connect: remove Twilio webhook service account, use sudo() in webhook controllers#142
connect: remove Twilio webhook service account, use sudo() in webhook controllers#142litnimax wants to merge 4 commits into
Conversation
…ontrollers Twilio (and ElevenLabs) webhook requests are already authenticated by signature validation, so the dedicated portal user 'connect' is not needed. Webhook controllers now run with sudo() instead of switching to the service account. - remove connect.user_connect_webhook and its password reset logic - remove group_connect_webhook and all its ACLs/record rules across connect, connect_crm, connect_elevenlabs, connect_elevenlabs_helpdesk - connect_website: guard route_call by env.su instead of the webhook group - chatter authored by the webhook partner now uses OdooBot (partner_root) - migration 2.0.3 deletes (or archives as fallback) the old user on upgrade
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7008c8837f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if not self.check_signature(kw): | ||
| return '<Response><Say>Invalid Twilio request!</Say></Response>' | ||
| domain = request.env['connect.domain'].with_user(request.env.ref("connect.user_connect_webhook")) | ||
| domain = request.env['connect.domain'].sudo() |
There was a problem hiding this comment.
Keep webhook sudo behind mandatory authentication
When twilio_verify_requests is disabled, check_signature() returns True without validating any header, but this public route now proceeds with sudo(). In that configuration, unauthenticated callers can reach the domain/call/message webhook handlers with superuser privileges, whereas before they still ran as the limited webhook service user; please require a separate mandatory secret before escalating or avoid sudo() when signature verification is off.
Useful? React with 👍 / 👎.
Drop the twilio_verify_requests toggle (a leftover from the demo version). Webhook controllers now run with sudo(), so signature validation must be unconditional.
Summary
Removes the dedicated Twilio webhook service account (
user_connect_webhook) and itsgroup_connect_webhooksecurity group. Webhook controllers now authenticate the request via Twilio signature verification and escalate tosudo()instead of relying on a portal service user.Changes
connect/data/res_users.xml, thegroup_connect_webhookgroup inconnect/security/groups.xml, and allsecurity/webhook.xmlACL/rule files acrossconnect,connect_crm,connect_elevenlabs, andconnect_elevenlabs_helpdesk.sudo():twilio_webhooks.pyandconnect_elevenlabs/controllers/main.pynow run undersudo()behind Twilio signature validation.base.partner_root(OdooBot) inmessage.py/whatsapp_sender.py.post-migrate.pyarchives the webhook user's partner (kept for historical chatter references) and removes the now-noupdateuser record.groups.xmlno longer references the removed Webhook access level.Notes
self.env.sucheck inconnect_website.route_callworks for both the direct webhook path (controller.sudo()) and theconnect.twiml.renderpath (which callsself.sudo()).