from odoo import http
from odoo.addons.auth_oauth.controllers.main import OAuthLogin
from odoo.http import request
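class CustomOAuthLogin(OAuthLogin):
    """OAuth login controller that scopes the provider list to the current website."""

    def list_providers(self):
        """Return the OAuth providers that may be shown on the current website.

        Starts from the list built by ``super().list_providers()`` and keeps a
        provider only when its ``auth.oauth.provider`` record has no
        ``website_id`` (global) or a ``website_id`` equal to the current
        website. Outside a website context the parent's list is returned
        unchanged.

        SECURITY: the provider records are read with ``sudo()`` because public
        users do not have read access to ``auth.oauth.provider``. Only
        ``website_id`` is read from the elevated record; the dicts handed back
        to the caller are the ones produced by the parent method.

        NOTE(review): this narrows what gets listed. Nothing in this method
        stops a sign-in that names a provider belonging to another website, so
        confirm that the sign-in/callback path applies the same website check.

        :return: list of provider dicts, filtered by website when applicable
        """
        providers = super().list_providers()

        # The website attribute may be absent on requests that did not go
        # through the website layer; treat that like "no website context".
        current_website = getattr(request, 'website', None)
        if not current_website or not current_website.id:
            return providers

        # request.env is used rather than self.env so the lookup does not
        # depend on the controller base class exposing an ``env`` attribute.
        provider_model = request.env['auth.oauth.provider'].sudo()

        filtered_providers = []
        for provider in providers:
            # client_id is not guaranteed to be unique: the same OAuth
            # application can be registered once per website. A
            # search(..., limit=1) on client_id could then evaluate another
            # website's record and show or hide the wrong entry, so the record
            # id is preferred whenever the parent's dict carries one.
            provider_id = provider.get('id')
            if provider_id:
                provider_rec = provider_model.browse(provider_id).exists()
            else:
                provider_rec = provider_model.search(
                    [('client_id', '=', provider['client_id'])],
                    limit=1,
                )

            # A provider with no matching record is dropped.
            if not provider_rec:
                continue

            # Show if Website ID matches OR if Website ID is empty (Global).
            match_website = (
                not provider_rec.website_id
                or provider_rec.website_id.id == current_website.id
            )

            # Optional: Add Company Check if needed
            # match_company = not provider_rec.company_id or provider_rec.company_id.id == request.env.company.id

            if match_website:
                filtered_providers.append(provider)

        return filtered_providers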