first push message
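--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,43 @@
+from odoo import http
+from odoo.addons.auth_oauth.controllers.main import OAuthLogin
+from odoo.http import request
+
+
+class CustomOAuthLogin(OAuthLogin):
+
+    def list_providers(self):
+        """
+        Override the standard list_providers to filter by current website.
+        SECURITY FIX: Use sudo() to read provider config as public users
+        do not have read access to auth.oauth.provider model.
+        """
+        # Get the original list from super()
+        providers = super().list_providers()
+
+        # Get the current website from the request context
+        current_website = request.website
+
+        # If we are in a website context, filter the providers
+        if current_website and current_website.id:
+            filtered_providers = []
+            for provider in providers:
+                # SECURITY: Use sudo() to avoid AccessError for public users
+                # We search by client_id because the list_providers returns dicts with client_id
+                provider_rec = self.env['auth.oauth.provider'].sudo().search(
+                    [('client_id', '=', provider['client_id'])],
+                    limit=1
+                )
+
+                if provider_rec:
+                    # Logic: Show if Website ID matches OR if Website ID is empty (Global)
+                    match_website = not provider_rec.website_id or provider_rec.website_id.id == current_website.id
+
+                    # Optional: Add Company Check if needed
+                    # match_company = not provider_rec.company_id or provider_rec.company_id.id == request.env.company.id
+
+                    if match_website:
+                        filtered_providers.append(provider)
+
+            return filtered_providers
+
+        return providers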
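Review bot: The provider lookup inside the loop uses `self.env`, but `OAuthLogin` is an `http.Controller` and, unless a project base class adds that attribute, controllers reach the environment only through `request.env` (the parent `list_providers` does the same), so the first anonymous hit on the login page would raise AttributeError before any filtering happens. The match key is also weaker than it needs to be: searching by `client_id` with `limit=1` picks an arbitrary record when two providers share a client id (one OAuth app registered for two websites, say), so the wrong `website_id` can decide the filter; the dicts the stock parent returns come from `search_read` and carry the record `id`, so `provider_rec = request.env['auth.oauth.provider'].sudo().browse(provider['id']).exists()` selects exactly the record the parent listed. The `sudo()` itself is acceptable here, since it is used only to read `website_id` for filtering and adds nothing to the dicts handed back to the public user. One query per provider is tolerable for the handful of records this model usually holds, but a single `search_read` over all listed ids with `fields=['website_id']` would keep the check to one round trip. `request.website` is set only by the website module's dispatcher, so if this controller can be reached outside a website route the line should read `current_website = getattr(request, 'website', None)`.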