From debc516c47b522bd9b4b9fef365ad11462916174 Mon Sep 17 00:00:00 2001
From: Nicolas Martinelli <nim@odoo.com>
Date: Thu, 7 Nov 2019 08:08:07 +0000
Subject: [PATCH] [FIX] website: access website in multi-company

- Create 2 companies A & B
- Create a website A
- Create a user U with access to company B only
- Connect as U and go to the website

An internal server error is raised.

This is due to 7bfcb53db37f385a99, which verifies that the user is not
granted access to companies he is not supposed to access.

This is exactly what was done before this commit: the website is in a
company not allowed to the user.

opw-2116539

closes odoo/odoo#39921

Signed-off-by: Nicolas Martinelli (nim) <nim@odoo.com>
---
 addons/website/models/ir_http.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/addons/website/models/ir_http.py b/addons/website/models/ir_http.py
index c7b2dbc62aed..aad6cf6fabcb 100644
--- a/addons/website/models/ir_http.py
+++ b/addons/website/models/ir_http.py
@@ -193,7 +193,12 @@ class Http(models.AbstractModel):
         context['website_id'] = request.website.id
         # This is mainly to avoid access errors in website controllers where there is no
         # context (eg: /shop), and it's not going to propagate to the global context of the tab
-        context['allowed_company_ids'] = [request.website.company_id.id]
+        # If the company of the website is not in the allowed companies of the user, set the main
+        # company of the user.
+        if request.website.company_id in request.env.user.company_ids:
+            context['allowed_company_ids'] = request.website.company_id.ids
+        else:
+            context['allowed_company_ids'] = request.env.user.company_id.ids
 
         # modify bound context
         request.context = dict(request.context, **context)
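Review bot: The `else` branch gives up the purpose stated in the comment above it, because with the user's own company in `allowed_company_ids` the website's company is no longer in the context, and the new comment does not say that this is deliberate. It would help to record the invariant next to the check, e.g. `# allowed_company_ids must stay within request.env.user.company_ids (enforced since 7bfcb53db37f385a99); never widen it to the website's company.` In that fallback, controllers reading records of the website's company presumably hit access errors or get empty results later rather than at this point, which is the safe outcome but deserves a sentence and a regression test for the scenario in the commit message; the diffstat shows only `ir_http.py` changed. The enclosing method starts and ends outside the hunk.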
-- 
GitLab