By: Vishnu P

Overview of the Authenticated Controller in Odoo 19

Introduction

In Odoo, controllers play a vital role in handling web requests and returning responses. They are the foundation for creating custom web pages, dashboards, and APIs. Some pages need to be publicly available, while others should only be accessible to logged-in users. To manage this, Odoo provides a way to create authenticated controllers that ensure access is restricted to authorized users.

This article explains what authenticated controllers are, why they are important, and how you can create one in Odoo 19. It also includes examples, practical use cases, and best practices to help you implement them correctly.

What Are Authenticated Controllers?

An authenticated controller is a controller in Odoo that allows access only to logged-in users. When a user tries to access a route defined in an authenticated controller, Odoo automatically checks if they are logged in. If they are not, Odoo redirects them to the login page. Once they log in successfully, the system allows them to access the requested page.

Odoo handles authentication through sessions and cookies. When a user logs in, a session is created and linked to that user. Every request made by the same browser carries that session, allowing Odoo to identify the user and apply the proper permissions. This ensures that only authenticated users can access protected routes.

Authentication Modes in Odoo

Odoo’s @http.route() decorator includes an auth parameter, which controls how users are allowed to access a specific route. It supports three main modes:

  • public – Allows anyone to access the route, even if they are not logged in. This is commonly used for website pages, product listings, or forms that are open to all visitors.
  • user – Allows only logged-in users to access the route. If the user is not logged in, Odoo redirects them to the login page. This is the standard option for authenticated controllers.
  • none – Does not use Odoo’s session or authentication system. This mode is useful when you need to handle custom authentication logic, such as external API integrations or webhooks.

When you want to restrict access to logged-in users, you should always use auth='user'.

How to Create an Authenticated Controller in Odoo 19

Creating an authenticated controller in Odoo 19 is simple. Start by creating a new Python file inside your module’s controllers directory. Then import the required classes from Odoo, create a controller class, and define a route with auth='user'.

Example:

from odoo import http
from odoo.http import request


class MyAuthenticatedController(http.Controller):

    # auth='user' rejects anonymous visitors before this method runs
    @http.route('/my_module/authenticated_page', type='http', auth='user', website=True)
    def authenticated_page(self, **kw):
        # request.env is bound to the logged-in user's session
        user = request.env.user
        return request.render('my_module.authenticated_template', {
            'user_name': user.name,
            'message': 'Welcome to your authenticated page!',
        })

In this example, the route /my_module/authenticated_page is accessible only to logged-in users. When someone visits the page without logging in, Odoo automatically redirects them to the login screen. After successful login, they are redirected back to the requested page.

Authenticated JSON API

You can also use authenticated controllers to build secure APIs. By using type='json' with auth='user', you can ensure that only logged-in users can make API calls.

Example:

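from odoo import http
from odoo.http import request


class MyAPIController(http.Controller):

    # type='json' with auth='user': only a logged-in session can call this endpoint
    @http.route('/my_module/get_user_info', type='json', auth='user')
    def get_user_info(self):
        # Return only the caller's own record, taken from the session
        user = request.env.user
        return {
            'id': user.id,
            'name': user.name,
            'email': user.email,
        }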

This route returns the logged-in user’s basic information in JSON format. It is commonly used in frontend JavaScript integrations or mobile apps that interact with Odoo.

When working with authenticated controllers, it is important to follow a few good practices. Always use auth='user' for any route that handles private or sensitive data. If your controller interacts with Odoo models, make sure the logged-in user has proper access rights and record rules. For frontend routes that render templates, use website=True. For data-focused endpoints or AJAX calls, use type='json'.
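
A static check for two of the practices above (the auth mode declared on each route, and model access that stays subject to the user's access rights and record rules), as an added example that is not part of the original article or of Odoo itself. It parses controller source with Python's ast module and flags routes declared auth='public' or auth='none' as well as handlers that call sudo(); the sample source, route paths and function names are constructed for illustration.

```python
import ast

# Constructed sample controller source, parsed only (never imported or executed).
SAMPLE = '''
class Demo(http.Controller):
    @http.route('/demo/page', type='http', auth='user', website=True)
    def page(self, **kw):
        return request.render('demo.tpl', {'name': request.env.user.name})

    @http.route('/demo/order', type='json', auth='user')
    def order(self, order_id):
        return request.env['sale.order'].sudo().browse(order_id).read(['name'])

    @http.route('/demo/hook', type='http', auth='none')
    def hook(self, **kw):
        return 'ok'
'''


def route_kwargs(func):
    """Return the keyword arguments of a route(...) decorator, or None."""
    for dec in func.decorator_list:
        if isinstance(dec, ast.Call):
            name = getattr(dec.func, 'attr', getattr(dec.func, 'id', ''))
            if name == 'route':
                return {kw.arg: kw.value for kw in dec.keywords}
    return None


def audit_routes(source):
    """Map each routed handler name to a list of review findings."""
    findings = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        kwargs = route_kwargs(node)
        if kwargs is None:
            continue  # plain method, not a route
        issues = []
        auth = kwargs.get('auth')
        if not isinstance(auth, ast.Constant):
            issues.append('auth missing or not a literal: confirm the effective mode')
        elif auth.value in ('public', 'none'):
            issues.append(f'auth={auth.value!r}: reachable without login')
        if any(isinstance(n, ast.Attribute) and n.attr == 'sudo'
               for n in ast.walk(node)):
            issues.append('sudo(): bypasses access rights and record rules')
        findings[node.name] = issues
    return findings
```

Run audit_routes() over each file in a module's controllers directory during review; a finding is a prompt to check the handler, not proof of a flaw, since a public route or a sudo() call can be intentional.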

Common Issues and Solutions

If you face an “Access Denied” error after login, check the access rights of the user on the models involved. If you are building routes for portal users, ensure the users belong to the “Portal” group. When testing routes that are not part of the website, remove the website=True attribute from the decorator.

Authenticated controllers are a key part of developing secure, reliable, and user-friendly applications in Odoo 19. They help you restrict access, protect sensitive data, and provide personalized experiences for each user. By using the auth='user' parameter and following best practices, you can create controllers that integrate seamlessly with Odoo’s authentication and access control system.
