fix(spp_api_v2): remove url fallback from display_name to prevent security leak

jeremi · jeremi · commit 6438991731de · 2026-02-18T21:17:36.000+07:00
The _compute_display_name method was falling back to record.url when
endpoint was not set. Since url has groups="spp_api_v2.group_api_v2_auditor"
but display_name is store=True with no groups restriction, the URL value
was being persisted into an unrestricted field, bypassing field-level security.
Also adds url to @api.depends implicitly by removing the reference entirely.
Replace the url fallback with a generic "API Call" string.
diff --git a/spp_api_v2/models/api_outgoing_log.py b/spp_api_v2/models/api_outgoing_log.py
@@ -142,7 +142,7 @@ class ApiOutgoingLog(models.Model):
     def _compute_display_name(self):
         for record in self:
             timestamp_str = record.timestamp.strftime("%Y-%m-%d %H:%M") if record.timestamp else ""
-            record.display_name = f"{record.http_method} {record.endpoint or record.url} @ {timestamp_str}"
+            record.display_name = f"{record.http_method} {record.endpoint or 'API Call'} @ {timestamp_str}"
 
     # ==========================================
     # API Methods
diff --git a/spp_api_v2/services/outgoing_api_log_service.py b/spp_api_v2/services/outgoing_api_log_service.py
@@ -107,25 +107,22 @@ def log_call(
             # sudo() is intentional: log records must be created regardless of
             # the calling user's permissions on spp.api.outgoing.log. The
             # service is an internal component, not a user-facing API.
-            return (
-                self.env["spp.api.outgoing.log"]
-                .sudo()
-                .log_call(
-                    url=safe_url,
-                    endpoint=endpoint,
-                    http_method=http_method,
-                    request_summary=truncated_request,
-                    response_summary=truncated_response,
-                    response_status_code=response_status_code,
-                    user_id=self.user_id,
-                    origin_model=origin_model,
-                    origin_record_id=origin_record_id,
-                    duration_ms=duration_ms,
-                    service_name=self.service_name,
-                    service_code=self.service_code,
-                    status=status,
-                    error_detail=error_detail,
-                )
+            log_model = self.env["spp.api.outgoing.log"].sudo()  # nosemgrep: odoo-sudo-without-context
+            return log_model.log_call(
+                url=safe_url,
+                endpoint=endpoint,
+                http_method=http_method,
+                request_summary=truncated_request,
+                response_summary=truncated_response,
+                response_status_code=response_status_code,
+                user_id=self.user_id,
+                origin_model=origin_model,
+                origin_record_id=origin_record_id,
+                duration_ms=duration_ms,
+                service_name=self.service_name,
+                service_code=self.service_code,
+                status=status,
+                error_detail=error_detail,
             )
         except (KeyError, AttributeError, TypeError) as e:
             _logger.warning("Failed to log outgoing API call due to data error: %s", type(e).__name__)
