Existing Odoo S3 modules all suffer from the same design limitation - a "one size fits all" approach to security. Our client needed more control over their data, so we developed a new integration.

Background to the project

We're developing an e-commerce website with an Odoo back-end. Our client has a large inventory of products, most of which are available in a range of colours. Customers can also have the products customised using their own artwork.

This meant we were going to launch with a database of over 100,000 different product images. And for each order we'll need to store the uploaded files for printing, along with pre-production proofs for the customer to approve.

That's a lot of data.

So to handle it all, we decided to use S3.

S3 is a cloud-native storage service, offered by Amazon Web Services (AWS) as Amazon S3. You can host S3 on your own infrastructure as well, using the open source project MinIO, which is compatible with the S3 API.

The problem with the current approach

There are several modules available to store Odoo data in S3. However, when we reviewed them we discovered that they all follow the same basic design:

  • they are hard-coded to use Amazon's S3 services (so you can't host elsewhere)
  • all data is stored in the same S3 bucket

An S3 bucket is where your files are stored, similar to a directory on your PC. The same access control rules apply to all files within a bucket. To have different sets of access permissions in S3, you need to group your files into different buckets.

In our project we have two distinct types of data:

  • Public - product images to be displayed on the website
  • Private - artwork files which are specific to one customer. We also store PDFs of invoices and proofs, which contain personally identifiable information.

Storing both sets of data in the same bucket (and relying on website access control to secure it) would run the risk of exposing customer information if either the webserver or the public S3 server were compromised.

Our solution

The reason that the existing Odoo modules keep all of the data in the same place is that they use the ir.attachment model, which is global. So there can only be one data source configured for the whole Odoo instance.

We developed a new module which operates at field level.

This lets us add file storage fields to any Odoo model, and configure the S3 server and bucket name independently for each type of data.

Security by design

Our website now has a storage architecture like this:

The private S3 server is behind a firewall, and only accessible from Odoo. All customer uploads and downloads go through the Odoo API and require a signed-in session.

Additional logging can be used to detect a breach (e.g. if we detect an unusually high number of requests) and to aid recovery and reporting (every access is audited).
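
The request-volume check described above could look like the following sketch. It is an added example, not code from our module: the audit line format, the bucket name `private-artwork`, the user names and the 60-second / 5-request limits are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' (assumed format; values contain no spaces)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Return {user: [keys read]} for users with more than `threshold` reads inside `window`."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    touched = defaultdict(list)   # user -> every key read, kept for the report
    flagged = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop reads older than the window
            q.popleft()
        touched[rec["user"]].append(rec["key"])
        if len(q) > threshold:
            flagged.add(rec["user"])
    return {u: touched[u] for u in sorted(flagged)}


def sample_records():
    """Constructed audit lines: alice reads slowly, bob reads 8 files in 14 seconds."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{(base + timedelta(minutes=5 * i)).isoformat()} user=alice "
        f"bucket=private-artwork key=orders/1001/proof-{i}.pdf"
        for i in range(3)
    ]
    lines += [
        f"{(base + timedelta(seconds=2 * i)).isoformat()} user=bob "
        f"bucket=private-artwork key=orders/{2000 + i}/invoice.pdf"
        for i in range(8)
    ]
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for user, keys in detect_bursts(sample_records()).items():
        print(f"ALERT {user}: {len(keys)} private objects read, e.g. {keys[0]}")
```

The returned list of keys per flagged user is the starting point for the recovery and reporting step: it names exactly which private files that session touched.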

Read more about security by design at the National Cyber Security Centre.