fix(spp_session_tracking): harden security, views, and test coverage

- Fix ACL allowing session users to write own facilitated sessions
- Add co-facilitator write access and multi-company record rules
- Add attendance record rules scoped to facilitated sessions
- Add state transition guards, write() override, and time validation
- Add ondelete=restrict on session_type_id, facilitator_id, company_id
- Fix N+1 query in _compute_counts using read_group
- Remove PII from log messages (log rec.id only)
- Rename required_attendance_pct to required_attendance_percentage
- Restructure form with oe_title, button_box, ribbons, named groups
- Add graph, pivot views; improve list, kanban, calendar, search views
- Fix spp_case_session button_box XPath to use hasclass()
- Add 63 tests (security, constraints, coverage) for 95%+ coverage
- Update DESCRIPTION.md to reflect security and view changes

Author: gonzalesedwin1123

spp_case_session/views/session_views.xml

@@ -6,17 +6,15 @@
         <field name="model">spp.session</field>
         <field name="inherit_id" ref="spp_session_tracking.view_session_form" />
         <field name="arch" type="xml">
-            <xpath expr="//sheet/group[1]" position="before">
-                <div class="oe_button_box" name="button_box">
-                    <button
-                        name="action_view_cases"
-                        type="object"
-                        class="oe_stat_button"
-                        icon="fa-folder-open"
-                    >
-                        <field name="case_count" widget="statinfo" string="Cases" />
-                    </button>
-                </div>
+            <xpath expr="//div[hasclass('oe_button_box')]" position="inside">
+                <button
+                    name="action_view_cases"
+                    type="object"
+                    class="oe_stat_button"
+                    icon="fa-folder-open"
+                >
+                    <field name="case_count" widget="statinfo" string="Cases" />
+                </button>
             </xpath>
         </field>
     </record>

spp_session_tracking/data/session_data.xml

@@ -9,7 +9,7 @@
         >General training and capacity building sessions for beneficiaries</field>
         <field name="frequency">monthly</field>
         <field name="duration_hours">3.0</field>
-        <field name="required_attendance_pct">80.0</field>
+        <field name="required_attendance_percentage">80.0</field>
         <field name="track_topics">True</field>
     </record>
 
@@ -21,7 +21,7 @@
         >Regular support group meetings for community members</field>
         <field name="frequency">biweekly</field>
         <field name="duration_hours">2.0</field>
-        <field name="required_attendance_pct">75.0</field>
+        <field name="required_attendance_percentage">75.0</field>
         <field name="track_topics">False</field>
     </record>
 
@@ -33,7 +33,7 @@
         >Family Development Sessions for conditional cash transfer programs</field>
         <field name="frequency">monthly</field>
         <field name="duration_hours">2.5</field>
-        <field name="required_attendance_pct">85.0</field>
+        <field name="required_attendance_percentage">85.0</field>
         <field name="track_topics">True</field>
     </record>
 
@@ -43,7 +43,7 @@
         <field name="description">Specialized workshops on various topics</field>
         <field name="frequency">one_time</field>
         <field name="duration_hours">4.0</field>
-        <field name="required_attendance_pct">90.0</field>
+        <field name="required_attendance_percentage">90.0</field>
         <field name="track_topics">True</field>
     </record>
 

spp_session_tracking/models/session.py

@@ -1,6 +1,12 @@
 # Part of OpenSPP. See LICENSE file for full copyright and licensing details.
 
+import logging
+
 from odoo import api, fields, models
+from odoo.exceptions import UserError, ValidationError
+from odoo.tools.translate import _
+
+_logger = logging.getLogger(__name__)
 
 
 class Session(models.Model):
@@ -10,14 +16,26 @@ class Session(models.Model):
     _order = "date desc"
 
     name = fields.Char(required=True, tracking=True)
-    session_type_id = fields.Many2one("spp.session.type", required=True, string="Session Type", tracking=True)
+    session_type_id = fields.Many2one(
+        "spp.session.type",
+        required=True,
+        ondelete="restrict",
+        string="Session Type",
+        tracking=True,
+    )
 
     date = fields.Date(required=True, default=fields.Date.today, tracking=True)
     start_time = fields.Float()
     end_time = fields.Float()
     duration_hours = fields.Float(compute="_compute_duration", store=True, string="Duration (Hours)")
 
-    facilitator_id = fields.Many2one("res.users", required=True, string="Facilitator", tracking=True)
+    facilitator_id = fields.Many2one(
+        "res.users",
+        required=True,
+        ondelete="restrict",
+        string="Facilitator",
+        tracking=True,
+    )
     co_facilitator_ids = fields.Many2many(
         "res.users",
         "session_co_facilitator_rel",
@@ -65,16 +83,22 @@ class Session(models.Model):
     )
 
     notes = fields.Text()
-    company_id = fields.Many2one("res.company", default=lambda self: self.env.company)
+    company_id = fields.Many2one("res.company", default=lambda self: self.env.company, ondelete="restrict")
 
     @api.depends("start_time", "end_time")
     def _compute_duration(self):
         for rec in self:
             if rec.start_time and rec.end_time:
-                rec.duration_hours = rec.end_time - rec.start_time
+                rec.duration_hours = max(0.0, rec.end_time - rec.start_time)
             else:
                 rec.duration_hours = 0.0
 
+    @api.constrains("start_time", "end_time")
+    def _check_time_range(self):
+        for rec in self:
+            if rec.start_time and rec.end_time and rec.end_time < rec.start_time:
+                raise ValidationError(_("End time must be after start time."))
+
     @api.depends("attendance_ids", "attendance_ids.is_attended", "expected_participant_ids")
     def _compute_attendance(self):
         for rec in self:
@@ -87,11 +111,45 @@ def _compute_attendance(self):
             else:
                 rec.attendance_rate = 0.0
 
