| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Odoo Apps Dependencies |
Discuss (mail)
|
| Lines of code | 824 |
| Technical Name |
gb_ip_allow_list_login_geofencing |
| License | OPL-1 |
| Website | https://gencbaris.com/odoo_plugins/ |
| Versions | 18.0 19.0 |
| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Odoo Apps Dependencies |
Discuss (mail)
|
| Lines of code | 824 |
| Technical Name |
gb_ip_allow_list_login_geofencing |
| License | OPL-1 |
| Website | https://gencbaris.com/odoo_plugins/ |
| Versions | 18.0 19.0 |
IP Allow-List & Login Geo
Restrict logins by IP / CIDR / country and alert on out-of-policy access
Odoo authentication is reachable from anywhere by default, which is a real exposure for admin accounts and a gap when pursuing Cyber Essentials or tightening internal controls. This module restricts logins to approved IPs, CIDR ranges and countries through gb.ip.rule records with allow or deny policies, optionally scoped to specific users or groups. A deny-first allow-list engine evaluates each login through a safe post-auth hook that only fires on successful core authentication, so it never leaks account existence or breaks instance-wide login. Run in monitor mode to log and alert without blocking, or enforce mode to deny out-of-policy access, controlled by a master switch. Every attempt is recorded with source IP, resolved country, matched rule and decision for a clean audit trail, and analytics surface impossible-travel and top offending IPs. The country resolver is a dependency-free, pluggable IP-to-country map.
Key Features
IP, CIDR and country allow/deny rules
Each gb.ip.rule matches a single IP, a CIDR network (e.g. 10.0.0.0/8) or an ISO country, with a policy of allow or deny validated through Python's ipaddress module. _matches_ip resolves the source against the rule so you express exactly which networks and countries may authenticate.
Deny-first, allow-list evaluation
_geo_evaluate applies in-scope rules in a clear order: an explicit deny match blocks immediately, and if any allow rules exist the source must match one or it is treated as out of policy. The decision is a pure function over the rule set, returning the matched rule, reason and resolved country.
Per-user and per-group scoping
A rule's scope is global, specific users, or specific groups, and _applies_to_user checks v19 group_ids membership. Tighten admin logins to the office network while leaving field staff unrestricted, all from one rule list with a global default.
Enforce or monitor with a master switch
ir.config_parameter gb_ip_geo.mode selects enforce (blocked logins raise AccessDenied) or monitor (the same attempt is logged as 'flagged' but allowed through), and gb_ip_geo.enabled is an audit-only kill switch. You can deploy in monitor mode first and avoid instance-wide lockouts.
Safe post-auth login hook
res.users._login runs core authentication first and only evaluates the geofence on success, so it never leaks whether a login exists for bad credentials, and any internal error is caught and the login allowed. The integration cannot break instance-wide authentication.
Full login attempt audit trail
Every evaluation writes a gb.login.attempt with login, source_ip, resolved country, decision (allowed/blocked/flagged), reason and matched rule, exposed through a SQL-view report. This is the access-control evidence Cyber Essentials and internal controls require.
Threat analytics and impossible travel
Helpers compute attempt_stats, top_offending_ips and detect_impossible_travel (the same login seen from two countries within a time window). Out-of-policy attempts post an alert to the chatter, and action_create_allow_rule whitelists a source IP in one click.
Pluggable country resolver and hygiene tools
gb.ip.country.map resolves an IP to a country from admin-entered CIDR blocks with no external GeoIP dependency, and _resolve_country can be overridden for a real database. find_overlaps flags conflicting IP rules and import_allow_cidrs bulk-creates allow rules from a CIDR list. A cron purges old attempts per retention setting.
Use Cases
Screenshots
Login Analysis
Why Choose This Module
Lock down who can reach your Odoo by restricting authentication to approved IP ranges and countries. Define allow-list rules — a single IP, a CIDR range, or an ISO country code — optionally scope them to specific users or groups, and choose hard enforcement (block) or monitor-only (log and alert). Every login attempt is recorded for a clean audit trail.
Specifications
- Compatible: Odoo 18.0 / 19.0
- License: LGPL-3
- Languages: 35+
- Author: Baris Genc
- Dependencies: base, mail
- Support: odoo@gencbaris.com
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please log in to comment on this module