Client Portal Security: Protecting External User Access in Odoo

Odoo's portal gives external users access to your system. Here's how to ensure they only see what they should — and nothing more.

Photo by GuerrillaBuzz on Unsplash

Odoo's customer portal is a direct window into your business operations. Clients can view their invoices, track orders, sign quotes, and access project updates. This is enormously valuable for client experience — but it also means external, untrusted users have authenticated access to your Odoo database.

Portal Security Risks

1. Over-Permissioned Portal Groups

The default portal access groups are reasonable, but custom modules often add portal users to internal groups during development. We've seen portal users inadvertently given access to all partner records, all invoices, or even project timesheets for other clients.

2. Record Rule Bypass

Record rules are the primary mechanism for limiting what portal users can see. If a custom module exposes a model through the portal but does not define record rules that scope it to the current user, with a domain such as ('user_id', '=', user.id) or ('partner_id', '=', user.partner_id.id), every record of that model is visible to every portal user.

💡 Want to check your Odoo instance for the issues described above? NonaGuard's automated security audit covers all of these checks and more — in under 60 seconds.

3. Direct URL Access

Portal controllers often take record IDs from the URL. Without an access check in the controller method, a portal user can change the ID in the URL and view another client's invoice or order. Always call check_access_rights and check_access_rule on the record in portal controllers before rendering it.
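To make the two points above concrete, here is an added illustration (not Odoo's own code) written as a small pure-Python model: it reproduces how ir.rule domains narrow a search for a given user, and shows a controller that validates access to the requested record next to one that trusts the ID from the URL. The partners, invoices, users, group names and rule domains are constructed for the example; the rule semantics (global rules ANDed, group rules ORed) follow Odoo's documented behaviour.

```python
"""Added illustration, not Odoo's own code: a pure-Python model of how ir.rule
domains narrow a search, and of a portal controller that validates record access
versus one that trusts the ID in the URL. All partners, invoices, users and rule
domains below are constructed for the example."""
from dataclasses import dataclass
from typing import Callable


class AccessError(Exception):
    """Stands in for odoo.exceptions.AccessError."""


@dataclass
class User:
    id: int
    partner_id: int
    commercial_partner_id: int
    groups: frozenset = frozenset()


@dataclass
class Rule:
    """One ir.rule: its groups (empty = global) and a domain built from `user`."""
    name: str
    domain: Callable[[User], list]
    groups: frozenset = frozenset()


# Constructed data: partner 11 is a contact of company 10; 20 is another client.
PARTNERS = {10: {"parent_id": None}, 11: {"parent_id": 10}, 20: {"parent_id": None}}
INVOICES = [
    {"id": 1, "name": "INV/001", "partner_id": 11, "user_id": 5},
    {"id": 2, "name": "INV/002", "partner_id": 20, "user_id": 5},
    {"id": 3, "name": "INV/003", "partner_id": 10, "user_id": 6},
]


def _descendants(partner_id):
    """Partner ids under partner_id, inclusive (Odoo's child_of semantics)."""
    found = {partner_id}
    while True:
        more = {p for p, v in PARTNERS.items() if v["parent_id"] in found and p not in found}
        if not more:
            return found
        found |= more


def matches(record, domain):
    """Evaluate a minimal domain: an implicit AND of (field, op, value) leaves."""
    for fld, op, val in domain:
        if op == "=":
            ok = record[fld] == val
        elif op == "child_of":
            ok = record[fld] in _descendants(val)
        else:
            raise ValueError(f"unsupported operator {op!r}")
        if not ok:
            return False
    return True


def search(records, user, rules, domain=()):
    """Apply rules as Odoo does: caller's domain AND all global rules AND (OR of
    the user's group rules). With no rules, every record is returned, which is
    exactly the failure mode of a portal-exposed model that has no ir.rule."""
    global_rules = [r for r in rules if not r.groups]
    group_rules = [r for r in rules if r.groups & user.groups]
    result = []
    for rec in records:
        if not matches(rec, domain):
            continue
        if not all(matches(rec, r.domain(user)) for r in global_rules):
            continue
        if group_rules and not any(matches(rec, r.domain(user)) for r in group_rules):
            continue
        result.append(rec)
    return result


def browse_unchecked(records, rec_id):
    """Vulnerable pattern: sudo().browse(id) on a URL parameter, no ownership check."""
    return next(r for r in records if r["id"] == rec_id)


def browse_checked(records, user, rules, rec_id):
    """Hardened pattern (what check_access_rule gives you): the record must pass
    the user's own rules or the request is refused."""
    found = search(records, user, rules, [("id", "=", rec_id)])
    if not found:
        raise AccessError(f"user {user.id} may not read invoice {rec_id}")
    return found[0]


# The two domain shapes named in the article, attached to the usual groups.
PORTAL_RULE = Rule("portal: own company's invoices",
                   lambda u: [("partner_id", "child_of", u.commercial_partner_id)],
                   frozenset({"base.group_portal"}))
SALES_RULE = Rule("internal: invoices I am responsible for",
                  lambda u: [("user_id", "=", u.id)], frozenset({"base.group_user"}))
RULES = [PORTAL_RULE, SALES_RULE]

CLIENT_A = User(100, 11, 10, frozenset({"base.group_portal"}))
CLIENT_B = User(101, 20, 20, frozenset({"base.group_portal"}))
SALESPERSON = User(5, 3, 3, frozenset({"base.group_user"}))

if __name__ == "__main__":
    print("no rules:", [r["name"] for r in search(INVOICES, CLIENT_A, [])])
    print("with rules:", [r["name"] for r in search(INVOICES, CLIENT_A, RULES)])
    print("unchecked id 2:", browse_unchecked(INVOICES, 2)["name"])
```

Run it as a script: with no rules client A sees all three invoices; with the portal rule in place, only INV/001 and INV/003 (its own company and the company's contact); and `browse_checked` refuses invoice 2 for client A while `browse_unchecked` happily returns it. The `child_of` on `commercial_partner_id` is used because a portal contact is normally expected to see their company's documents, not only records tied to their own contact id.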

Hardening Your Portal

  1. Audit portal access groups — List all groups assigned to portal users and verify each is intentional
  2. Test with a real portal account — Log in as a portal user and systematically try to access data belonging to other clients
  3. Review custom portal controllers — Every @http.route with auth='user' and type='http' that serves a record needs access validation
  4. Implement rate limiting — Portal users shouldn't be able to make unlimited API calls
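For step 1, the group audit, here is an added example (not NonaGuard's or Odoo's code) that pulls every portal user's groups over Odoo's standard XML-RPC API and flags any group outside an allow-list. It assumes the `share` and `groups_id` fields on res.users and the `module`, `name` and `res_id` fields on ir.model.data, which you should confirm against your version; the allow-list and the sample users are constructed for the example.

```python
"""Added example (not NonaGuard's or Odoo's code): list every portal user's
groups over XML-RPC and flag any outside an allow-list. The /xmlrpc/2 endpoints
and execute_kw are Odoo's standard external API; the field names relied on
(share and groups_id on res.users; module/name/res_id on ir.model.data) are
assumed to match your version, so confirm them against your instance."""
import xmlrpc.client

# Assumption: a plain portal user should carry only this group. Extend the set
# deliberately if your deployment grants portal users something else.
ALLOWED_PORTAL_GROUPS = frozenset({"base.group_portal"})


def fetch_portal_users(url, db, username, password):
    """Return [{'login': ..., 'groups': [xml ids]}] for all share (portal) users."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, username, password, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")

    def call(model, method, *args, **kwargs):
        return models.execute_kw(db, uid, password, model, method, list(args), kwargs)

    users = call("res.users", "search_read", [["share", "=", True]],
                 fields=["login", "groups_id"])
    group_ids = sorted({gid for u in users for gid in u["groups_id"]})
    # Resolve database ids to stable xml ids (module.name) via ir.model.data;
    # a group with no xml id (created in the UI) keeps a res.groups#<id> label.
    data = call("ir.model.data", "search_read",
                [["model", "=", "res.groups"], ["res_id", "in", group_ids]],
                fields=["module", "name", "res_id"])
    xmlid = {d["res_id"]: f"{d['module']}.{d['name']}" for d in data}
    return [{"login": u["login"],
             "groups": [xmlid.get(gid, f"res.groups#{gid}") for gid in u["groups_id"]]}
            for u in users]


def audit_portal_groups(users, allowed=ALLOWED_PORTAL_GROUPS):
    """Return {login: [unexpected group xml ids]} for users holding extra groups.
    An empty dict means every portal user carries only allowed groups."""
    findings = {}
    for u in users:
        extra = sorted(g for g in u["groups"] if g not in allowed)
        if extra:
            findings[u["login"]] = extra
    return findings


# Constructed sample standing in for fetch_portal_users() output: bob has been
# handed internal sales and project groups, the over-permissioning described above.
SAMPLE_USERS = [
    {"login": "alice@client-a.example", "groups": ["base.group_portal"]},
    {"login": "bob@client-b.example",
     "groups": ["base.group_portal", "sales_team.group_sale_manager", "project.group_project_user"]},
]

if __name__ == "__main__":
    # Against a live instance, replace SAMPLE_USERS with
    # fetch_portal_users("https://odoo.example", "dbname", "auditor", "api-key").
    for login, extra in audit_portal_groups(SAMPLE_USERS).items():
        print(f"{login}: unexpected groups {extra}")
```

Groups are compared by xml id rather than display name because names are translatable and version-dependent, while xml ids such as base.group_portal are stable across installs. Any group that resolves to no xml id at all is reported too, which catches groups created ad hoc in the UI during development.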

NonaGuard checks for portal permission escalation risks, orphaned portal accounts, and misconfigured external access groups. Run a portal security scan.

🛡️ Check Your Odoo Security Posture

NonaGuard scans for permission vulnerabilities, exposed API surfaces, missing 2FA, and 200+ other security checks. Get your security score in under 60 seconds.

Run a Free Security Scan →