A build-to-order Odoo security module that restricts user logins to approved IP addresses and CIDR ranges. ECOSIRE scopes, builds, installs and supports it for your Odoo 17/18/19 environment — a made-to-order engagement, not an instant download. Built to order by ECOSIRE for Odoo 17, 18, 19 — indicative price from $249.00 USD; request a quote for a scoped proposal.
App manifest
Built around your workflow
A build-to-order Odoo security module that restricts user logins to approved IP addresses and CIDR ranges. ECOSIRE scopes, builds, installs and supports it for your Odoo 17/18/19 environment — a made-to-order engagement, not an instant download.
No DIY setup — a working app, built, installed and supported by ECOSIRE.
Start with a one-time build price. We scope it with you at kickoff.
ECOSIRE builds, configures and installs it on your Odoo.
You go live in about 2–4 weeks, with a post-launch support window.
Most Odoo deployments trust any device that presents a valid password, so a leaked credential, a phished login, or a reused session cookie can reach your ERP from anywhere on the internet. Odoo core gives you strong password policies, optional two-factor authentication, and group-based access rights via ir.model.access.csv and record rules — but it has no native concept of a network boundary. Nothing in the standard product lets you say "the accounting team may only authenticate from the office range, the API integration user only from our fixed server IP, and administrators only from the VPN." Auditors, ISO 27001 programs, and many finance and healthcare mandates expect exactly that network-layer control, and out of the box Odoo simply cannot enforce it.
Access Restriction By IP is the build-to-order module ECOSIRE designs to close that gap. We build an allowlist engine that hooks the authentication flow (res.users._login / _check_credentials plus session validation) so that after credentials pass, the request's source IP is evaluated against your rules before a session is granted. Rules live on new models (for example ecosire.ip.rule) with fields.Char CIDR entries validated by an @api.constrains using Python's ipaddress library, linked many2many to res.users and res.groups, and administered from clean backend views (XML/OWL list and form) governed by ir.model.access.csv and record rules so only security administrators can edit them. The engine reads the true client IP — honoring X-Forwarded-For and your --proxy-mode / reverse-proxy topology so Nginx or Cloudflare in front of Odoo does not mask the real address — and resolves per-user rules over per-group rules with a configurable default-allow or default-deny posture.
Because it operates at the authentication layer rather than the routing layer, the restriction covers the web client, the login controller, and — where you require it — the XML-RPC / JSON-RPC API, so a scripted integration cannot bypass the browser rules. Every blocked attempt can be written to a log model and surfaced through an optional automated action or email alert, giving you the audit trail assessors ask for. We keep superuser and a break-glass recovery path explicit so a misconfigured range can never lock your entire company out, and we tune behavior for Community vs Enterprise (Enterprise adds features like the built-in auth_totp two-factor that this module complements rather than replaces).
Delivery is build-to-order: we start with a short scoping call, agree the exact rule model, proxy topology, and lock-out safeguards, then build against your Odoo 17.0, 18.0, or 19.0 version, validate on a staging clone with your real network ranges, and deploy with a rollback plan. Typical delivery is 2–4 weeks from confirmed scope. Pricing starts from $249 (indicative, single-company base scope); multi-company IP policies, reverse-proxy and geo-IP integrations, per-database rule sets, and deeper audit-logging requirements increase the quoted scope.
Owns ISO 27001, SOC 2 or sector mandates and needs demonstrable network-layer access control over the ERP, with an audit trail of blocked login attempts to show assessors.
Runs the Odoo instance behind Nginx/Cloudflare and wants to lock admin and finance logins to the office VPN or fixed ranges without hand-patching core or fighting proxy-header issues.
Wants assurance that sensitive accounting and payroll access can only happen from approved locations, reducing exposure from stolen credentials or off-site devices.
Maintains XML-RPC/JSON-RPC integrations and needs API service users pinned to specific server IPs so an exposed API key cannot be used from an unknown host.
| Criterion | ECOSIRE | Custom Build | Competitor | Odoo Native |
|---|---|---|---|---|
| Network-layer login control | Purpose-built per-user and per-group IP allowlists at the auth layer | Achievable but you design and maintain the whole engine | Basic IP allow/deny, often per-user only | |
| Fit to your Odoo version | Built and validated against your 17/18/19 instance | Depends on your team's Odoo depth | Generic build; may lag your version | |
| Proxy / X-Forwarded-For handling | Tuned to your Nginx/Cloudflare topology during scoping | You must get proxy-mode right yourself | Often assumes a default setup | |
| API (XML-RPC/JSON-RPC) coverage | Optional enforcement so integrations respect the rules | Possible with extra effort | Frequently web-login only | |
| Lock-out safeguards | Explicit break-glass path, tested on staging | Only if you design and test it | Rarely documented | |
| Audit logging of blocked attempts | Dedicated log model plus optional alerts | Build it yourself | Limited or absent | |
| Support & handover | Docs, training, support window, git repo handover | Internal knowledge only | Vendor ticket queue, no source ownership | |
| Total cost & risk | Fixed quote after scoping; from $249 indicative | Unbounded dev + maintenance time | Low sticker price, poor fit risk |
This is a build-to-order engagement. After a scoping call to confirm your rule model, proxy topology and lock-out safeguards, typical delivery is 2–4 weeks. We build against your exact Odoo version, validate on a staging clone with your real network ranges, then deploy with a rollback plan.
No. We build, install and support it for your environment — there is no instant download. You receive installable source code for your Odoo major version, deployed and validated by our team, with a git repository handover at the end.
Pricing starts from $249 as an indicative single-company base scope. After the scoping call we give you a fixed written quote. Drivers such as multi-company IP policies, reverse-proxy/geo-IP integrations, per-database rule sets and deeper audit-logging increase the quoted scope.
Every build includes a post-go-live support window for defect fixes and configuration help. Because the module is version-specific, moving to a newer Odoo major release (for example 18.0 to 19.0) is a separate scoped update — we hold the git history so that upgrade is straightforward to quote.
No. We design an explicit break-glass recovery path and controlled superuser handling so a misconfigured range can never lock your whole company out, and we prove the recovery procedure during UAT on staging before go-live.
Yes. The module reads the true client IP by honoring `X-Forwarded-For` and your Odoo `--proxy-mode` / reverse-proxy setup, so a front-end proxy does not mask the real source address. We confirm the exact header chain during scoping.
Yes, where you require it. Because enforcement sits at the authentication layer, we can apply the same allowlist rules to API sessions so an integration or service user is pinned to approved server IPs and cannot be used from an unknown host.
A build-to-order Odoo security module that restricts user logins to approved IP addresses and CIDR ranges. ECOSIRE scopes, builds, installs and supports it for your Odoo 17/18/19 environment — a made-to-order engagement, not an instant download.