on 'model_map_website' to every user (portal/public included): no group is set
partner_relations acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_relations acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_relations acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
payment rule-group-bypass payment_transaction_salesman_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
payment_adyen route-auth-none /payment/adyen/return — Endpoint 'AdyenController.adyen_return' uses auth="none": it runs with no user/session at all
payment_adyen route-auth-none /payment/adyen/notification — Endpoint 'AdyenController.adyen_notification' uses auth="none": it runs with no user/session at all
payment_alipay route-auth-none /payment/alipay/notify/ — Endpoint 'AlipayController.alipay_autoreceive' uses auth="none": it runs with no user/session at all
payment_alipay route-auth-none /payment/alipay/return/ — Endpoint 'AlipayController.alipay_return' uses auth="none": it runs with no user/session at all
payment_authorize route-public-sudo /payment/authorize/return/, /payment/authorize/cancel/ — Unauthenticated endpoint 'AuthorizeController.authorize_form_feedback' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_buckaroo route-auth-none /payment/buckaroo/return, /payment/buckaroo/cancel, /payment/buckaroo/error, /payment/buckaroo/reject — Endpoint 'BuckarooController.buckaroo_return' uses auth="none": it runs with no user/session at all
payment_ogone route-auth-none /payment/ogone/accept, /payment/ogone/test/accept, /payment/ogone/decline, /payment/ogone/test/decline, /payment/ogone/exception, /payment/ogone/test/exception, /payment/ogone/cancel, /payment/ogone/test/cancel — Endpoint 'OgoneController.ogone_form_feedback' uses auth="none": it runs with no user/session at all
payment_paypal route-auth-none /payment/paypal/ipn/ — Endpoint 'PaypalController.paypal_ipn' uses auth="none": it runs with no user/session at all
payment_paypal route-auth-none /payment/paypal/dpn — Endpoint 'PaypalController.paypal_dpn' uses auth="none": it runs with no user/session at all
payment_paypal route-auth-none /payment/paypal/cancel — Endpoint 'PaypalController.paypal_cancel' uses auth="none": it runs with no user/session at all
payment_redsys route-auth-none /payment/redsys/return, /payment/redsys/cancel, /payment/redsys/error, /payment/redsys/reject — Endpoint 'RedsysController.redsys_return' uses auth="none": it runs with no user/session at all
payment_redsys route-public-sudo /payment/redsys/result/<page> — Unauthenticated endpoint 'RedsysController.redsys_result' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
payment_sips route-auth-none /payment/sips/ipn/ — Endpoint 'SipsController.sips_ipn' uses auth="none": it runs with no user/session at all
payment_sips route-auth-none /payment/sips/dpn — Endpoint 'SipsController.sips_dpn' uses auth="none": it runs with no user/session at all
payment_transfer route-auth-none /payment/transfer/feedback — Endpoint 'OgoneController.transfer_form_feedback' uses auth="none": it runs with no user/session at all
payment_wcpay route-auth-none /payment/weixin/notify — Endpoint 'WcpayController.weixin_notify' uses auth="none": it runs with no user/session at all
product acl-global-read access_product_pricelist_type_user — Access rule grants read on 'model_product_pricelist_type' to every user (portal/public included): no group is set
product_brand acl-global-read access_product_brand_public — Access rule grants read on 'model_product_brand' to every user (portal/public included): no group is set
product_extended acl-global-write access_wizard_price_all — Access rule grants write/create/unlink on 'model_wizard_price' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
product_harmonized_system acl-global-read access_hs_code_read — Access rule grants read on 'model_hs_code' to every user (portal/public included): no group is set
product_pricelist_cache acl-global-read access_product_price_cache_public — Access rule grants read on 'model_product_price_cache' to every user (portal/public included): no group is set
product_variant_cost_price acl-global-read access_product_price_history_product_global — Access rule grants read on 'model_product_price_history_product' to every user (portal/public included): no group is set
project acl-global-read access_project_category — Access rule grants read on 'model_project_category' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_template_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_template_line' to every user (portal/public included): no group is set
quality_control acl-global-read access_manager_qc_trigger_product_line_user — Access rule grants read on 'quality_control.model_qc_trigger_product_line' to every user (portal/public included): no group is set
report acl-global-read paperformat_access_portal — Access rule grants read on 'model_report_paperformat' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_user — Access rule grants read on 'stock_scanner.model_scanner_scenario' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_step_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_step' to every user (portal/public included): no group is set
stock_scanner acl-global-read scanner_scenario_transition_user — Access rule grants read on 'stock_scanner.model_scanner_scenario_transition' to every user (portal/public included): no group is set
stock_scanner rule-group-bypass scanner_hardware_access_group_sentinel — Record rule with an always-true domain bypasses every other record rule of its model for its group
stock_tracking_add_remove acl-global-write access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
survey acl-global-read access_survey_public — Access rule grants read on 'model_survey_survey' to every user (portal/public included): no group is set
survey acl-global-read access_survey_page_public — Access rule grants read on 'model_survey_page' to every user (portal/public included): no group is set
survey acl-global-read access_survey_question_public — Access rule grants read on 'model_survey_question' to every user (portal/public included): no group is set
survey acl-global-read access_survey_label_public — Access rule grants read on 'model_survey_label' to every user (portal/public included): no group is set
survey acl-global-read access_survey_stage_public — Access rule grants read on 'model_survey_stage' to every user (portal/public included): no group is set
tr_barcode acl-global-write access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
users_ldap_push acl-global-read read_field_mappings — Access rule grants read on 'model_res_company_ldap_field_mapping' to every user (portal/public included): no group is set
web_easy_switch_company route-auth-none /web_easy_switch_company/switch/change_current_company — Endpoint 'WebEasySwitchCompanyController.change_current_company' uses auth="none": it runs with no user/session at all
web_favicon route-public-sudo /web_favicon/favicon — Unauthenticated endpoint 'WebFavicon.icon' (auth="none") calls .sudo(): privileged code reachable without login, review what it exposes
web_favicon route-auth-none /web_favicon/favicon — Endpoint 'WebFavicon.icon' uses auth="none": it runs with no user/session at all
web_graph route-auth-none /web_graph/check_xlwt — Endpoint 'TableExporter.check_xlwt' uses auth="none": it runs with no user/session at all
