Odoo security is not only a matter of firewalls and SSL: it runs through the data model, access rules, method exposure, and even the way you develop custom modules. The Odoo 19 backend security documentation provides an orderly presentation of what is built in to protect you, as well as what to avoid.
Throughout this article, we take you through the key pillars of Odoo backend security (access rights, record rules, field access, unsafe methods, SQL injection, content escaping, etc.), point out typical pitfalls, and provide tangible guidelines to make your Odoo 19 deployment as secure as it can be.
Core Security Concepts in Odoo 19
Before going into best practices, it's important to understand the foundational layers of security that Odoo offers (and enforces) by design. The official documentation presents these in this order: Access Rights, Record Rules, Field Access, and then covers Security Pitfalls such as unsafe public methods, SQL injections, domain building, and unescaped content.
Access Rights
- Access Rights define which models a user group is allowed to create, read, write, or delete.
- They are the first, coarse filter: if none of a user's groups grants an access right on a model, ORM calls on that model are refused with an AccessError before record rules are even consulted.
- Be careful when granting broad rights (above all write and unlink/delete) at the access-rights level.
- Access rights are usually declared in a module's data files (ir.model.access records, typically an ir.model.access.csv listed in the manifest).
Record Rules
- Record rules (domain rules) add row-level constraints: once the access-rights check passes, Odoo applies record rules to filter or limit which records are visible or editable.
- Each rule is defined per group (or globally), holds a domain expression, and states whether it applies to read, write, create and/or delete (unlink).
- Record rules apply to every model-level ORM call and restrict it by default.
- Be careful about the difference between global rules and group rules: global record rules apply to all users, group rules only to the specified groups.
- A frequent mistake is a poorly built rule (e.g. one that is too lax) that inadvertently leaks data.
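Odoo combines record rules in a specific way (global rules are ANDed together, the rules of the user's groups are ORed with each other, and the two results are ANDed), which is exactly why one too-lax group rule leaks records. The following is an added example, not Odoo's own code: a toy evaluator with constructed documents, group names and rules that shows that combination.

```python
# Added example (not Odoo's code): a toy model of how Odoo combines record
# rules. Group names, rules and documents are constructed for illustration.
GLOBAL = None   # a rule with no group applies to every user

DOCS = [   # constructed sample records
    {"id": 1, "user_id": 7, "company_id": 1},
    {"id": 2, "user_id": 8, "company_id": 1},
    {"id": 3, "user_id": 7, "company_id": 2},
]

RULES = [
    {"group": GLOBAL, "domain": [("company_id", "in", "user.company_ids")]},
    {"group": "group_user", "domain": [("user_id", "=", "user.id")]},
    {"group": "group_manager", "domain": []},   # empty domain = no restriction
]

def matches(rec, domain, ctx):
    """Evaluate a flat AND-only domain; string values naming a ctx key
    (user.id, user.company_ids) are substituted as in a real rule."""
    for field, op, value in domain:
        value = ctx.get(value, value) if isinstance(value, str) else value
        actual = rec[field]
        if op == "=" and actual != value: return False
        if op == "!=" and actual == value: return False
        if op == "in" and actual not in value: return False
        if op == "not in" and actual in value: return False
    return True

def visible_ids(rules, uid, groups, company_ids, docs=DOCS):
    """Global rules are ANDed together; the rules of the user's groups are
    ORed with each other; finally both results are ANDed."""
    ctx = {"user.id": uid, "user.company_ids": company_ids}
    global_doms = [r["domain"] for r in rules if r["group"] is GLOBAL]
    group_doms = [r["domain"] for r in rules if r["group"] in groups]
    out = []
    for rec in docs:
        ok_global = all(matches(rec, d, ctx) for d in global_doms)
        # a user none of whose groups carries a rule is unrestricted at group level
        ok_group = not group_doms or any(matches(rec, d, ctx) for d in group_doms)
        if ok_global and ok_group:
            out.append(rec["id"])
    return out
```

Replacing the group_user rule's domain with an empty list is the "too lax" mistake: every employee then sees every record the global company rule lets through.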
Field Access
- Aside from access rights and record rules, Odoo also implements field-level security through field access rules. Certain fields in a model can be hidden or read-only for given groups.
- Field-level settings let you suppress or limit private fields (e.g. salary, cost, internal notes) from some users, even if they may view the record.
- Misconfiguration here can result in data leaks: e.g. a user opens a record, inspects the raw JSON returned to the web client, and reads fields they should not be able to see.
Security Pitfalls & Advanced Issues
The documentation calls out several categories of risks and pitfalls to be vigilant about. Let’s go through them with commentary and mitigations.
Unsafe Public Methods
- In Odoo, model methods whose name does not start with an underscore are “public”, i.e. callable over RPC/web; the methods decorated with @api.model (and the legacy @api.multi / @api.one) are the usual case. If you define a method that should be private/internal but do not secure it, it is exposed.
- Public methods must enforce their own access checks, especially when doing record modifications. Do not rely solely on record rules for everything.
- Always check self.env.user.has_group(...) or self.check_access_rights(...) / self.check_access_rule(...) within sensitive methods.
Bypassing the ORM
- Directly accessing self._cr (the database cursor) or using low-level SQL bypasses Odoo’s security checks (access rights / record rules). This is highly dangerous if mishandled.
- If you must use raw SQL (for performance or complex queries), always guard it carefully, validate inputs, and ensure that the query filters by id IN allowed_ids or similar patterns that respect record rules.
- As a best practice: minimize use of raw SQL; prefer using the ORM unless absolutely necessary.
SQL Injections
- When constructing raw SQL queries, avoid concatenating strings with input variables. That leads to SQL injection risks.
- Always use parameterized queries (i.e. %s style) and pass variables separately.
- Be careful with dynamic filtering (e.g. building WHERE clauses)—ensure the fields and operators used are safe and validated.
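An added example, not Odoo's code, of the unsafe and the hardened query side by side for the two points above (bypassing the ORM and SQL injection). It uses an in-memory sqlite3 table as a stand-in for self.env.cr (psycopg2 uses %s placeholders where sqlite3 uses ?), with constructed rows and an assumed allowlist of sortable fields.

```python
import sqlite3

# Added example, not Odoo code. Same rule as with Odoo's cursor: values go in
# query parameters, identifiers come from an allowlist, and the id set returned
# by an ORM search (record rules applied) is ANDed into the raw query.
ALLOWED_ORDER_FIELDS = {"name", "id"}   # assumed allowlist for this example

def make_cr():
    """Constructed in-memory stand-in for the res_partner table."""
    cr = sqlite3.connect(":memory:")
    cr.execute("CREATE TABLE res_partner (id INTEGER, name TEXT, company_id INTEGER)")
    cr.executemany("INSERT INTO res_partner VALUES (?, ?, ?)",
                   [(1, "Alice", 1), (2, "Bob", 1), (3, "Carol", 2)])
    return cr

def find_unsafe(cr, name):
    """Vulnerable: the value is spliced into the SQL text, so a quote in
    `name` changes the query instead of being matched literally."""
    rows = cr.execute("SELECT id FROM res_partner WHERE name = '%s'" % name)
    return [r[0] for r in rows]

def find_safe(cr, name, allowed_ids, order="name"):
    """Hardened: parameterized value, allowlisted identifier, and the
    `allowed_ids` from an ORM search restricting the rows the SQL may touch."""
    if order not in ALLOWED_ORDER_FIELDS:
        raise ValueError("unsupported order field: %r" % order)
    if not allowed_ids:
        return []
    # only generated placeholders and an allowlisted identifier are formatted in
    placeholders = ",".join("?" * len(allowed_ids))
    query = ('SELECT id FROM res_partner WHERE name = ? AND id IN (%s) ORDER BY "%s"'
             % (placeholders, order))
    rows = cr.execute(query, (name, *allowed_ids))
    return [r[0] for r in rows]
```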
Building Domains
- When you dynamically build domain expressions (lists of tuples for search / filtering), you must validate/sanitize the parts (field names, operators, values).
- Avoid building domains from untrusted user input without validation. A malicious user might inject domain tuples intended to override or circumvent restrictions.
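As an added example (not Odoo's own expression module), the validator below allowlists fields and operators, rejects dotted paths, and ANDs the result under a fixed domain using the prefix notation Odoo domains use, so the untrusted part can only narrow the search; the allowlists are assumed for the example.

```python
# Added example (not Odoo's code): validate an untrusted domain before it
# reaches search(), then AND it under a fixed domain in prefix notation.
SEARCHABLE_FIELDS = {"name", "state", "partner_id"}   # assumed allowlist
ALLOWED_OPERATORS = {"=", "!=", "in", "not in", "ilike"}
ARITY = {"&": 2, "|": 2, "!": 1}

def validate_domain(domain):
    """Return a clean copy of `domain`, or raise ValueError on anything
    outside the allowlists (unknown field, dotted path, operator, value type)."""
    clean = []
    for term in domain:
        if isinstance(term, str) and term in ARITY:
            clean.append(term)
            continue
        if not isinstance(term, (list, tuple)) or len(term) != 3:
            raise ValueError("malformed term: %r" % (term,))
        field, operator, value = term
        # dotted paths such as partner_id.bank_ids.acc_number fail this check too
        if not isinstance(field, str) or field not in SEARCHABLE_FIELDS:
            raise ValueError("field not searchable: %r" % (field,))
        if operator not in ALLOWED_OPERATORS:
            raise ValueError("operator not allowed: %r" % (operator,))
        if operator in ("in", "not in") and not isinstance(value, (list, tuple)):
            raise ValueError("'%s' needs a list value" % operator)
        clean.append((field, operator, value))
    return clean

def normalize(domain):
    """Insert the implicit '&' so the domain is one prefix expression
    (the same rule Odoo applies when it normalizes a domain)."""
    if not domain:
        return [(1, "=", 1)]   # the always-true leaf
    result, expected = [], 1
    for token in domain:
        if expected == 0:        # previous expression complete: AND with the next
            result.insert(0, "&")
            expected = 1
        result.append(token)
        expected += (ARITY[token] - 1) if isinstance(token, str) else -1
    if expected != 0:
        raise ValueError("unbalanced domain")
    return result

def restrict(base, untrusted):
    """AND the validated untrusted domain under `base`; it can only narrow it."""
    return ["&"] + normalize(base) + normalize(validate_domain(untrusted))
```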
Unescaped Field Content & Unsafe Markup
- When rendering content (HTML, rich text fields, report templates), unescaped or unsanitized content can lead to XSS (cross-site scripting) or HTML injection.
- Use Odoo’s Markup utilities or safe escaping methods to ensure HTML or user content does not break the page or execute scripts.
- The docs distinguish between escaping vs sanitizing—you must choose the right approach based on whether you want to allow a subset of HTML or block all.
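An added example, not Odoo's code, that re-implements in a few lines the Markup pattern Odoo uses (markupsafe.Markup) to show the escape versus sanitize decision: plain values formatted into a Markup template are escaped, while content that has already been sanitized is passed through as Markup.

```python
import html

# Added example, not Odoo's code: a minimal stand-in for markupsafe.Markup,
# the class behind Odoo's Markup utilities.
class Markup(str):
    """A str that is known to be safe HTML."""
    def __html__(self):
        return self
    def __add__(self, other):
        return Markup(str(self) + str(escape(other)))
    def __mod__(self, args):
        if not isinstance(args, tuple):
            args = (args,)
        return Markup(str(self) % tuple(str(escape(a)) for a in args))

def escape(value):
    """Escape plain values; leave anything carrying __html__ (Markup) untouched."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(html.escape(str(value), quote=True))

def render_unsafe(author, body):
    """Plain-str formatting: user content lands in the page verbatim."""
    return "<p><b>%s</b>: %s</p>" % (author, body)

def render_escaped(author, body):
    """Escaping: every character of `body` is shown as text, no HTML allowed."""
    return Markup("<p><b>%s</b>: %s</p>") % (author, body)

def render_rich(author, sanitized_body):
    """Sanitizing: a rich-text value that went through an allowlist sanitizer
    (Odoo's fields.Html sanitizes on write) is wrapped in Markup and kept as
    HTML. `sanitized_body` is assumed already sanitized; wrapping raw input in
    Markup would reintroduce the injection."""
    return Markup("<p><b>%s</b>: %s</p>") % (author, Markup(sanitized_body))
```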
Accessing Object Attributes
- Avoid using Python’s getattr(object, some_name) on arbitrary user-supplied values, because a malicious input could refer to internal attributes or exploit properties.
- Prefer explicit access via a whitelist of allowed attributes.
Odoo 19 provides a strong, multi-layered security framework that covers access rights, record rules, field restrictions, and ORM-level validations, but maintaining a secure environment ultimately depends on how developers configure and extend the system. Common vulnerabilities such as unsafe public methods, SQL injections, or misconfigured record rules can easily undermine these protections if not handled carefully. To ensure robust security, always rely on Odoo’s built-in ORM and access control mechanisms, validate all user inputs, sanitize rendered content, and regularly review permissions and rules. By combining Odoo’s built-in safeguards with careful coding and periodic audits, you can keep your Odoo 19 deployment secure, reliable, and compliant.