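from odoo import http
from odoo.addons.auth_oauth.controllers.main import OAuthLogin
from odoo.http import request


class CustomOAuthLogin(OAuthLogin):
    """OAuth login controller that limits the offered providers per website."""

    def list_providers(self):
        """Return the OAuth providers to offer on the current website.

        Starts from the list built by the parent controller and keeps a
        provider only when its record has no ``website_id`` (global) or when
        ``website_id`` is the website serving the request. Outside a website
        context the parent's list is returned unchanged.

        Returns:
            list[dict]: the provider dicts from ``super().list_providers()``,
            filtered; the dicts themselves are not modified.
        """
        providers = super().list_providers()

        # request.website is only set when the website layer handled the
        # request; getattr avoids an AttributeError on other routes.
        current_website = getattr(request, 'website', None)
        if not current_website or not current_website.id:
            return providers

        # Public users have no read access to auth.oauth.provider, so the
        # lookup runs with sudo(). The elevated records are used only to read
        # website_id and are never returned to the caller or the template.
        # request.env is used instead of self.env because not every Odoo
        # version exposes an env attribute on controllers.
        Provider = request.env['auth.oauth.provider'].sudo()

        # NOTE(review): this filters what the login page displays. Whether the
        # sign-in callback also rejects a provider that belongs to another
        # website is not visible here; confirm that check exists, otherwise
        # hiding a provider does not stop it from being used.
        # A company restriction (provider.company_id vs. request.env.company)
        # was considered by the original author and is not implemented.
        filtered_providers = []
        for provider in providers:
            provider_id = provider.get('id')
            if provider_id:
                # Prefer the record id: client_id is not guaranteed unique, so
                # two providers sharing a client_id on different websites
                # would otherwise resolve to the same arbitrary record.
                provider_rec = Provider.browse(provider_id).exists()
            else:
                # Fallback for dicts that carry no id (not expected from the
                # standard controller, which presumably builds them from the
                # provider records; verify against the installed version).
                provider_rec = Provider.search(
                    [('client_id', '=', provider['client_id'])], limit=1
                )
            if not provider_rec:
                continue

            website = provider_rec.website_id
            if not website or website.id == current_website.id:
                filtered_providers.append(provider)
        return filtered_providers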