In this blog post, we'll look at why file attachments in Odoo need to be managed securely. It is common to share attachments as downloadable links, but if those links are not managed carefully they can expose sensitive information. A frequent shortcut is to make the attachment publicly accessible (the public flag on ir.attachment), yet this carries serious risk: a public attachment is served to anyone who knows its URL, which bypasses Odoo's built-in permission system and can grant access to unauthorized users.
In the following sections, we'll examine these risks and show a secure way to handle attachment URLs in Odoo using access tokens.
Below are the steps and code to set up secure attachment URLs with access tokens.
1. Setting Up the attachment_url Field in the Model
First, import the libraries the code below needs (URL parsing and base64 encoding for the attachment data).
Add a computed field attachment_url to your model. This field will hold the secure URL for each attachment.
Here's how we generate a secure URL with a unique access token for each attachment: if the record has an attachment, we create an ir.attachment record for it and generate an access_token.
In this code, we retrieve the base URL (normally the web.base.url system parameter) and parse it, checking that it has both a scheme (http or https) and a network location (host and port); a base URL missing either would produce links that do not resolve.
If a record has an attachment, we base64-encode its data, create an ir.attachment record, and set an access token generated by _generate_access_token().
The attachment_url field is populated with the resulting URL, which carries the access_token as a query parameter. When a request arrives with that token, Odoo compares it against the token stored on the ir.attachment record and serves the file only if they match, even for a requester who would not otherwise pass the record's access rules; without a matching token, the normal access rules apply. Unlike a public attachment, the link is therefore only as accessible as the token is secret.
_generate_access_token() creates a random token per attachment, so one token cannot be guessed or derived from another URL. Two practical caveats follow: anyone who obtains the link can download the file, so treat the URL itself as a credential (keep it out of logs, shared channels and anywhere else it may leak), and serve it over https so the token is not exposed in transit.
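The token scheme described above, as an added Python example that is not the blog's own code and does not depend on Odoo: a stand-in Attachment record, a URL builder that parses the base URL the same way (scheme and net location required) and refuses to emit a tokenless link, and a simplified model of the serving decision (public flag, then access rules, then a constant-time token comparison). The Attachment class and the functions generate_access_token, build_attachment_url, token_from_url and can_serve are hypothetical names introduced here; Odoo's real _generate_access_token returns a uuid4 string, which this example replaces with secrets.token_urlsafe.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


@dataclass
class Attachment:
    """Constructed stand-in for an ir.attachment record (not Odoo's model)."""
    id: int
    name: str
    public: bool = False            # the risky shortcut: True serves the file to anyone
    access_token: Optional[str] = None


def generate_access_token() -> str:
    """Hypothetical replacement for _generate_access_token(): 32 bytes from the
    OS CSPRNG, URL-safe so it can sit in a query string without escaping."""
    return secrets.token_urlsafe(32)


def build_attachment_url(base_url: str, attachment: Attachment, download: bool = True) -> str:
    """Build <scheme>://<netloc>/web/content/<id>?access_token=...[&download=true].

    Mirrors the blog's check that the base URL carries a scheme and a net
    location, and additionally refuses to emit a link for a record without a
    token: such a link would only work for users who already pass Odoo's
    access rules, which is rarely what the caller expects.
    """
    parsed = urlparse(base_url)
    if not parsed.scheme or not parsed.netloc:
        raise ValueError(f"base URL must include scheme and host, got {base_url!r}")
    if not attachment.access_token:
        raise ValueError("attachment has no access token; generate one before sharing")
    query = {"access_token": attachment.access_token}
    if download:
        query["download"] = "true"
    path = f"/web/content/{attachment.id}"
    return urlunparse((parsed.scheme, parsed.netloc, path, "", urlencode(query), ""))


def token_from_url(url: str) -> Optional[str]:
    """Server side: extract the access_token query parameter from a request URL."""
    values = parse_qs(urlparse(url).query).get("access_token")
    return values[0] if values else None


def can_serve(attachment: Attachment, user_has_read_access: bool,
              presented_token: Optional[str]) -> bool:
    """Simplified model of the serving decision (not Odoo's code).

    public=True bypasses every check. Otherwise a user who passes the normal
    access rules is served, and anyone else is served only if the presented
    token equals the one stored on the record. The comparison is constant-time
    so a token cannot be recovered byte by byte through timing differences.
    """
    if attachment.public:
        return True
    if user_has_read_access:
        return True
    if attachment.access_token and presented_token:
        return hmac.compare_digest(attachment.access_token.encode(), presented_token.encode())
    return False


if __name__ == "__main__":
    att = Attachment(id=42, name="offer_letter.pdf", access_token=generate_access_token())
    link = build_attachment_url("https://erp.example.com", att)
    print(link)
    # A link holder without access rules is served; a guessed token is not.
    print(can_serve(att, False, token_from_url(link)))   # True
    print(can_serve(att, False, "guess"))                # False
```

The example hard-wires the base URL and record id only for illustration; in a real compute method the base URL comes from the system parameter and the id from the ir.attachment record you just created, and the resulting URL should be treated as a credential from the moment it is stored.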
An example URL generated for a job record using this method is shown below.