Naglis Jonaitis <[email protected]>

A Python developer from Kaunas, Lithuania.

GU d? -p+ c++ l++ u? e++ m+(++) s-/ !n h+ !f g- w+ t- r y?

Elsewhere: GitHub / GitLab / StackOverflow



Below is a list of security vulnerabilites I have discovered and disclosed (currently only in Odoo).

Odoo addons

Over time, I have written a few Odoo addons, each of varying degree of usefulness. They are all available under either AGPL-3 or LGPL-3 license. Use at your own ~~peril~~ risk.


These are but short barfs not worthy of a separate post. Below are the few last ones. The rest are here. There is also a feed.
# :

Starting with Odoo v11, the automatic calculation of the string attribute on model fields has become a bit smarter - the field name is titlecased instead of only capitalizing the first character and _id and _ids are removed from the end of the field name prior to titlecasing, allowing to omit the string attribute in even more cases.

# :

It appears int based selection field support is scheduled for removal in Odoo 13.0.

# :

Odoo has an _unknown model which can be (and is) used as the co-model on relational fields when the actual model is not yet known (eg. in abstract mixin models). It will be automatically set by Odoo if no co-model is specified, but if you set it explicitly you will not get a warning.

# :

In Odoo 12 a new @http.route keyword argument save_session was introduced, which, if set to False, will prevent a new session ID being generated and stored when the controller endpoint is called. This is useful for non-authenticated (auth='none') endpoints where the session is not relevant (eg. JSON endpoints for API purposes) and prevents useless session files being stored.

# :

In Odoo 11, if you stumble upon weird TypeError: Model 'foo' does not exist in registry. errors while Odoo is just starting up in threaded mode (eg. during development) and you are certain that the foo model does exist, this might be due to an issue with addon preloading under Python 3, in which case setting ODOO_PRELOAD_ADDONS=no in the shell environment should fix the issue. Or you could run Odoo in worker mode.