web_no_crawler route-auth-none /robots.txt — Endpoint 'Main.robots' uses auth="none": it runs with no user/session at all
website acl-global-read access_website_public — Access rule grants read on 'website.model_website' to every user (portal/public included): no group is set
website acl-global-read access_website_menu — Access rule grants read on 'model_website_menu' to every user (portal/public included): no group is set
website acl-global-read access_seo_public — Access rule grants read on 'model_website_seo_metadata' to every user (portal/public included): no group is set
website_blog acl-global-read blog_tag — Access rule grants read on 'model_blog_tag' to every user (portal/public included): no group is set
website_certification acl-global-read access_certifications_public — Access rule grants read on 'model_certification_certification' to every user (portal/public included): no group is set
website_certification acl-global-read access_certifications_types_public — Access rule grants read on 'model_certification_type' to every user (portal/public included): no group is set
website_country_localized_pages acl-global-read access_ir_ui_view_country_line_group_user — Access rule grants read on 'model_ir_ui_view_country_line' to every user (portal/public included): no group is set
website_event acl-global-read access_event_type_public — Access rule grants read on 'event.model_event_type' to every user (portal/public included): no group is set
website_event_filter_organizer route-public-sudo /event, /event/page/<int:page> — Unauthenticated endpoint 'WebsiteEventOrganizer.events' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_register_free route-public-sudo /event/<model("event.event"):event>/register/register_free — Unauthenticated endpoint 'WebsiteEvent.event_register_free' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_event_sale acl-global-read access_event_event_ticket_public — Access rule grants read on 'event_sale.model_event_event_ticket' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_tag_public — Access rule grants read on 'model_event_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_stage_public — Access rule grants read on 'model_event_track_stage' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_tag_public — Access rule grants read on 'model_event_track_tag' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_location_public — Access rule grants read on 'model_event_track_location' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track__public — Access rule grants read on 'model_event_track' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_type_public — Access rule grants read on 'model_event_sponsor_type' to every user (portal/public included): no group is set
website_event_track acl-global-read access_event_track_sponsor_public — Access rule grants read on 'model_event_sponsor' to every user (portal/public included): no group is set
website_forum acl-global-read access_forum_forum — Access rule grants read on 'model_forum_forum' to every user (portal/public included): no group is set
website_forum_doc acl-global-read all_documentation_toc — Access rule grants read on 'model_forum_documentation_toc' to every user (portal/public included): no group is set
website_hr_recruitment acl-global-read access_hr_job_public — Access rule grants read on 'hr.model_hr_job' to every user (portal/public included): no group is set
website_hr_recruitment rule-group-bypass hr_job_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
website_hr_recruitment route-public-sudo /jobs, /jobs/country/<model("res.country"):country>, /jobs/department/<model("hr.department"):department>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>, /jobs/office/<int:office_id>, /jobs/country/<model("res.country"):country>/office/<int:office_id>, /jobs/department/<model("hr.department"):department>/office/<int:office_id>, /jobs/country/<model("res.country"):country>/department/<model("hr.department"):department>/office/<int:office_id> — Unauthenticated endpoint 'website_hr_recruitment.jobs' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_logo route-auth-none /web/binary/website_logo, /website_logo, /website_logo.png — Endpoint 'Website.website_logo' uses auth="none": it runs with no user/session at all
website_sale acl-global-read access_product_product_public — Access rule grants read on 'product.model_product_product' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_template_public — Access rule grants read on 'product.model_product_template' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_category_public — Access rule grants read on 'product.model_product_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_public_category_public — Access rule grants read on 'model_product_public_category' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_version_public — Access rule grants read on 'product.model_product_pricelist_version' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_public — Access rule grants read on 'product.model_product_pricelist' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_pricelist_item_public — Access rule grants read on 'product.model_product_pricelist_item' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_product_price_type_public — Access rule grants read on 'product.model_product_price_type' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_style — Access rule grants read on 'website_sale.model_product_style' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_supplierinfo — Access rule grants read on 'product.model_product_supplierinfo' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_public — Access rule grants read on 'product.model_product_attribute' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_value_public — Access rule grants read on 'product.model_product_attribute_value' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_price_public — Access rule grants read on 'product.model_product_attribute_price' to every user (portal/public included): no group is set
website_sale acl-global-read access_product_attribute_line_public — Access rule grants read on 'product.model_product_attribute_line' to every user (portal/public included): no group is set
website_sale_delivery acl-global-read access_delivery_carrier_public — Access rule grants read on 'delivery.model_delivery_carrier' to every user (portal/public included): no group is set
website_sale_product_legal acl-global-read everyone_read — Access rule grants read on 'model_website_sale_product_legal_legal_term' to every user (portal/public included): no group is set
website_seo_redirection acl-global-read read_everyone — Access rule grants read on 'model_website_seo_redirection' to every user (portal/public included): no group is set
website_slides route-public-sudo /slides/slide/<model("slide.slide", "[('channel_id.can_see', '=', True)]"):slide>/comment — Unauthenticated endpoint 'WebsiteSlides.slide_comment' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_slides route-public-sudo /slides/embed/<int:slide_id> — Unauthenticated endpoint 'WebsiteSlides.slides_embed' (auth="public") calls .sudo(): privileged code reachable without login, review what it exposes
website_twitter acl-global-read access_website_twitter_tweet_public — Access rule grants read on 'website_twitter.model_website_twitter_tweet' to every user (portal/public included): no group is set

