fix(lint): annotate justified sudo() calls and fix ruff-format

gonzalesedwin1123 · gonzalesedwin1123 · commit 83cd1d685ace · 2026-03-05T15:47:03.000+08:00
Add nosemgrep annotations for legitimate sudo() usage in non-demo
modules (sequence generation, SLA breach handling, mail templates,
portal ticket creation, CEL rule counters). Fix redirect nosemgrep
prefix and ruff-format in generate_cases.py.
diff --git a/spp_case_base/models/case.py b/spp_case_base/models/case.py
@@ -277,6 +277,7 @@ class Case(models.Model):
     @api.model
     def _get_next_case_number(self):
         """Generate next case number."""
+        # nosemgrep: semgrep.odoo-sudo-without-context -- sequence generation requires sudo
         sequence = self.env["ir.sequence"].sudo()
         # Try to get existing sequence, create if doesn't exist
         seq = sequence.search([("code", "=", "spp.case")], limit=1)
diff --git a/spp_case_cel/models/case_assignment_rule.py b/spp_case_cel/models/case_assignment_rule.py
@@ -244,6 +244,7 @@ def apply_assignment(self, case):
                         vals,
                     )
 
+                # nosemgrep: semgrep.odoo-sudo-without-context -- counter update needs sudo
                 rule.sudo().write({"match_count": rule.match_count + 1})
                 return True
 
diff --git a/spp_case_cel/models/case_triage_rule.py b/spp_case_cel/models/case_triage_rule.py
@@ -234,6 +234,7 @@ def apply_triage(self, case):
                 if rule.add_vulnerability_ids:
                     case.write({"vulnerability_ids": [(4, v.id) for v in rule.add_vulnerability_ids]})
 
+                # nosemgrep: semgrep.odoo-sudo-without-context -- counter update needs sudo
                 rule.sudo().write({"match_count": rule.match_count + 1})
                 return True
 
diff --git a/spp_case_demo/models/generate_cases.py b/spp_case_demo/models/generate_cases.py
@@ -218,7 +218,8 @@ def _process_case_journey(self, case, journey, fake):
             action_date = fields.Date.today() - timedelta(days=days_back)
 
             if action == "create_plan":
-                current_plan = Plan.sudo().create(                    {
+                current_plan = Plan.sudo().create(
+                    {
                         "case_id": case.id,
                         "name": step.get("plan_name", f"Plan for {case.partner_id.name}"),
                         "is_current": True,
@@ -229,7 +230,8 @@ def _process_case_journey(self, case, journey, fake):
                 )
 
             elif action == "add_intervention" and current_plan:
-                Intervention.sudo().create(                    {
+                Intervention.sudo().create(
+                    {
                         "plan_id": current_plan.id,
                         "name": step.get("intervention", "Intervention"),
                         "description": fake.sentence(),
@@ -250,7 +252,8 @@ def _process_case_journey(self, case, journey, fake):
                     intervention.sudo().write({"state": "completed"})
             elif action in ("home_visit", "office_visit", "final_visit"):
                 visit_type = "home" if action != "office_visit" else "office"
-                Visit.sudo().create(                    {
+                Visit.sudo().create(
+                    {
                         "case_id": case.id,
                         "visit_type": visit_type,
                         "purpose": step.get("purpose", "Check-in visit"),
@@ -260,7 +263,8 @@ def _process_case_journey(self, case, journey, fake):
                 )
 
             elif action == "progress_note":
-                Note.sudo().create(                    {
+                Note.sudo().create(
+                    {
                         "case_id": case.id,
                         "note_type": "progress",
                         "content": step.get("note", fake.paragraph()),
@@ -269,7 +273,8 @@ def _process_case_journey(self, case, journey, fake):
                 )
 
             elif action in ("assessment", "emergency_assessment", "safety_assessment"):
-                Note.sudo().create(                    {
+                Note.sudo().create(
+                    {
                         "case_id": case.id,
                         "note_type": "assessment",
                         "content": step.get(
@@ -282,7 +287,8 @@ def _process_case_journey(self, case, journey, fake):
             elif action == "add_referral":
                 service = self._get_or_create_service(step.get("service", "External Service"))
                 if service:
-                    Referral.sudo().create(                        {
+                    Referral.sudo().create(
+                        {
                             "case_id": case.id,
                             "service_id": service.id,
                             "referral_reason": step.get("reason", "Service needed"),
@@ -299,13 +305,15 @@ def _process_case_journey(self, case, journey, fake):
                     limit=1,
                 )
                 if closure_stage:
-                    case.sudo().write(                        {
+                    case.sudo().write(
+                        {
                             "stage_id": closure_stage.id,
                             "actual_closure_date": action_date,
                         }
                     )
                 if current_plan:
                     current_plan.sudo().write({"state": "completed"})
+
     def _create_random_case(self, fake, beneficiaries):
         """Create a random case with realistic data."""
         # Random date within range
@@ -370,7 +378,8 @@ def _add_random_plan(self, case, fake, intake_date):
         Plan = self.env["spp.case.intervention.plan"]
         Intervention = self.env["spp.case.intervention"]
 
