chore: regenerate spp_base_common + spp_security READMEs (OP#951)

Author: emjay0921

spp_base_common/README.rst

@@ -120,6 +120,21 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): add ``groups="base.group_system"`` to the existing
+  ``<menuitem id="base.menu_management" />`` override in
+  ``views/main_view.xml``. Out of the box the Apps top-level menu has no
+  group restriction and is visible to every logged-in user, violating
+  the OP#951 audit's ``Apps: no`` rows. The override here is the single
+  authoritative declaration for this menu's attributes in the OpenSPP
+  install (sequence, custom OpenSPP icon, and now group_ids); doing the
+  gating anywhere upstream (e.g. a ``post_init_hook`` in
+  ``spp_security``) is unreliable because this ``<menuitem>`` reload
+  re-writes the record without a ``groups`` attribute and resets
+  ``group_ids`` to empty.
+
 19.0.2.0.0
 ~~~~~~~~~~
 

spp_base_common/static/description/index.html

@@ -495,6 +495,22 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): add <tt class="docutils literal"><span class="pre">groups=&quot;base.group_system&quot;</span></tt> to the existing
+<tt class="docutils literal">&lt;menuitem <span class="pre">id=&quot;base.menu_management&quot;</span> /&gt;</tt> override in
+<tt class="docutils literal">views/main_view.xml</tt>. Out of the box the Apps top-level menu has no
+group restriction and is visible to every logged-in user, violating
+the OP#951 audit’s <tt class="docutils literal">Apps: no</tt> rows. The override here is the single
+authoritative declaration for this menu’s attributes in the OpenSPP
+install (sequence, custom OpenSPP icon, and now group_ids); doing the
+gating anywhere upstream (e.g. a <tt class="docutils literal">post_init_hook</tt> in
+<tt class="docutils literal">spp_security</tt>) is unreliable because this <tt class="docutils literal">&lt;menuitem&gt;</tt> reload
+re-writes the record without a <tt class="docutils literal">groups</tt> attribute and resets
+<tt class="docutils literal">group_ids</tt> to empty.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>

spp_security/README.rst

@@ -140,17 +140,6 @@ Dependencies
 Changelog
 =========
 
-19.0.2.0.1
-~~~~~~~~~~
-
-- fix(security): gate the Odoo-stock **Apps** top-level menu
-  (``base.menu_management``) on ``base.group_system``. Out of the box
-  the menu had no ``groups`` restriction and was visible to every
-  logged-in user, so the OP#951 audit's ``Apps: no`` rows were silently
-  violated. System Admin is the only OpenSPP role that pulls in
-  ``base.group_system``, so this single override hides Apps from every
-  other role without touching any individual role definition.
-
 19.0.2.0.0
 ~~~~~~~~~~
 

spp_security/static/description/index.html

@@ -496,18 +496,6 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
-<h1>19.0.2.0.1</h1>
-<ul class="simple">
-<li>fix(security): gate the Odoo-stock <strong>Apps</strong> top-level menu
-(<tt class="docutils literal">base.menu_management</tt>) on <tt class="docutils literal">base.group_system</tt>. Out of the box
-the menu had no <tt class="docutils literal">groups</tt> restriction and was visible to every
-logged-in user, so the OP#951 audit’s <tt class="docutils literal">Apps: no</tt> rows were silently
-violated. System Admin is the only OpenSPP role that pulls in
-<tt class="docutils literal">base.group_system</tt>, so this single override hides Apps from every
-other role without touching any individual role definition.</li>
-</ul>
-</div>
-<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>