Active Pull Requests 0

No open migration PRs/MRs tracked.

Security Findings

Errors 24

Module Code Message
anonymization acl-global-write access_ir_model_fields_anonymization_migration_fix — Access rule grants write/create/unlink on 'model_ir_model_fields_anonymization_migration_fix' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_default_group_system — Access rule grants write/create/unlink on 'model_ir_default' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_ui_view_sc_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_sc' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_filter all — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_needaction_mixin — Access rule grants write/create/unlink on 'model_ir_needaction_mixin' to EVERY user (portal/public included): no group is set
base_calendar acl-global-write access_calendar_attendee — Access rule grants write/create/unlink on 'model_calendar_attendee' to EVERY user (portal/public included): no group is set
base_report_assembler acl-global-write access_assembled_report — Access rule grants write/create/unlink on 'model_assembled_report' to EVERY user (portal/public included): no group is set
hr_recruitment acl-global-write access_hr_applicant_category — Access rule grants write/create on 'model_hr_applicant_category' to EVERY user (portal/public included): no group is set
lunch acl-global-write access_report_order_line — Access rule grants write/create/unlink on 'model_report_lunch_order_line' to EVERY user (portal/public included): no group is set
lunch acl-global-write access_lunch_validation — Access rule grants write/create/unlink on 'model_lunch_validation' to EVERY user (portal/public included): no group is set
lunch acl-global-write access_lunch_cancel — Access rule grants write/create/unlink on 'model_lunch_cancel' to EVERY user (portal/public included): no group is set
portal acl-public-write access_ir_attachment_group_portal — Access rule grants create on 'base.model_ir_attachment' to the portal/public group 'portal.group_portal'
portal_claim acl-public-write access_crm_claim — Access rule grants create on 'crm_claim.model_crm_claim' to the portal/public group 'portal.group_portal'
portal_event acl-public-write access_registration — Access rule grants write/create/unlink on 'event.model_event_registration' to the portal/public group 'portal.group_portal'
product_dependencies acl-global-write access_product_dependency — Access rule grants write/create/unlink on 'model_product_dependency' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set

