Odoo security, prevent a logged user from accessing unprotected tables with jsonrpc?

Whatever is done on an XML view, if no access control/record rules are defined, any user could get any information on Odoo with a simple JS snippet:

(new window.openerp.web.Model('my.model')).query().all().then(f=>console.log(f))

  • What could be done to prevent that?
  • Is defining access control and record rules the only way?
  • Is there any mechanism that would prevent the user from accessing anything that is not accessible to him through the current action/view?
ATX Avatar asked Dec 16 '19 14:12



1 Answer

Actually access control and record rules are the way to go. The whole security is about them. So if you don't have those rules for some technical or business models, while requiring them to not be seen by a logged-in user, then your own concept of those models is wrong or not well thought out.

And you also can define very strict rules while bypassing them with admin rights (sudo). That's usually needed in computed fields, which depend on data a "normal" user shouldn't see but is needed for the computation.

CZoellner Avatar answered Nov 13 '22 23:11

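The two layers the answer refers to, as an added example that is not part of the original post: an access-control entry that gates the model itself and a record rule that limits which rows a user who passed that gate can read. It assumes a module named my_module defining my.model (so its ir.model xmlid is my_module.model_my_model), a Many2one field user_id on that model, and the standard internal-user group base.group_user.

```xml
<?xml version="1.0" encoding="utf-8"?>
<odoo>
    <!-- Added example, not code from the question or answer. Assumes module
         my_module defines my.model with a Many2one field user_id -> res.users,
         and that intended readers belong to base.group_user. -->

    <!-- 1. Access control (ir.model.access): which groups may do what on the
            model at all. With no line for my.model, Odoo rejects every
            non-admin request, including the jsonrpc query() from the browser,
            with an AccessError. Internal users here may read and write,
            but neither create nor delete. -->
    <record id="access_my_model_user" model="ir.model.access">
        <field name="name">my.model: internal users</field>
        <field name="model_id" ref="my_module.model_my_model"/>
        <field name="group_id" ref="base.group_user"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="False"/>
    </record>

    <!-- 2. Record rule (ir.rule): which rows a user who passed step 1 may see.
            The domain is applied server-side on every read/search, so a
            query().all() issued from the console returns only the caller's
            own rows, regardless of which view or action the call came from. -->
    <record id="rule_my_model_own_records" model="ir.rule">
        <field name="name">my.model: own records only</field>
        <field name="model_id" ref="my_module.model_my_model"/>
        <field name="groups" eval="[(4, ref('base.group_user'))]"/>
        <field name="domain_force">[('user_id', '=', user.id)]</field>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>
</odoo>
```

The file must be listed under `data` in the module's `__manifest__.py`; a record rule with no `groups` set is global and applies to every non-superuser, which is the usual way to enforce multi-company or ownership boundaries across all groups at once.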