Skip to content

connect: remove Twilio webhook service account, use sudo() in webhook controllers#142

Open
litnimax wants to merge 4 commits into
19.0from
litnimax/remove-twilio-portal-user
Open

connect: remove Twilio webhook service account, use sudo() in webhook controllers#142
litnimax wants to merge 4 commits into
19.0from
litnimax/remove-twilio-portal-user

Conversation

@litnimax

Copy link
Copy Markdown
Member

Summary

Removes the dedicated Twilio webhook service account (user_connect_webhook) and its group_connect_webhook security group. Webhook controllers now authenticate the request via Twilio signature verification and escalate to sudo() instead of relying on a portal service user.

Changes

  • Drop the webhook service account: removed connect/data/res_users.xml, the group_connect_webhook group in connect/security/groups.xml, and all security/webhook.xml ACL/rule files across connect, connect_crm, connect_elevenlabs, and connect_elevenlabs_helpdesk.
  • Webhook controllers use sudo(): twilio_webhooks.py and connect_elevenlabs/controllers/main.py now run under sudo() behind Twilio signature validation.
  • Chatter authorship: messages authored by base.partner_root (OdooBot) in message.py / whatsapp_sender.py.
  • Migration 2.0.3: post-migrate.py archives the webhook user's partner (kept for historical chatter references) and removes the now-noupdate user record.
  • Comment cleanup: recording-privilege comment in groups.xml no longer references the removed Webhook access level.

Notes

  • All affected module versions are bumped so the removed group/ACL/rule records are garbage-collected on upgrade.
  • self.env.su check in connect_website.route_call works for both the direct webhook path (controller .sudo()) and the connect.twiml.render path (which calls self.sudo()).

litnimax added 3 commits July 5, 2026 02:36
…ontrollers

Twilio (and ElevenLabs) webhook requests are already authenticated by
signature validation, so the dedicated portal user 'connect' is not
needed. Webhook controllers now run with sudo() instead of switching to
the service account.

- remove connect.user_connect_webhook and its password reset logic
- remove group_connect_webhook and all its ACLs/record rules across
  connect, connect_crm, connect_elevenlabs, connect_elevenlabs_helpdesk
- connect_website: guard route_call by env.su instead of the webhook group
- chatter authored by the webhook partner now uses OdooBot (partner_root)
- migration 2.0.3 deletes (or archives as fallback) the old user on upgrade

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7008c8837f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

if not self.check_signature(kw):
return '<Response><Say>Invalid Twilio request!</Say></Response>'
domain = request.env['connect.domain'].with_user(request.env.ref("connect.user_connect_webhook"))
domain = request.env['connect.domain'].sudo()

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Keep webhook sudo behind mandatory authentication

When twilio_verify_requests is disabled, check_signature() returns True without validating any header, but this public route now proceeds with sudo(). In that configuration, unauthenticated callers can reach the domain/call/message webhook handlers with superuser privileges, whereas before they still ran as the limited webhook service user; please require a separate mandatory secret before escalating or avoid sudo() when signature verification is off.

Useful? React with 👍 / 👎.

Drop the twilio_verify_requests toggle (a leftover from the demo
version). Webhook controllers now run with sudo(), so signature
validation must be unconditional.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant