merge: resolve conflicts with 19.0 — bump spp_change_request_v2 to 19.0.2.0.6

Stacked HISTORY entry (#920 round-2 view fix) on top of main's 19.0.2.0.5
security fix (OP#989). README.rst + static/description/index.html updated
to match HISTORY.md ordering.

Author: emjay0921

spp_area/README.rst

@@ -140,6 +140,17 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): add a global ``ir.rule`` on ``res.partner`` that
+  filters registrants by ``area_id`` for users with ``center_area_ids``
+  set (OP#989). Replaces the limited ``search_read`` /
+  ``web_search_read`` override in ``models/registrant.py`` which missed
+  ``name_search`` (Many2one dropdowns), ``search_count``,
+  ``read_group``, and related-field traversal. The rule's conditional
+  domain is a no-op for users without center areas (global roles).
+
 19.0.2.0.0
 ~~~~~~~~~~
 

spp_area/__manifest__.py

@@ -6,7 +6,7 @@
     "name": "OpenSPP Area Management",
     "summary": "Establishes direct associations between OpenSPP registrants, beneficiary groups, and their corresponding geographical administrative areas. It validates registrant-area linkages against official area types, ensuring data integrity and enabling targeted program delivery and analysis.",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -33,6 +33,7 @@
         "security/privileges.xml",
         "security/groups.xml",
         "security/ir.model.access.csv",
+        "security/rules.xml",
         "wizard/area_import_language_wizard_views.xml",
         "views/area_base.xml",
         "views/area_tag.xml",

spp_area/readme/HISTORY.md

@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): add a global `ir.rule` on `res.partner` that filters registrants by `area_id` for users with `center_area_ids` set (OP#989). Replaces the limited `search_read` / `web_search_read` override in `models/registrant.py` which missed `name_search` (Many2one dropdowns), `search_count`, `read_group`, and related-field traversal. The rule's conditional domain is a no-op for users without center areas (global roles).
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2

spp_area/security/rules.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Area-based row-level filtering for registrants (OP#989).
+
+Replaces / strengthens the `_prepare_domain` override in models/registrant.py
+which only catches `search_read` / `web_search_read`. An ir.rule applies to
+every ORM read path automatically: `search`, `search_count`, `read_group`,
+`name_search` (Many2one dropdowns), `read`, and related-field traversal.
+
+The rule is scoped to `is_registrant = True` only — non-registrant contacts
+(users' own partners, admins, companies, system bots, mail followers) must
+remain readable, otherwise every record using `message_partner_ids` /
+`message_follower_ids` blows up for local users with `center_area_ids`.
+
+The conditional domain makes the rule a no-op for users without
+`center_area_ids` (global roles).
+-->
+<odoo noupdate="1">
+    <record id="rule_res_partner_area_filter" model="ir.rule">
+        <field name="name">Registrants: visible only within user's center areas</field>
+        <field name="model_id" ref="base.model_res_partner" />
+        <field
+            name="domain_force"
+        >['|', ('is_registrant', '=', False), ('area_id', 'child_of', user.center_area_ids.ids)] if user.center_area_ids else []</field>
+        <field name="global" eval="True" />
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+</odoo>

spp_area/static/description/index.html

@@ -537,6 +537,18 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): add a global <tt class="docutils literal">ir.rule</tt> on <tt class="docutils literal">res.partner</tt> that
+filters registrants by <tt class="docutils literal">area_id</tt> for users with <tt class="docutils literal">center_area_ids</tt>
+set (OP#989). Replaces the limited <tt class="docutils literal">search_read</tt> /
+<tt class="docutils literal">web_search_read</tt> override in <tt class="docutils literal">models/registrant.py</tt> which missed
+<tt class="docutils literal">name_search</tt> (Many2one dropdowns), <tt class="docutils literal">search_count</tt>,
+<tt class="docutils literal">read_group</tt>, and related-field traversal. The rule’s conditional
+domain is a no-op for users without center areas (global roles).</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>

spp_change_request_v2/README.rst

@@ -853,7 +853,7 @@ Before declaring a new CR type complete:
 Changelog
 =========
 
-19.0.2.0.4
+19.0.2.0.6
 ~~~~~~~~~~
 
 - fix(views): route post-submit CRs (pending / approved / applied /
@@ -867,6 +867,18 @@ Changelog
   and wires ``action="action_open_stage_form" type="object"`` on the CR
   list so row-click goes through the stage router.
 
