-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[TODO] issue with public service [help needed] #1093
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
28a9c10
to
d7fab2c
Compare
do not merge I need to add a test for reproducing the bug. Also I have changed the code after the approve. |
d7fab2c
to
7ebd351
Compare
This PR has the |
This PR has the |
I think that for these cases using sudo is fine. Having tests would be great. |
@@ -43,8 +43,10 @@ def _get_backend(self): | |||
website_unique_key = self.request.httprequest.environ.get( | |||
"HTTP_WEBSITE_UNIQUE_KEY" | |||
) | |||
return self.env["shopinvader.backend"]._get_from_website_unique_key( | |||
website_unique_key | |||
return ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sebastienbeau IMO we should never use sudo in this case... Services are run with a technical user. Therefore, the technical user should have the right to read backend information.
Let's clarify a little bit. /cart (add a product, change qty...) needs the user to be authenticated. It can be with an existing account or anonymously. It's not public. /settings (currencies, supported languages...) can be public, without any authentication.
Having one shopinvader technical user is necessary to use like a public_user. We can also have 2 users (one privilegied with write access), but I do not know if it's worth the effort.
I see website_unique_key like a public identifier, not related to authentication. |
We discussed that at the sprint in Liège we concluded that Indeed when working with a SPA front end, an anonymous user does not have a token at all and there is no concept of user session like with locomotive. Hence the cc/ @lmignon |
I just had to fix this problem temporarely here https://github.com/shopinvader/odoo-shopinvader/pull/1108/commits When you define a route as "public" ATM you must use sudo because the real user will be "Public User" and not the tech one. You don't really want to grant special permissions to the public user IMO and it's also tricky because there's a validation on which groups are assigned to this kind of users (eg: no internal group that might come via implied groups). |
@simahawk Be carefull if you use the "public" auth, you'll nerver get user info if the same service is called by an authenticated user if no odoo session is provided. That's why the |
Thanks for this feedback. I'm working on these issues these days. I will do a recap of our recent findings here. My goal is to let the client (the browser) target the shopinvader api directly — SPA scenario. There is multiple ways to keep a unique cart in a time span : We found some implementation of B and C in the wild for major e-commerce sites. The C) is IMO the more elegant solution. The client always use a jwt token. The good:
The bad:
A) See above for "bind a cart" instead of "bind a user". About permissions:
Agree. |
There hasn't been any activity on this pull request in the past 4 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days. |
To close the loop here, the current approach is summarized in #1510 (comment). |
@kevinkhao @lmignon @simahawk
TODO solve