Whatever is done on an XML view, if no access control/record rules are defined, any user could get any information on Odoo with a simple JS snippet:
(new window.openerp.web.Model('my.model')).query().all().then(f=>console.log(f))
Actually access control and record rules are the way to go. The whole security is about them. So if you don't have those rules for some technical or business models, while requiring them to not be seen by a logged-in user, then your own concept of those models is wrong or not well thought out.
And you can also define very strict rules while bypassing them with admin rights (sudo). That's usually needed in computed fields, which depend on data that a "normal" user shouldn't see but that is needed for the computation.
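The access control and record rules discussed above, written out as a module data file. This is an added example, not part of the original posts. It assumes a hypothetical module that defines `my.model` (so the external id `model_my_model` exists) and that ordinary users should read only records they created. Older releases use `<openerp>` as the root element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<odoo>
    <!-- Access right (ACL): internal users get read-only access to my.model.
         Without any ir.model.access entry granting access, the model is
         closed to non-admin users. -->
    <record id="access_my_model_user" model="ir.model.access">
        <field name="name">my.model: internal user, read only</field>
        <field name="model_id" ref="model_my_model"/>
        <field name="group_id" ref="base.group_user"/>
        <field name="perm_read" eval="1"/>
        <field name="perm_write" eval="0"/>
        <field name="perm_create" eval="0"/>
        <field name="perm_unlink" eval="0"/>
    </record>

    <!-- Record rule: within that read access, restrict the visible rows.
         The domain is evaluated server-side for every ORM call made as the
         user, including RPC queries issued from the browser console. -->
    <record id="rule_my_model_own_records" model="ir.rule">
        <field name="name">my.model: own records only</field>
        <field name="model_id" ref="model_my_model"/>
        <field name="groups" eval="[(4, ref('base.group_user'))]"/>
        <field name="domain_force">[('create_uid', '=', user.id)]</field>
        <field name="perm_read" eval="1"/>
        <field name="perm_write" eval="1"/>
        <field name="perm_create" eval="1"/>
        <field name="perm_unlink" eval="1"/>
    </record>
</odoo>
```

With these two records loaded, the JS query from the first post returns only the rows the logged-in user created, because the filtering happens in the ORM rather than in the view.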