Warnings 51

Module Code Message
anonymization acl-global-read access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set
base acl-global-read access_ir_model_constraint — Access rule grants read on 'model_ir_model_constraint' to every user (portal/public included): no group is set
base acl-global-read access_ir_model_relation — Access rule grants read on 'model_ir_model_relation' to every user (portal/public included): no group is set
base acl-global-read access_ir_module_category_group_user — Access rule grants read on 'model_ir_module_category' to every user (portal/public included): no group is set
base acl-global-read access_ir_module_module_user — Access rule grants read on 'model_ir_module_module' to every user (portal/public included): no group is set
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set
base acl-global-read access_ir_sequence_type_group_user — Access rule grants read on 'model_ir_sequence_type' to every user (portal/public included): no group is set
base acl-global-write access_ir_translation_all — Access rule grants write/create/unlink on 'model_ir_translation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_ui_menu_group_user — Access rule grants read on 'model_ir_ui_menu' to every user (portal/public included): no group is set
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-write access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_bank_type_group_user — Access rule grants read on 'model_res_partner_bank_type' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_bank_type_field_group_user — Access rule grants read on 'model_res_partner_bank_type_field' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-read access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set
base acl-global-write access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_multi_company_default user — Access rule grants read on 'model_multi_company_default' to every user (portal/public included): no group is set
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base_action_rule acl-global-read access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set
base_report_to_printer acl-global-read ir_model_access_printingprinterall0 — Access rule grants read on 'model_printing_printer' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
crm acl-global-read access_crm_case_stage — Access rule grants read on 'model_crm_case_stage' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
crm rule-group-bypass crm_rule_all_phones — Record rule with an always-true domain bypasses every other record rule of its model for its group
currency_rate_update acl-global-read ir_model_access_currencyrateupdate0 — Access rule grants read on 'currency_rate_update.model_currency_rate_update' to every user (portal/public included): no group is set
currency_rate_update acl-global-read ir_model_access_currencyrateupdate4 — Access rule grants read on 'currency_rate_update.model_currency_rate_update_service' to every user (portal/public included): no group is set
document_webdav acl-global-write access_webdav_file_property_all — Access rule grants write/create/unlink on 'model_document_webdav_file_property' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
event acl-global-read access_event_event_portal — Access rule grants read on 'model_event_event' to every user (portal/public included): no group is set
event acl-global-read access_event_registration_portal — Access rule grants read on 'model_event_registration' to every user (portal/public included): no group is set
google_docs acl-global-read access_google_docs — Access rule grants read on 'model_google_docs_config' to every user (portal/public included): no group is set
hr_evaluation rule-group-bypass hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense_accountedge rule-group-bypass property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_holidays rule-group-bypass property_rule_holidays_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_schedule rule-group-bypass property_rule_schedule_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_security rule-group-bypass property_rule_contract_officer — Record rule with an always-true domain bypasses every other record rule of its model for its group
l10n_pe_toponyms acl-global-read access_res_country_district_group_user — Access rule grants read on 'model_res_country_district' to every user (portal/public included): no group is set
l10n_pe_toponyms acl-global-read access_res_country_province_group_user — Access rule grants read on 'model_res_country_province' to every user (portal/public included): no group is set
mail acl-global-write access_mail_thread_all — Access rule grants write/create/unlink on 'model_mail_thread' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
mail acl-global-write access_publisher_warranty_contract_all — Access rule grants write/create/unlink on 'model_publisher_warranty_contract' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
partner_relations acl-global-read read_res_partner_relation — Access rule grants read on 'model_res_partner_relation' to every user (portal/public included): no group is set
partner_relations acl-global-read read_res_partner_relation_type — Access rule grants read on 'model_res_partner_relation_type' to every user (portal/public included): no group is set
partner_relations acl-global-read read_res_partner_relation_type_selection — Access rule grants read on 'model_res_partner_relation_type_selection' to every user (portal/public included): no group is set
portal acl-global-read access_acquirer — Access rule grants read on 'portal.model_portal_payment_acquirer' to every user (portal/public included): no group is set
project acl-global-read access_project_category — Access rule grants read on 'model_project_category' to every user (portal/public included): no group is set
stock_tracking_add_remove acl-global-write access_stock_packaging_add_type_all — Access rule grants write/create on 'model_stock_packaging_add_type' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
tr_barcode acl-global-write access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
tree_view_record_id acl-global-read access_module_tree_view_record_id_installed — Access rule grants read on 'model_module_tree_view_record_id_installed' to every user (portal/public included): no group is set

