RuntimeError when accessing the current request on XML-RPC calls #24183

yajo · 2018-04-11T12:33:31Z

Impacted versions: 8-11

Current behavior:

If during an XMLRPC call you try to get anything from http.request, you'd get a RuntimeError such as this one:

Traceback (most recent call last):
  File "/opt/odoo/custom/src/odoo/odoo/service/wsgi_server.py", line 56, in xmlrpc_return
    result = odoo.http.dispatch_rpc(service, method, params)
  File "/opt/odoo/custom/src/odoo/odoo/http.py", line 118, in dispatch_rpc
    result = dispatch(method, params)
  File "/opt/odoo/custom/src/odoo/odoo/service/common.py", line 57, in dispatch
    return g[exp_method_name](*params)
  [...]
  File "/usr/local/lib/python2.7/dist-packages/werkzeug/local.py", line 343, in __getattr__
    return getattr(self._get_current_object(), name)
  File "/usr/local/lib/python2.7/dist-packages/werkzeug/local.py", line 302, in _get_current_object
    return self.__local()
  File "/usr/local/lib/python2.7/dist-packages/werkzeug/local.py", line 135, in _lookup
    raise RuntimeError(\'object unbound\')
RuntimeError: object unbound

This renders imposible in practice to fix issues such as OCA/server-tools#1125 or to implement #22212 (comment).

Expected behavior:

XML-RPC calls should have request, since after all they belong to one. Otherwise, at least there should be an alternate way to access the request parameters.

Fix for v12: #24187

@Tecnativa

The text was updated successfully, but these errors were encountered:

To fix OCA#1125 I needed to refactor the addon. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied. This PR is implemented assuming odoo/odoo#24187 will be merged and backported.

nhomar · 2018-04-12T16:03:20Z

@yajo Can you share a snippet of the script you are using, please? I can not reproduce on my side.

yajo · 2018-04-16T06:11:38Z

Yes, you need to try to get the request details from a method that can be called from a XMLRPC call. I.e.:

from odoo import api, http, models
class ResUsers(models.Model):
  @api.model
  def check_credentials(self):
    # Log the remote login IP
    print(http.request.httprequest.remote_addr)
    return super(ResUsers, self).check_credentials()

Then you have to connect to that database through XMLRPC and execute that method. In the example, that happens just by authenticating, like explained in the docs.

A quick search revealed related issues such as #21530 or #14939.

odony · 2018-04-16T16:07:46Z

This is the expected behavior as of today, as the XML-RPC layer is implemented separately from the regular web layer. This is from historical reasons, and originally allowed the XML-RPC stack to operate without the web client.
You could either rephrase this issue as a Wishlist request for converting the XMLRPC layer to a normal controller, or close it as "not a bug".

Issues like #21530 or #14939 seem to indicate that odoo.http.request was used without precautions in addons code where it is not guaranteed to exist (e.g. when called via XMLRPC, or when invoked by an ir.cron job, etc.)

To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.

This way, XMLRPC calls can get request details form the standard `odoo.http.request` system. Move jsonrpc to the same controller while at it, for coherence. Fix odoo#24183

This way, XMLRPC calls can get request details form the standard `odoo.http.request` system. Move jsonrpc to the same controller while at it, for coherence. Fix #24183

MiquelRForgeFlow · 2018-05-09T10:16:33Z

This can be closed, right?

To fix #1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.

To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied. [FIX] auth_brute_force: Small typos - The `whitelisted` field needs to exist in view to be usable. - The correct class is `decoration-danger` for tree views.

To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied. [FIX] auth_brute_force: Small typos (#1250) - The `whitelisted` field needs to exist in view to be usable. - The correct class is `decoration-danger` for tree views.

…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied. [FIX] auth_brute_force: Small typos (OCA/server-tools#1250) - The `whitelisted` field needs to exist in view to be usable. - The correct class is `decoration-danger` for tree views.

…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied. [FIX] auth_brute_force: Small typos (OCA/server-tools#1250) - The `whitelisted` field needs to exist in view to be usable. - The correct class is `decoration-danger` for tree views. [FIX] auth_brute_force: Fix addon requirement computation (OCA/server-tools#1251) Include HACK for odoo/odoo#24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.

To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.

…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.

To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.

…1219) To fix OCA/server-tools#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded. The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.

yajo mentioned this issue Apr 11, 2018

Rate-limit login attempts after a number of failures. #22212

Merged

yajo changed the title ~~Not possible to access the current request on XML-RPC calls~~ RuntimeError when accessing the current request on XML-RPC calls Apr 11, 2018

Yenthe666 added Framework General frontend/backend framework issues 11.0 10.0 9.0 labels Apr 11, 2018

yajo mentioned this issue Apr 11, 2018

[IMP] Convert XMLRPC handler to a regular HTTP controller #24187

Merged

yajo mentioned this issue Apr 12, 2018

[REF] auth_brute_force: Cover all auth entrypoints OCA/server-tools#1219

Merged

nhomar added the Need information the reports lacks of information label Apr 12, 2018

odony added Wishlist and removed Need information the reports lacks of information labels Apr 16, 2018

xmo-odoo pushed a commit that referenced this issue May 9, 2018

[IMP] Handle XMLRPC calls from standard controllers

285ead2

This way, XMLRPC calls can get request details form the standard `odoo.http.request` system. Move jsonrpc to the same controller while at it, for coherence. Fix #24183

xmo-odoo closed this as completed May 9, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RuntimeError when accessing the current request on XML-RPC calls #24183

RuntimeError when accessing the current request on XML-RPC calls #24183

yajo commented Apr 11, 2018 •

edited

nhomar commented Apr 12, 2018

yajo commented Apr 16, 2018

odony commented Apr 16, 2018

MiquelRForgeFlow commented May 9, 2018

RuntimeError when accessing the current request on XML-RPC calls #24183

RuntimeError when accessing the current request on XML-RPC calls #24183

Comments

yajo commented Apr 11, 2018 • edited

Current behavior:

Expected behavior:

nhomar commented Apr 12, 2018

yajo commented Apr 16, 2018

odony commented Apr 16, 2018

MiquelRForgeFlow commented May 9, 2018

yajo commented Apr 11, 2018 •

edited