account_shared_bank_cash/models/ir_http.py


# -*- coding: utf-8 -*-
from odoo import models
from odoo.http import request
import logging
# Module-level logger, named after this module, used for the sanitization
# warning and the debug message emitted when sanitization fails.
_logger = logging.getLogger(__name__)
class IrHttp(models.AbstractModel):
    """Extension of ``ir.http`` that trims the session's company list before dispatch."""

    _inherit = 'ir.http'

    @classmethod
    def _pre_dispatch(cls, rule, args):
        """Restrict ``allowed_company_ids`` to companies the user may access.

        Runs ahead of the parent ``_pre_dispatch``. When the request has a
        user and the session context carries ``allowed_company_ids``, every
        ID missing from ``request.env.user._get_company_ids()`` is dropped.
        If nothing is left, the list becomes the user's own ``company_id``.
        The cleaned list is written to both the session context and the
        request context.

        The stated purpose is to avoid the AccessError raised from
        environments.py when a stale ``cids`` browser cookie still names
        companies (typically a former parent company) the user no longer
        has in their allowed list.

        The filter only ever narrows the list (the fallback aside), so it
        cannot grant access to a company outside the user's authorized set.
        Any exception raised while sanitizing is swallowed: the context is
        left as it was and the request continues to the parent hook.

        :param rule: forwarded unchanged to the parent ``_pre_dispatch``.
        :param args: forwarded unchanged to the parent ``_pre_dispatch``.
        :return: whatever the parent ``_pre_dispatch`` returns.
        """
        try:
            requested_ids = None
            if request.env.uid:
                requested_ids = request.session.context.get('allowed_company_ids')
            if requested_ids:
                current_user = request.env.user
                authorized_ids = set(current_user._get_company_ids())
                # Keep only IDs the user is authorized for, in their original
                # order; unknown IDs are discarded, never substituted.
                kept_ids = [cid for cid in requested_ids if cid in authorized_ids]
                # Nothing survived the filter: fall back to the user's own
                # company (presumably part of the authorized set - confirm).
                kept_ids = kept_ids or [current_user.company_id.id]
                if kept_ids != requested_ids:
                    # The warning records who was affected and which IDs were
                    # rejected, so repeated stale or unexpected values can be
                    # spotted in the logs.
                    _logger.warning(
                        "IrHttp: sanitizing allowed_company_ids for %s: %s -> %s",
                        current_user.login, requested_ids, kept_ids,
                    )
                    request.session.context['allowed_company_ids'] = kept_ids
                    request.update_context(allowed_company_ids=kept_ids)
        except Exception as e:
            # Best effort: a failure here must not block the request.
            # NOTE(review): at debug level, and without a traceback, a
            # sanitizer that fails on every request stays invisible in most
            # deployments - consider a higher level or exc_info.
            _logger.debug("IrHttp: could not sanitize company context: %s", e)
        return super()._pre_dispatch(rule, args)