Active Pull Requests 0

No open migration PRs/MRs tracked.

Security Findings

Errors 18

Module Code Message
base acl-global-write access_ir_default_group_system — Access rule grants write/create/unlink on 'model_ir_default' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_ir_model_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_access_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_access' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_model_fields_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_model_fields' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_ir_rule_group_erp_manager — Access rule grants write/create/unlink on security model 'model_ir_rule' to group 'group_erp_manager': members can escalate their own permissions
base acl-global-write access_ir_ui_view_custom_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_custom' to EVERY user (portal/public included): no group is set
base acl-global-write access_ir_ui_view_sc_group_user — Access rule grants write/create/unlink on 'model_ir_ui_view_sc' to EVERY user (portal/public included): no group is set
base acl-privilege-escalation access_res_groups_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_groups' to group 'group_erp_manager': members can escalate their own permissions
base acl-privilege-escalation access_res_users_group_erp_manager — Access rule grants write/create/unlink on security model 'model_res_users' to group 'group_erp_manager': members can escalate their own permissions
base_module_quality acl-global-write access_module_quality_check — Access rule grants write/create/unlink on 'model_module_quality_check' to EVERY user (portal/public included): no group is set
base_module_quality acl-global-write access_module_quality_detail — Access rule grants write/create/unlink on 'model_module_quality_detail' to EVERY user (portal/public included): no group is set
email_template acl-global-write access_email_template_manager — Access rule grants write/create/unlink on 'model_email_template' to EVERY user (portal/public included): no group is set
hr_performance acl-global-write access_attribute_line — Access rule grants write/create/unlink on 'model_attribute_line' to EVERY user (portal/public included): no group is set
import_google acl-privilege-escalation access_ir_model_data_partner_manager — Access rule grants write on security model 'base.model_res_users' to group 'base.group_partner_manager': members can escalate their own permissions
mail acl-global-write access_mail_message — Access rule grants write/create on 'model_mail_message' to EVERY user (portal/public included): no group is set
mail acl-global-write access_mail_thread — Access rule grants write/create on 'model_mail_thread' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_webkit — Access rule grants create on 'model_ir_header_webkit' to EVERY user (portal/public included): no group is set
report_webkit acl-global-write access_ir_header_img — Access rule grants create on 'model_ir_header_img' to EVERY user (portal/public included): no group is set

