API RPC Access Control Firewall

$ 48.99

v 18.0 Third Party

Availability	Odoo Online Odoo.sh On Premise
Community Apps Dependencies	Show API RPC Audit Log Monitor
Lines of code	633
Technical Name	`dff_api_rpc_access`
License	OPL-1

You bought this module and need support? Click here!

Availability	Odoo Online Odoo.sh On Premise
Community Apps Dependencies	Show API RPC Audit Log Monitor
Lines of code	633
Technical Name	`dff_api_rpc_access`
License	OPL-1

Description
License

API / RPC Access Control Firewall

Secure Odoo with API user whitelist and blacklist
Tường lửa bảo mật kiểm soát truy cập API theo Công ty / User

Protect your Odoo database from unauthorized API integrations and data leaks. Easily define which users can access XML/JSON-RPC endpoints and limit their access to specific companies. Essential for Enterprise security compliance.
Bảo vệ hệ thống Odoo khỏi các truy cập API trái phép. Dễ dàng định nghĩa user nào được gọi XML/JSON-RPC, giới hạn theo từng công ty. Công cụ bảo mật không thể thiếu cho hệ thống Enterprise tích hợp nhiều bên.

Odoo 18 CE & EE | Enterprise-Grade Security | Multi-Company Ready | End-Point Protection

The Problem / Vấn đề

By default, any active user in Odoo with a password can call the XML-RPC / JSON-RPC endpoints. For a multi-company enterprise with external integrations (E-commerce, WMS), a compromised user account means your entire database could be queried, modified, or deleted externally without you knowing.

Mặc định, bất kỳ user nào có mật khẩu cũng có thể gọi API vào Odoo. Nếu user đó bị lộ mật khẩu, toàn bộ dữ liệu hệ thống có thể bị đánh cắp hoặc phá hoại từ bên ngoài mà bạn không hề hay biết.

The Solution / Giải pháp

This module creates an API Firewall. It intercepts all incoming RPC calls, checks if the user is explicitly whitelisted for API access, validates their company permissions, and instantly rejects unauthorized calls before they reach your database models.

Module xây dựng một Tường lửa API. Mọi yêu cầu gọi RPC từ ngoài vào đều được kiểm duyệt xem user có được cấp quyền truy cập API không, và có được truy cập vào dữ liệu công ty đó không.

Core Features / Tính năng chính

User Whitelisting / Blacklisting

Explicitly block all standard users from API access and strictly whitelist only dedicated integration accounts.
Chỉ định chính xác User nào mới được quyền gọi API (XML/JSON-RPC), chặn các nhân viên thông thường.

Multi-Company Scoping

Assign API access rules per company. An integration user for Company A cannot interact with data from Company B via API.
Giới hạn truy cập API theo công ty (Hỗ trợ mô hình Multi-Company).

Real-time Rejection

Unauthorized API attempts are blocked instantaneously at the dispatcher level, before reaching any Odoo models.
Các yêu cầu API trái phép bị chặn tức thì ở tầng dispatcher, trước khi tiếp cận dữ liệu.

Lightweight Architecture

Operates seamlessly at the controller level without slowing down your system. Request validation happens in milliseconds.
Hoạt động cực nhẹ ở tầng controller, kiểm tra quyền và phản hồi chỉ trong vài mili-giây.

Access Control Policy Management

Define specific API users directly from the General Settings.
Giao diện thiết lập danh sách user được phép gọi API.

API RPC Access Policy configuration view showing User and Company settings

How To Use / 3 Bước Đơn Giản

Install App

Install the firewall module from Apps menu.
Cài đặt module từ menu Apps.

Configure

Add an API user to the whitelist in Settings > External RPC Audit.
Thêm user API vào danh sách cho phép trong Cấu hình.

Automatic Protection

API calls from non-whitelisted users (or blacklisted users) are instantly rejected.
Các user chưa được phép sẽ tự động bị chặn khỏi kết nối API.

Frequently Asked Questions (FAQ)

Will this block my internal employees from logging into Odoo UI?

No. The firewall only intercepts `/xmlrpc` and `/jsonrpc` external calls. Users logging in via the web browser interface (`/web/login`) are completely unaffected.
(Không. Tường lửa chỉ chặn kết nối qua endpoint api từ ngoài vào, không ảnh hường giao diện web của nhân viên.)

How does it handle multiple companies?

The firewall evaluates the whitelist/blacklist based on the API user's default company. It intercepts the RPC connection itself, independent of record-level rules.
(Tường lửa đọc công ty mặc định của user gọi API và kiểm tra danh sách chặn của riêng công ty đó.)

Is this module compatible with Odoo Enterprise?

100% Compatible. The module works perfectly on both Odoo 18 Community (CE) and Odoo 18 Enterprise (EE) as it hooks directly into the low-level RPC dispatcher.
(Tương thích 100% với cả Odoo 18 Community và Odoo 18 Enterprise.)

Technical Details

Compatibility

Odoo 18 Community Edition (CE) & Enterprise
Depends on: dff_api_rpc_log (API RPC Audit Log)
Inherits native dispatcher hook from the base log module

Security Layer

Evaluates rules before payload dispatch
Throws native `odoo.exceptions.AccessDenied` for rejected payloads

Premium Support & Maintenance

Priority Assistance

As a premium module, you receive priority bug fixing and assistance configuring your first API firewall policies to ensure your system is secure.

Security Updates

I actively maintain this security module to ensure it conforms to the latest Odoo 18 RPC dispatcher standards and mitigations.

Contact Developer

Odoo Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed,
modified, executed after modifications) if you have purchased a valid license
from the authors, typically via Odoo Apps, or if you have received a written
agreement from the authors of the Software (see the COPYRIGHT file).

You may develop Odoo modules that use the Software as a library (typically
by depending on it, importing it and using its resources), but without copying
any source code or material from the Software. You may distribute those
modules under the license of your choice, provided that this license is
compatible with the terms of the Odoo Proprietary License (For example:
LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software
or modified copies of the Software.

The above copyright notice and this permission notice must be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Please log in to comment on this module

The author can leave a single reply to each comment.
This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
If you want to start a discussion with the author or have a question related to your purchase, please use the support page.