Here's a breakdown of how to use controllers in Odoo to handle web requests. This covers the basics, including different authentication levels and how to handle various HTTP request types.

In Odoo, controllers define HTTP endpoints that respond to web requests, acting as the bridge between the outside world and Odoo's backend. They are crucial for tasks such as rendering web pages, exposing data via JSON, and handling form submissions.

from odoo import http 

class MyController(http.Controller):
​​@http.route('/hello', auth='public')
  ​def hello(self):
​ ​return "Hello, World!" 

• @http.route() - Decorator defining the URL and behavior.
• auth='public' -  Anyone can access without logging in.

The method returns an HTTP response (text, HTML, JSON, etc.).

Parameters in @http.route()

• route (str or list) - URL path(s). Can include wildcards (e.g., '/product/').
• type (str): Response format ("http" for HTML/text, "json").
• auth (str): Authentication level ("public", "user", "none"). 
• methods (list): Allowed HTTP methods (default is `['GET']`). 
• csrf (bool): Enables/disables CSRF protection (default is `True`). 
• website (bool): Integrates with the Odoo Website app.

 Access Control with 'auth'

• public -  Open access. 
• user - Requires Odoo login.
• none - No authentication (use cautiously for public APIs).

Wildcards & Dynamic Routes

@http.route('/product/', auth='public')
def product_page(self, product_id):
​return f"Product ID: {product_id}"

captures a number from the URL and passes it to the method.

Returning Different Response Types

HTML/Template: 

from odoo.http import request

@http.route('/about', type='http', auth='public', website=True)
def about_page(self):
​return request.render('my_module.about_template', {
​ ​'company': request.env.company.name
​})

JSON:

@http.route('/api/data', type='json', auth='user')
def api_data(self):
​return {"status": "ok", "data": [1, 2, 3]}

Binary File Download:

@http.route('/download/report', type='http', auth='user')
def download_report(self):
​pdf_data = b'%PDF-...' # Your PDF bytes
  ​return request.make_response(pdf_data, [
​ ​('Content-Type', 'application/pdf'),
  ​ ​('Content-Disposition', 'attachment; filename="report.pdf"')
​])

Handling GET and POST Requests

Here’s a detailed explanation of the common HTTP request methods you can handle in Odoo controllers, with short descriptions and snippets for each:

GET - Used to retrieve data or render pages. Parameters are sent via URL query strings.

@http.route('/get_example', type='http', auth='public', methods=['GET'])
def get_example(self, **params):
​name = params.get('name')
  ​return f"Hello, {name}"

POST - Used to submit data, usually from forms or API clients. Data is available in post.

@http.route('/post_example', type='http', auth='public', methods=['POST'], csrf=True)
def post_example(self, **post):
​data = post.get('data')
  ​return f"Received: {data}"

 CSRF Protection - Enabled by default for POST requests.

Use csrf=True for forms and internal AJAX to prevent CSRF attacks
Set csrf=False for public APIs or when the request comes from an external source that cannot send a CSRF token(but understand the security implications).

Website-Specific Controllers

If website=True, the route is integrated with the Odoo Website. These routes are automatically added to the sitemap and can be linked to menu items.

@http.route('/shop/products', type='http', auth='public', website=True)
def shop_products(self):
​products = request.env['product.template'].sudo().search([])
  ​return request.render('my_module.products_page', {'products': products})