+19.0.2.0.5
+~~~~~~~~~~
+
+- fix(security): add a global ``ir.rule`` on ``spp.change.request`` that
+  filters by ``registrant_id.area_id`` against the user's
+  ``center_area_ids`` (OP#989 round-2). The earlier ``_prepare_domain``
+  override only caught ``search_read`` / ``web_search_read`` and missed
+  the registrant Many2one picker (which uses ``name_search`` →
+  ``_search``), so users could still select out-of-area registrants. The
+  conditional domain is a no-op for users with no center areas (global
+  roles).
+
 19.0.2.0.3
 ~~~~~~~~~~
 

spp_change_request_v2/__manifest__.py

@@ -1,6 +1,6 @@
 {
     "name": "OpenSPP Change Request V2",
-    "version": "19.0.2.0.4",
+    "version": "19.0.2.0.6",
     "sequence": 50,
     "category": "OpenSPP",
     "summary": "Configuration-driven change request system with UX improvements, conflict detection and duplicate prevention",
@@ -13,6 +13,7 @@
         "mail",
         "spp_base_common",
         "spp_registry",
+        "spp_area",
         "spp_security",
         "spp_approval",
         "spp_event_data",
@@ -24,6 +25,7 @@
         "security/privileges.xml",
         "security/groups.xml",
         "security/rules.xml",
+        "security/area_filter_rules.xml",
         "security/ir.model.access.csv",
         # Views (loaded before data that references them)
         "views/dms_file_views.xml",

spp_change_request_v2/readme/HISTORY.md

@@ -1,7 +1,11 @@
-### 19.0.2.0.4
+### 19.0.2.0.6
 
 - fix(views): route post-submit CRs (pending / approved / applied / rejected) through the stage review form when opened from the list, matching the Edit Details → Upload Documents → Review & Submit breadcrumb workflow used for fresh CRs (#920 round-2). Demo-generated CRs in "Applied" state previously landed on the legacy main form view from the list — now they open in `spp_change_request_review_form` like manually-created CRs. Adds the missing `_action_open_review_form` / `_action_open_documents_form` helpers and wires `action="action_open_stage_form" type="object"` on the CR list so row-click goes through the stage router.
 
+### 19.0.2.0.5
+
+- fix(security): add a global `ir.rule` on `spp.change.request` that filters by `registrant_id.area_id` against the user's `center_area_ids` (OP#989 round-2). The earlier `_prepare_domain` override only caught `search_read` / `web_search_read` and missed the registrant Many2one picker (which uses `name_search` → `_search`), so users could still select out-of-area registrants. The conditional domain is a no-op for users with no center areas (global roles).
+
 ### 19.0.2.0.3
 
 - fix: add HTML escaping to all computed Html fields with `sanitize=False` to prevent stored XSS (#50)

spp_change_request_v2/security/area_filter_rules.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Area-based row-level filtering for change requests (OP#989).
+
+QA round 1 surfaced that the original `_prepare_domain` override on
+`spp.change.request` only caught `search_read` / `web_search_read`. The
+registrant picker on the CR form (a Many2one widget) calls `name_search` ->
+`_search` and bypasses the override. An ir.rule applies to every ORM read
+path automatically, including `name_search`, `search_count`, `read_group`,
+and related-field traversal.
+
+Mirrors the conditional domain pattern from `spp_area/security/rules.xml`
+so users without `center_area_ids` (global roles) are unaffected. The
+module now depends on `spp_area` directly so `user.center_area_ids`
+can be referenced without defensive guards.
+-->
+<odoo noupdate="1">
+    <record id="rule_spp_change_request_area_filter" model="ir.rule">
+        <field
+            name="name"
+        >Change Request: visible only within user's center areas</field>
+        <field name="model_id" ref="model_spp_change_request" />
+        <field
+            name="domain_force"
+        >[('registrant_id.area_id', 'child_of', user.center_area_ids.ids)] if user.center_area_ids else []</field>
+        <field name="global" eval="True" />
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+</odoo>

spp_change_request_v2/static/description/index.html

@@ -1339,7 +1339,7 @@ <h2>Changelog</h2>
 </div>
 </div>
 <div class="section" id="section-1">
-<h1>19.0.2.0.4</h1>
+<h1>19.0.2.0.6</h1>
 <ul class="simple">
 <li>fix(views): route post-submit CRs (pending / approved / applied /
 rejected) through the stage review form when opened from the list,
@@ -1353,6 +1353,19 @@ <h1>19.0.2.0.4</h1>
 list so row-click goes through the stage router.</li>
 </ul>
 </div>
+<div class="section" id="section-1-5">
+<h1>19.0.2.0.5</h1>
+<ul class="simple">
+<li>fix(security): add a global <tt class="docutils literal">ir.rule</tt> on <tt class="docutils literal">spp.change.request</tt> that
+filters by <tt class="docutils literal">registrant_id.area_id</tt> against the user’s
+<tt class="docutils literal">center_area_ids</tt> (OP#989 round-2). The earlier <tt class="docutils literal">_prepare_domain</tt>
+override only caught <tt class="docutils literal">search_read</tt> / <tt class="docutils literal">web_search_read</tt> and missed
+the registrant Many2one picker (which uses <tt class="docutils literal">name_search</tt> →
+<tt class="docutils literal">_search</tt>), so users could still select out-of-area registrants. The
+conditional domain is a no-op for users with no center areas (global
+roles).</li>
+</ul>
+</div>
 <div class="section" id="section-2">
 <h1>19.0.2.0.3</h1>
 <ul class="simple">