Warnings 46

Module Code Message
anonymization acl-global-read access_ir_model_fields_anonymization_user — Access rule grants read on 'model_ir_model_fields_anonymization' to every user (portal/public included): no group is set
anonymization acl-global-read access_ir_model_fields_anonymization_history_user — Access rule grants read on 'model_ir_model_fields_anonymization_history' to every user (portal/public included): no group is set
base acl-global-write access_res_widget_user_all — Access rule grants write/create/unlink on 'model_res_widget_user' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_module_category_group_user — Access rule grants read on 'model_ir_module_category' to every user (portal/public included): no group is set
base acl-global-read access_ir_module_module_user — Access rule grants read on 'model_ir_module_module' to every user (portal/public included): no group is set
base acl-global-read access_ir_property_group_user — Access rule grants read on 'model_ir_property' to every user (portal/public included): no group is set
base acl-global-read access_ir_rule_group_user — Access rule grants read on 'model_ir_rule' to every user (portal/public included): no group is set
base acl-global-read access_ir_sequence_group_user — Access rule grants read on 'model_ir_sequence' to every user (portal/public included): no group is set
base acl-global-read access_ir_sequence_type_group_user — Access rule grants read on 'model_ir_sequence_type' to every user (portal/public included): no group is set
base acl-global-write access_ir_translation_all — Access rule grants write/create/unlink on 'model_ir_translation' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_ui_menu_group_user — Access rule grants read on 'model_ir_ui_menu' to every user (portal/public included): no group is set
base acl-global-read access_ir_ui_view_group_user — Access rule grants read on 'model_ir_ui_view' to every user (portal/public included): no group is set
base acl-global-write access_ir_values_group_all — Access rule grants write/create/unlink on 'model_ir_values' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_res_company_group_user — Access rule grants read on 'model_res_company' to every user (portal/public included): no group is set
base acl-global-read access_res_groups_group_user — Access rule grants read on 'model_res_groups' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_bank_type_group_user — Access rule grants read on 'model_res_partner_bank_type' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_bank_type_field_group_user — Access rule grants read on 'model_res_partner_bank_type_field' to every user (portal/public included): no group is set
base acl-global-read access_res_partner_title_group_partner_manager — Access rule grants read on 'model_res_partner_title' to every user (portal/public included): no group is set
base acl-global-read access_res_request_link_group_user — Access rule grants read on 'model_res_request_link' to every user (portal/public included): no group is set
base acl-global-write access_workflow_workitem_all — Access rule grants write/create/unlink on 'model_workflow_workitem' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_multi_company_default user — Access rule grants read on 'model_multi_company_default' to every user (portal/public included): no group is set
base acl-global-read access_ir_filter all — Access rule grants read on 'model_ir_filters' to every user (portal/public included): no group is set
base acl-global-write access_ir_filters — Access rule grants write/create/unlink on 'model_ir_filters' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_res_widget_user — Access rule grants read on 'model_res_widget' to every user (portal/public included): no group is set
base acl-global-write access_res_log_all — Access rule grants write/create/unlink on 'model_res_log' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
base acl-global-read access_ir_config_parameter — Access rule grants read on 'model_ir_config_parameter' to every user (portal/public included): no group is set
base acl-global-read access_ir_actions_client — Access rule grants read on 'model_ir_actions_client' to every user (portal/public included): no group is set
base_action_rule acl-global-read access_base_action_rule — Access rule grants read on 'model_base_action_rule' to every user (portal/public included): no group is set
base_report_to_printer acl-global-read ir_model_access_printingprinterall0 — Access rule grants read on 'model_printing_printer' to every user (portal/public included): no group is set
board acl-global-read access_board_board all — Access rule grants read on 'model_board_board' to every user (portal/public included): no group is set
board acl-global-read access_board_board_line all — Access rule grants read on 'model_board_board_line' to every user (portal/public included): no group is set
board acl-global-read access_res_log_report all — Access rule grants read on 'model_res_log_report' to every user (portal/public included): no group is set
crm rule-group-bypass crm_rule_all_lead — Record rule with an always-true domain bypasses every other record rule of its model for its group
currency_rate_update acl-global-read ir_model_access_currencyrateupdate0 — Access rule grants read on 'currency_rate_update.model_currency_rate_update' to every user (portal/public included): no group is set
currency_rate_update acl-global-read ir_model_access_currencyrateupdate4 — Access rule grants read on 'currency_rate_update.model_currency_rate_update_service' to every user (portal/public included): no group is set
document_webdav acl-global-write access_webdav_file_property_all — Access rule grants write/create/unlink on 'model_document_webdav_file_property' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)
edi acl-global-read access_ir_edi_all_read — Access rule grants read on 'model_edi_document' to every user (portal/public included): no group is set
email_template acl-global-read access_email_template — Access rule grants read on 'model_email_template' to every user (portal/public included): no group is set
hr_evaluation rule-group-bypass hr_employee_interview_hr — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_expense_accountedge rule-group-bypass property_rule_account_invoice_manager — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_academic_hruser_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_professional_hruser_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
hr_experience rule-group-bypass hr_certification_hruser_rule — Record rule with an always-true domain bypasses every other record rule of its model for its group
membership acl-global-read access_membership_membership_line — Access rule grants read on 'model_membership_membership_line' to every user (portal/public included): no group is set
project_service_base rule-group-bypass project_group_project_user_all_tasks — Record rule with an always-true domain bypasses every other record rule of its model for its group
tr_barcode acl-global-write access_tr_barcode_all — Access rule grants write/create on 'model_tr_barcode' to EVERY user (portal/public included): no group is set ('_all' naming suggests it is intentional)