-        plan = Plan.sudo().create(            {
+        plan = Plan.sudo().create(
+            {
                 "case_id": case.id,
                 "name": f"Support Plan - {case.partner_id.name or 'Client'}",
                 "is_current": True,
@@ -391,7 +400,8 @@ def _add_random_plan(self, case, fake, intake_date):
         ]
 
         for _i in range(random.randint(2, 4)):
-            Intervention.sudo().create(                {
+            Intervention.sudo().create(
+                {
                     "plan_id": plan.id,
                     "name": random.choice(intervention_names),
                     "description": fake.sentence(),
@@ -406,7 +416,8 @@ def _add_random_visits(self, case, fake, intake_date):
 
         for _i in range(random.randint(1, 3)):
             visit_date = intake_date + timedelta(days=random.randint(5, 60))
-            Visit.sudo().create(                {
+            Visit.sudo().create(
+                {
                     "case_id": case.id,
                     "visit_type": random.choice(["home", "office", "phone", "virtual"]),
                     "purpose": fake.sentence(nb_words=5),
@@ -421,7 +432,8 @@ def _add_random_notes(self, case, fake, intake_date):
 
         for _i in range(random.randint(1, 4)):
             note_date = intake_date + timedelta(days=random.randint(1, 60))
-            Note.sudo().create(                {
+            Note.sudo().create(
+                {
                     "case_id": case.id,
                     "note_type": random.choice(["progress", "assessment", "general", "supervision"]),
                     "content": fake.paragraph(nb_sentences=random.randint(2, 5)),
@@ -440,7 +452,8 @@ def _close_random_case(self, case, fake, intake_date):
 
         if closure_stage:
             closure_date = intake_date + timedelta(days=random.randint(30, 90))
-            case.sudo().write(                {
+            case.sudo().write(
+                {
                     "stage_id": closure_stage.id,
                     "actual_closure_date": closure_date,
                 }
@@ -472,7 +485,8 @@ def _get_or_create_case_type(self, type_name):
         CaseType = self.env["spp.case.type"]
         case_type = CaseType.search([("name", "=", type_name)], limit=1)
         if not case_type:
-            case_type = CaseType.sudo().create(                {
+            case_type = CaseType.sudo().create(
+                {
                     "name": type_name,
                     "code": type_name.upper().replace(" ", "_")[:10],
                 }
@@ -528,7 +542,8 @@ def _get_or_create_service(self, service_name):
         Service = self.env["spp.service"]
         service = Service.search([("name", "=", service_name)], limit=1)
         if not service:
-            service = Service.sudo().create(                {
+            service = Service.sudo().create(
+                {
                     "name": service_name,
                     "service_type": "external",
                 }
diff --git a/spp_grm/controllers/grm_portal.py b/spp_grm/controllers/grm_portal.py
@@ -47,12 +47,10 @@ def portal_ticket_submit(self, **kw):
             "channel_id": request.env.ref("spp_grm.grm_ticket_channel_web").id,
             "partner_id": partner.id,
         }
+        # nosemgrep: semgrep.odoo-sudo-without-context -- portal users need sudo to create tickets
         ticket = request.env["spp.grm.ticket"].sudo().create(vals)
 
         ticket.send_ticket_confirmation_email(ticket)
 
-        # Redirect to the fixed internal tickets page; target is a constant
-        # relative URL, so this is not an open redirect.
-        return request.redirect(
-            "/my/tickets"
-        )  # nosemgrep: odoo-unvalidated-redirect - Redirect target is fixed internal '/my/tickets' URL.
+        # nosemgrep: semgrep.odoo-unvalidated-redirect -- fixed internal URL
+        return request.redirect("/my/tickets")
diff --git a/spp_grm/models/grm_ticket.py b/spp_grm/models/grm_ticket.py
@@ -538,6 +538,7 @@ def _compute_sla_status(self):
             if ticket.sla_status == "breached" and old_status != "breached":
                 # Use sudo() to call _on_sla_breach in a new environment context
                 # to avoid triggering compute dependencies during the compute itself
+                # nosemgrep: semgrep.odoo-sudo-without-context
                 ticket.sudo()._on_sla_breach()
 
     def _on_sla_breach(self):
@@ -677,6 +678,7 @@ def send_ticket_confirmation_email(self, ticket):
         """Send the ticket submission confirmation email."""
         template = self.env.ref("spp_grm.ticket_submission_confirmation", raise_if_not_found=False)
         if template:
+            # nosemgrep: semgrep.odoo-sudo-without-context -- mail templates require sudo
             template.sudo().send_mail(
                 ticket.id,
                 force_send=True,
diff --git a/spp_grm_cel/models/grm_routing_rule.py b/spp_grm_cel/models/grm_routing_rule.py
@@ -259,6 +259,7 @@ def apply_routing(self, ticket):
                 )
 
                 # Update match count
+                # nosemgrep: semgrep.odoo-sudo-without-context -- counter update needs sudo
                 rule.sudo().write({"match_count": rule.match_count + 1})
 
                 # Only apply the first matching rule

Original file line number	Diff line number	Diff line change
`@@ -244,6 +244,7 @@ def apply_assignment(self, case):`
`244`	`244`	`vals,`
`245`	`245`	`)`
`246`	`246`
	`247`	`+ # nosemgrep: semgrep.odoo-sudo-without-context -- counter update needs sudo`
`247`	`248`	`rule.sudo().write({"match_count": rule.match_count + 1})`
`248`	`249`	`return True`
`249`	`250`
Original file line number	Diff line number	Diff line change
`@@ -259,6 +259,7 @@ def apply_routing(self, ticket):`
`259`	`259`	`)`
`260`	`260`
`261`	`261`	`# Update match count`
	`262`	`+ # nosemgrep: semgrep.odoo-sudo-without-context -- counter update needs sudo`
`262`	`263`	`rule.sudo().write({"match_count": rule.match_count + 1})`
`263`	`264`
`264`	`265`	`# Only apply the first matching rule`