fix(spp_api_v2_gis): add sudo() to geofence router and harden error responses

- Add sudo() to all geofence model access calls (5 places) to fix 403
  errors when API runs as public user
- Replace str(e) in 500 error handlers with generic messages across
  geofence, spatial_query, proximity, and statistics routers to prevent
  leaking Odoo internals
- Add statistics:read scope to statistics router for consistency with
  spatial_query and proximity routers
- Fix Odoo False -> None conversion for geofence description field

Author: emjay0921

spp_api_v2_gis/routers/geofence.py

@@ -60,7 +60,8 @@ async def create_geofence(
         )
 
     # Get the geofence model
-    geofence_model = env["spp.gis.geofence"]
+    # nosemgrep: odoo-sudo-without-context
+    geofence_model = env["spp.gis.geofence"].sudo()
 
     # Prepare kwargs for optional fields
     kwargs = {}
@@ -70,7 +71,8 @@ async def create_geofence(
     # Handle incident_code if provided
     if request.incident_code:
         # Find incident by code (external ID)
-        incident = env["spp.hazard.incident"].search([("code", "=", request.incident_code)], limit=1)
+        # nosemgrep: odoo-sudo-without-context
+        incident = env["spp.hazard.incident"].sudo().search([("code", "=", request.incident_code)], limit=1)
         if not incident:
             raise HTTPException(
                 status_code=status.HTTP_404_NOT_FOUND,
@@ -98,7 +100,7 @@ async def create_geofence(
         return GeofenceResponse(
             id=geofence.id,
             name=geofence.name,
-            description=geofence.description,
+            description=geofence.description or None,
             geofence_type=geofence.geofence_type,
             area_sqkm=geofence.area_sqkm,
             active=geofence.active,
@@ -115,7 +117,7 @@ async def create_geofence(
         _logger.exception("Error creating geofence")
         raise HTTPException(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail=f"Failed to create geofence: {str(e)}",
+            detail="Failed to create geofence",
         ) from e
 
 
@@ -171,7 +173,8 @@ async def list_geofences(
         domain.append(("active", "=", True))
 
     # Get geofence model
-    geofence_model = env["spp.gis.geofence"]
+    # nosemgrep: odoo-sudo-without-context
+    geofence_model = env["spp.gis.geofence"].sudo()
 
     # Get total count
     total = geofence_model.search_count(domain)
@@ -232,7 +235,8 @@ async def get_geofence(
         )
 
     # Get geofence model
-    geofence_model = env["spp.gis.geofence"]
+    # nosemgrep: odoo-sudo-without-context
+    geofence_model = env["spp.gis.geofence"].sudo()
 
     # Search for geofence
     geofence = geofence_model.browse(geofence_id)
@@ -250,7 +254,7 @@ async def get_geofence(
         _logger.exception("Error converting geofence to GeoJSON")
         raise HTTPException(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail=f"Failed to convert geofence to GeoJSON: {str(e)}",
+            detail="Failed to retrieve geofence data",
         ) from e
 
 
@@ -285,7 +289,8 @@ async def delete_geofence(
         )
 
     # Get geofence model
-    geofence_model = env["spp.gis.geofence"]
+    # nosemgrep: odoo-sudo-without-context
+    geofence_model = env["spp.gis.geofence"].sudo()
 
     # Search for geofence
     geofence = geofence_model.browse(geofence_id)
@@ -303,5 +308,5 @@ async def delete_geofence(
         _logger.exception("Error archiving geofence")
         raise HTTPException(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail=f"Failed to archive geofence: {str(e)}",
+            detail="Failed to archive geofence",
         ) from e

spp_api_v2_gis/routers/proximity.py

@@ -73,9 +73,9 @@ async def query_proximity(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail=str(e),
         ) from None
-    except Exception as e:
+    except Exception:
         _logger.exception("Proximity query failed")
         raise HTTPException(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail=f"Proximity query failed: {str(e)}",
+            detail="Proximity query failed",
         ) from None

spp_api_v2_gis/routers/spatial_query.py

@@ -80,7 +80,7 @@ async def query_statistics(
         _logger.exception("Spatial query failed")
         raise HTTPException(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail=f"Spatial query failed: {str(e)}",
+            detail="Spatial query failed",
         ) from e
 
 
@@ -129,9 +129,9 @@ async def query_statistics_batch(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail=str(e),
         ) from None
-    except Exception as e:
+    except Exception:
         _logger.exception("Batch spatial query failed")
         raise HTTPException(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail=f"Batch spatial query failed: {str(e)}",
+            detail="Batch spatial query failed",
         ) from None

spp_api_v2_gis/routers/statistics.py

@@ -38,10 +38,10 @@ async def list_statistics(
     for spatial queries and map visualization.
     """
     # Check read scope
-    if not api_client.has_scope("gis", "read"):
+    if not (api_client.has_scope("gis", "read") or api_client.has_scope("statistics", "read")):
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
-            detail="Client does not have gis:read scope",
+            detail="Client does not have gis:read or statistics:read scope",
         )
 
     try:
@@ -84,9 +84,9 @@ async def list_statistics(
             total_count=total_count,
         )
 
-    except Exception as e:
+    except Exception:
         _logger.exception("Failed to list statistics")
         raise HTTPException(
             status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail=f"Failed to list statistics: {str(e)}",
+            detail="Failed to list statistics",
         ) from None