diff --git a/addons/mail_plugin/controllers/authenticate.py b/addons/mail_plugin/controllers/authenticate.py
index 998f2689960e83a1223f1a20fb92e06d858cab96..436197cbfd710718a3b90f813dc9f5432ea3e0ed 100644
--- a/addons/mail_plugin/controllers/authenticate.py
+++ b/addons/mail_plugin/controllers/authenticate.py
@@ -11,6 +11,7 @@ import werkzeug
 
 from odoo import http
 from odoo.http import request
+from werkzeug.exceptions import NotFound
 
 _logger = logging.getLogger(__name__)
 
@@ -92,6 +93,8 @@ class Authenticate(http.Controller):
     # Using UTC explicitly in case of a distributed system where the generation and the signature verification do not
     # necessarily happen on the same server
     def _generate_auth_code(self, scope, name):
+        if not request.env.user._is_internal():
+            raise NotFound()
         auth_dict = {
             'scope': scope,
             'name': name,
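Review bot: The internal-user guard added at the top of `_generate_auth_code` lives in a private helper whose callers are outside this hunk, rather than at the route that hands the auth code to the client, so any caller that obtains a code another way would bypass it; consider asserting the same condition in the route handler as well, or documenting that every caller must go through this helper. Answering `NotFound` to what is really an authorization failure is a defensible way to keep portal and public users from probing the endpoint, but that choice should be written down next to the check: `# Only internal users may obtain a mail-plugin auth code; answer 404 rather than 403 so portal users cannot probe the endpoint`. `request.env.user` is the session user even when the environment has been sudo'd, so the check applies to the real caller; whether this helper is ever reached from a sudo'd context cannot be seen from here and is worth confirming. The body of `_generate_auth_code` continues past the hunk.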
diff --git a/addons/mail_plugin/controllers/mail_plugin.py b/addons/mail_plugin/controllers/mail_plugin.py
index 1d747cc419416dd4fd528a80e24d4911c69a60f2..d26576f13b2b63795a122442a0de2400abebcc60 100644
--- a/addons/mail_plugin/controllers/mail_plugin.py
+++ b/addons/mail_plugin/controllers/mail_plugin.py
@@ -288,9 +288,8 @@ class MailPluginController(http.Controller):
         search = self._get_iap_search_term(email)
 
         partner_iap = request.env["res.partner.iap"].sudo().search([("iap_search_domain", "=", search)], limit=1)
-
         if partner_iap:
-            return partner_iap.partner_id
+            return partner_iap.partner_id.sudo(False)
 
         return request.env["res.partner"].search([("is_company", "=", True), ("email_normalized", "=ilike", "%" + search)], limit=1)
 
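Review bot: `partner_iap.partner_id.sudo(False)` needs a why-comment, since the preceding `.sudo()` exists only so the lookup in `res.partner.iap` succeeds regardless of the caller's rights, and without dropping the flag the partner returned here would carry superuser privileges into every later field read and access check: `# drop the superuser flag: the partner must be read under the caller's own access rights`. `sudo()` keeps the request uid and only sets the superuser flag, so `sudo(False)` restores the caller's checks, which is what downstream access checks rely on. Separately, the unchanged fallback `search` interpolates `search` into an `=ilike` pattern as `"%" + search` without escaping `%` or `_`; if `_get_iap_search_term` (not visible here) passes through characters from the user-supplied email, the pattern can match unintended companies, so consider escaping those two characters or matching the extracted domain exactly. The enclosing function starts before this hunk.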
@@ -298,6 +297,12 @@ class MailPluginController(http.Controller):
         if not company:
             return {'id': -1}
 
+        try:
+            company.check_access_rights('read')
+            company.check_access_rule('read')
+        except AccessError:
+            return {'id': company.id, 'name': _('No Access')}
+
         fields_list = ['id', 'name', 'phone', 'mobile', 'email', 'website']
 
         company_values = dict((fname, company[fname]) for fname in fields_list)
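Review bot: The new `except AccessError` branch returns `company.id` to a user who has just been denied read access on that record, so the endpoint now discloses the existence and database id of a partner the caller cannot see; the accompanying test pins this, so it appears intentional (presumably so the client does not create a duplicate), but it should be an explicit, commented decision: `# Deliberately expose only the id so the client can avoid creating a duplicate; no other field is readable by this user`. The hunk uses `AccessError` and `_` yet adds no import to this module; the .pot entry shows `_` resolves, but confirm `from odoo.exceptions import AccessError` is already present, because a missing name in an except clause only surfaces as a NameError at the moment access is actually denied. `check_access_rights('read')` on `res.partner` will normally pass for internal users, so the effective filter is `check_access_rule`; stating that in a comment keeps someone from dropping it as redundant. The enclosing function begins before this hunk.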
diff --git a/addons/mail_plugin/i18n/mail_plugin.pot b/addons/mail_plugin/i18n/mail_plugin.pot
index 364220c1136d2b7bffd24f25f8ebc87e6ec19943..b4145a4546cde308412f256eeeeccbf40590fd7e 100644
--- a/addons/mail_plugin/i18n/mail_plugin.pot
+++ b/addons/mail_plugin/i18n/mail_plugin.pot
@@ -467,6 +467,12 @@ msgstr ""
 msgid "Logout"
 msgstr ""
 
+#. module: mail_plugin
+#: code:addons/mail_plugin/controllers/mail_plugin.py:0
+#, python-format
+msgid "No Access"
+msgstr ""
+
 #. module: mail_plugin
 #. openerp-web
 #: code:addons/mail_plugin/static/src/to_translate/translations_outlook.xml:0
diff --git a/addons/mail_plugin/tests/test_controller.py b/addons/mail_plugin/tests/test_controller.py
index fa788ee1a11a3d32619eee9bfdca84af7d6f5f4c..41757791f4cc516e05d0f4c5543f790cde423f57 100644
--- a/addons/mail_plugin/tests/test_controller.py
+++ b/addons/mail_plugin/tests/test_controller.py
@@ -6,6 +6,7 @@ from unittest.mock import Mock, patch
 
 from odoo.addons.iap.tools import iap_tools
 from odoo.addons.mail_plugin.tests.common import TestMailPluginControllerCommon, mock_auth_method_outlook
+from odoo.exceptions import AccessError
 
 
 class TestMailPluginController(TestMailPluginControllerCommon):
@@ -126,6 +127,39 @@ class TestMailPluginController(TestMailPluginControllerCommon):
         self.assertEqual(first_company_id, second_company_id, "Should not create a new company")
         self.assertEqual(result["partner"]["company"]["additionalInfo"]["iap_information"], "test")
 
+    def test_get_partner_no_access(self):
+        """Test the case where the partner has been enriched by someone else, but we can't access it."""
+        partner = self.env["res.partner"].create({"name": "Test", "website": "https://test.example.com"})
+        self.env["res.partner.iap"].create({
+            "partner_id": partner.id,
+            "iap_search_domain": "@test.example.com",
+        })
+
+        # sanity check, we can access the partner
+        result = self.mock_plugin_partner_get(
+            "Test", "test@test.example.com",
+            lambda _, domain: {"name": "Name", "email": "test@test.example.com"},
+        )
+        self.assertEqual(result["partner"]["company"]["website"], "https://test.example.com")
+
+        # now we can't access it
+        def _check_access_rule(record, operation, *args, **kwargs):
+            if operation == "read" and record == partner:
+                raise AccessError("No Access")
+            return True
+
+        with patch.object(type(partner), 'check_access_rule', _check_access_rule):
+            result = self.mock_plugin_partner_get(
+                "Test", "test@test.example.com",
+                lambda _, domain: {"name": "Name", "email": "test@test.example.com"},
+            )
+        self.assertEqual(result["partner"]["company"].get("id"), partner.id)
+        self.assertEqual(result["partner"]["company"].get("name"), "No Access")
+        self.assertFalse(result["partner"]["company"].get("website"))
+
+        partners = self.env["res.partner"].search([("email", "=", partner.email)])
+        self.assertEqual(partners, partner, "Should not have created a new partner")
+
     def test_get_partner_no_email_returned_by_iap(self):
         """Test the case where IAP do not return an email address.