Why Odoo Code Needs Specialized Review
Generic code review tools do not understand Odoo. They cannot tell you that your computed field creates an N+1 query pattern, that your controller bypasses access rights with sudo(), that your XML view inheritance will break on upgrade, or that your JavaScript widget does not follow the OWL component lifecycle. Odoo has its own patterns, anti-patterns, and security model that require specialized knowledge.
An AI agent trained on Odoo's codebase and best practices catches issues that generic linters miss entirely.
Security Review
1. Access Control Issues
# AI flags security vulnerabilities:
"Security Review — custom_sales module
CRITICAL: SQL injection risk
File: controllers/api.py, line 45
Code: cr.execute(f'SELECT * FROM sale_order WHERE name = \'{order_name}\'')
Fix: Use parameterized query:
cr.execute('SELECT * FROM sale_order WHERE name = %s', (order_name,))
HIGH: Unrestricted sudo() usage
File: models/sale_order.py, line 89
Code: self.sudo().write({'state': 'done'})
Issue: sudo() bypasses ALL access rights.
Context: Called from a public controller.
Fix: Use specific user context or validate permissions
before sudo().
MEDIUM: Missing access rights check
File: controllers/export.py, line 23
Code: records = request.env['hr.employee'].search([])
Issue: No check_access_rights() before search.
User with portal access could read all employees.
Fix: Add explicit access check or use request.env.user."

2. Data Exposure Risks
# AI detects data leaks:
"Data Exposure Review:
WARNING: Sensitive field in API response
File: controllers/api.py, line 67
Code: partner.read(['name', 'email', 'bank_ids', 'credit_limit', 'property_payment_term_id'])
Issue: bank_ids exposes customer bank accounts
in public API response.
Fix: Remove bank_ids from field list.
WARNING: Unfiltered search in portal view
File: controllers/portal.py, line 34
Issue: Portal user can search all res.partner records
without company or customer-specific filtering.
Fix: Add domain filter for current user's company."

Performance Review
3. ORM Anti-Patterns
# AI identifies performance issues:
"Performance Review — custom_inventory module
SLOW: N+1 query pattern
File: models/stock_report.py, line 56
Code:
    for move in stock_moves:  # 500+ records
        product = move.product_id  # query per iteration
        category = product.categ_id  # another query
Fix: Prefetch with read() or mapped():
    stock_moves.mapped('product_id.categ_id')
SLOW: Unbounded search
File: models/analytics.py, line 23
Code: self.env['sale.order.line'].search([])
Issue: No limit, no domain. Loads ALL sale order lines.
Will timeout on databases with 100K+ lines.
Fix: Add appropriate domain and limit.
SLOW: Computed field without store=True
File: models/product_ext.py, line 34
Field: total_sold (sum of all sale order lines)
Issue: Recomputed on every access. With 10K products
on a list view, this means 10K aggregate queries.
Fix: Add store=True with proper depends."

Code Quality Checks
| Category | Checks Performed | Issues Found |
|---|---|---|
| Security | SQL injection, sudo abuse, access rights | 3 |
| Performance | N+1 queries, unbounded search, missing indexes | 7 |
| ORM patterns | Deprecated APIs, wrong field types, compute errors | 5 |
| View quality | Inheritance safety, XPath accuracy, widget usage | 4 |
| Testing | Test coverage, missing edge cases, fragile tests | 6 |
| Style | Naming conventions, docstrings, code organization | 12 |
Odoo-Specific Best Practices
# AI enforces Odoo conventions:
"Best Practice Violations:
1. Model naming: 'SaleOrderExtension' should be
'SaleOrder' inheriting 'sale.order' (not new model)
2. Field naming: 'customerName' should be 'customer_name'
(Odoo uses snake_case for fields)
3. Compute method: '_get_total' should be '_compute_total'
(Odoo convention: _compute_ prefix)
4. Onchange: Using @api.onchange for validation.
Use @api.constrains instead for data integrity.
5. Data files: XML ID 'sale_order_view_1' is not descriptive.
Use 'view_sale_order_form_custom_discount'
6. Module structure: Controllers in models/ directory.
Move to controllers/ directory."

Automated Fix Suggestions
The AI agent does not just identify problems — it provides exact fix code for each issue. Security vulnerabilities come with corrected parameterized queries. Performance anti-patterns come with optimized implementations. Style violations come with reformatted code. Developers review the suggestions and apply them with minimal effort.
Pre-Commit Integration
The AI code review can run as a pre-commit hook or CI pipeline step, catching issues before they merge into the main branch. Every pull request gets an automated review focused on Odoo-specific concerns that human reviewers and generic linters would miss.
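As an added example (not DeployMonkey's code and not from the page), a small AST-based check of the kind a pre-commit hook could run over a custom module: it flags the three patterns from the security and performance reviews above (SQL built by string interpolation, sudo() reachable from an auth='public' route, and search([]) with no domain and no limit). The SAMPLE module and the severity labels are constructed for illustration; the check only inspects call shapes, so it is a linter, not a substitute for the full review.

```python
import ast
# Constructed sample module standing in for reviewed custom code (not the page's or any project's code).
SAMPLE = '''
from odoo import http
from odoo.http import request
class Api(http.Controller):
    @http.route('/api/order', auth='public')
    def order(self, order_name):
        request.env.cr.execute(f"SELECT * FROM sale_order WHERE name = '{order_name}'")
        request.env['sale.order'].sudo().write({'state': 'done'})
        return request.env['sale.order.line'].search([])
    @http.route('/api/mine', auth='user')
    def mine(self, order_name):
        request.env.cr.execute("SELECT * FROM sale_order WHERE name = %s", (order_name,))
        return request.env['sale.order.line'].search([('order_id.user_id', '=', 1)], limit=80)
'''

def _interpolated(node):
    # f-string, str.format() or % formatting: SQL text assembled from runtime values
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.Call) and getattr(node.func, 'attr', None) == 'format')
            or (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod)))

def _route_auth(func):
    # auth= value of an @http.route decorator, None when the function is not a route
    for dec in func.decorator_list:
        if isinstance(dec, ast.Call) and getattr(dec.func, 'attr', None) == 'route':
            for kw in dec.keywords:
                if kw.arg == 'auth' and isinstance(kw.value, ast.Constant):
                    return kw.value.value
    return None

def review(source):
    # returns (severity, line, message) findings sorted by line
    findings = []
    for func in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        public = _route_auth(func) == 'public'
        calls = [n for n in ast.walk(func)
                 if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)]
        for node in calls:
            attr, line = node.func.attr, node.lineno
            if attr == 'execute' and node.args and _interpolated(node.args[0]):
                findings.append(('CRITICAL', line, 'SQL built by string interpolation; pass values as %s parameters'))
            elif attr == 'sudo' and public:
                findings.append(('HIGH', line, 'sudo() reachable from an auth="public" route'))
            elif attr == 'search' and node.args:
                empty = isinstance(node.args[0], ast.List) and not node.args[0].elts
                if empty and not any(kw.arg == 'limit' for kw in node.keywords):
                    findings.append(('SLOW', line, 'search([]) with no domain and no limit'))
    return sorted(findings, key=lambda f: f[1])
```

Running review(SAMPLE) reports the three findings in the public route and nothing for the parameterized, bounded query in the auth='user' route.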
DeployMonkey AI Code Review
DeployMonkey's AI agent reviews your Odoo custom module code for security vulnerabilities, performance anti-patterns, ORM best practice violations, and code quality issues. Catch problems before they reach production — with fix suggestions included.