To restrict certain URLs in Odoo based on user roles or groups, you can use Odoo’s built-in
access control mechanisms along with custom code in controllers. Here’s how you can achieve
this:
1. Using Access Control Lists (ACLs)
Access Control Lists (ACLs) in Odoo allow you to define which users or groups can read,
write, create, or delete records of specific models.
1. Define a security rule in your module: Create a file named security/[Link]
in your module directory.
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_restricted_model,[Link],model_restricted_model,base.group_user,1,0,0,0
This example grants users who belong to the base.group_user group read-only access to
the [Link] model; it does not grant write, create, or delete.
2. Using Record Rules
Record rules allow you to define more granular access controls based on specific conditions.
1. Define a record rule in your module: Create a file named security/[Link]
in your module directory.
id,name,model_id:id,groups:id,domain_force,perm_read,perm_write,perm_create,perm_unlink
rule_restricted_model,Restricted Model Access,model_restricted_model,base.group_user,"[(1, '=', 1)]",1,0,0,0
This example allows users in the base.group_user group to read all records in the
[Link] model.
3. Restricting Controller URLs
To restrict access to specific URLs based on user roles or groups, you can customize your
controller methods to check the user’s group and redirect or deny access accordingly.
1. Create a custom controller: In your custom module, create a file named
controllers/[Link].
from odoo import http
from odoo.http import request


class MyController(http.Controller):

    @http.route('/restricted/url', type='http', auth='user')
    def restricted_url(self, **kwargs):
        # auth='user' only guarantees a logged-in user; the group is checked here
        user = request.env.user
        if not user.has_group('your_module.your_group'):
            # Redirect to login if the user does not belong to the group
            return request.redirect('/web/login')

        return "Welcome to the restricted URL!"
This example defines a controller that restricts access to the URL /restricted/url
based on whether the user belongs to a specific group.
2. Define the group in your module: Create a file named security/[Link]
in your module directory.
<odoo>
    <data noupdate="1">
        <record id="group_restricted_user" model="res.groups">
            <field name="name">Restricted User</field>
        </record>
    </data>
</odoo>
3. Update the manifest file: Ensure that your manifest file __manifest__.py includes
references to the security files.
{
    'name': 'Your Module',
    'version': '1.0',
    'category': 'Hidden',
    'description': 'Module to restrict URL access based on user roles or groups',
    'depends': ['base'],
    'data': [
        'security/[Link]',
        'security/[Link]',
        'security/[Link]',
        'views/[Link]',
    ],
    'installable': True,
    'application': False,
}
4. Grant the Group to Users
Make sure the users who should have access to the restricted URL are added to the
group_restricted_user group.
This setup ensures that specific URLs in Odoo are restricted based on user roles or groups
using a combination of ACLs, record rules, and custom controller code.
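The group check from section 3 can be factored into a reusable decorator so that every restricted route applies it the same way. The sketch below is an added example, not code from the original page or from Odoo. The names require_group, Forbidden, FakeUser and demo are hypothetical, the module name your_module is the page's placeholder, and the choice to answer with a 403 instead of a redirect to the login page is an assumption of this example.

```python
import functools


class Forbidden(Exception):
    """Stand-in for an HTTP 403 error so the sketch runs without Odoo installed."""
    code = 403


def _odoo_user():
    # Inside a real module: the logged-in user of the current request.
    from odoo.http import request
    return request.env.user


def require_group(*group_xmlids, get_user=_odoo_user):
    """Let the wrapped controller method run only for members of one of the groups."""
    if not group_xmlids:
        # Fail closed: a route decorated with no groups would otherwise be open.
        raise ValueError("require_group needs at least one group XML ID")

    def decorator(method):
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            user = get_user()
            if not any(user.has_group(g) for g in group_xmlids):
                raise Forbidden("missing group: " + ", ".join(group_xmlids))
            return method(self, *args, **kwargs)
        return wrapper
    return decorator


class FakeUser:
    """Constructed test double exposing only has_group()."""
    def __init__(self, *groups):
        self._groups = set(groups)

    def has_group(self, xmlid):
        return xmlid in self._groups


GROUP = "your_module.group_restricted_user"  # group id from security XML above


def demo(user):
    class MyController:  # in Odoo: http.Controller, with @http.route above @require_group
        @require_group(GROUP, get_user=lambda: user)
        def restricted_url(self, **kwargs):
            return "Welcome to the restricted URL!"
    try:
        return MyController().restricted_url()
    except Forbidden as exc:
        return exc.code
```

The group XML ID passed to the check must match the id of the group record that users are actually added to, prefixed with the module's technical name.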