+    _VALID_TRANSITIONS = {
+        "scheduled": {"in_progress", "cancelled"},
+        "in_progress": {"completed", "cancelled"},
+        "completed": set(),
+        "cancelled": set(),
+    }
+
+    def write(self, vals):
+        if "state" in vals:
+            new_state = vals["state"]
+            for rec in self:
+                valid = self._VALID_TRANSITIONS.get(rec.state, set())
+                if new_state not in valid:
+                    raise UserError(
+                        _(
+                            "Cannot transition session from '%(current)s' to '%(target)s'.",
+                            current=rec.state,
+                            target=new_state,
+                        )
+                    )
+        return super().write(vals)
+
     def action_start(self):
-        self.state = "in_progress"
+        for rec in self:
+            if rec.state != "scheduled":
+                raise UserError(_("Only scheduled sessions can be started."))
+            _logger.info("Session id=%s transitioning from scheduled to in_progress.", rec.id)
+            rec.state = "in_progress"
 
     def action_complete(self):
-        self.state = "completed"
+        for rec in self:
+            if rec.state != "in_progress":
+                raise UserError(_("Only sessions in progress can be completed."))
+            _logger.info("Session id=%s transitioning from in_progress to completed.", rec.id)
+            rec.state = "completed"
 
     def action_cancel(self):
-        self.state = "cancelled"
+        for rec in self:
+            if rec.state not in ("scheduled", "in_progress"):
+                raise UserError(_("Only scheduled or in-progress sessions can be cancelled."))
+            _logger.info("Session id=%s transitioning from %s to cancelled.", rec.id, rec.state)
+            rec.state = "cancelled"

spp_session_tracking/models/session_attendance.py

@@ -9,12 +9,12 @@ class SessionAttendance(models.Model):
     _rec_name = "participant_id"
 
     session_id = fields.Many2one("spp.session", required=True, ondelete="cascade", string="Session")
-    participant_id = fields.Many2one("res.partner", required=True, string="Participant")
+    participant_id = fields.Many2one("res.partner", required=True, ondelete="restrict", string="Participant")
 
-    is_attended = fields.Boolean(default=False)
+    is_attended = fields.Boolean()
     attendance_time = fields.Datetime(string="Time of Attendance")
 
-    is_excused = fields.Boolean(default=False)
+    is_excused = fields.Boolean()
     excuse_reason = fields.Char()
 
     notes = fields.Text()

spp_session_tracking/models/session_topic.py

@@ -11,6 +11,6 @@ class SessionTopic(models.Model):
     name = fields.Char(required=True)
     code = fields.Char()
     description = fields.Text()
-    session_type_id = fields.Many2one("spp.session.type", string="Session Type")
+    session_type_id = fields.Many2one("spp.session.type", string="Session Type", ondelete="cascade")
     sequence = fields.Integer(default=10)
     active = fields.Boolean(default=True)

spp_session_tracking/models/session_type.py

@@ -1,6 +1,7 @@
 # Part of OpenSPP. See LICENSE file for full copyright and licensing details.
 
 from odoo import api, fields, models
+from odoo.tools.translate import _
 
 
 class SessionType(models.Model):
@@ -23,7 +24,7 @@ class SessionType(models.Model):
         default="monthly",
     )
 
-    required_attendance_pct = fields.Float(
+    required_attendance_percentage = fields.Float(
         default=80.0,
         help="Minimum attendance percentage required for compliance",
     )
@@ -37,21 +38,30 @@ class SessionType(models.Model):
 
     session_count = fields.Integer(compute="_compute_counts", string="Number of Sessions")
 
-    company_id = fields.Many2one("res.company", default=lambda self: self.env.company)
+    company_id = fields.Many2one("res.company", default=lambda self: self.env.company, ondelete="restrict")
 
-    @api.depends("topic_ids")
+    _unique_code = models.Constraint(
+        "UNIQUE(code)",
+        "Session type code must be unique.",
+    )
+
+    @api.depends()
     def _compute_counts(self):
+        data = self.env["spp.session"].read_group(
+            [("session_type_id", "in", self.ids)], ["session_type_id"], ["session_type_id"]
+        )
+        mapped = {d["session_type_id"][0]: d["session_type_id_count"] for d in data}
         for rec in self:
-            rec.session_count = self.env["spp.session"].search_count([("session_type_id", "=", rec.id)])
+            rec.session_count = mapped.get(rec.id, 0)
 
     def action_view_sessions(self):
         """Open view with sessions of this type."""
         self.ensure_one()
         return {
             "type": "ir.actions.act_window",
-            "name": f"Sessions - {self.name}",
+            "name": _("Sessions - %s", self.name),
             "res_model": "spp.session",
-            "view_mode": "tree,form,calendar,kanban",
+            "view_mode": "list,form,calendar,kanban",
             "domain": [("session_type_id", "=", self.id)],
             "context": {"default_session_type_id": self.id},
         }

spp_session_tracking/readme/DESCRIPTION.md

@@ -26,7 +26,7 @@ After installing:
 
 1. Navigate to **Session Tracking > Configuration > Session Types**
 2. Review pre-configured session types (Training, Family Development Session, Group Meeting, Workshop)
-3. Add or modify session types and topics as needed
+3. Add or modify session types as needed; topics are managed within each session type form when topic tracking is enabled
 4. Adjust required attendance percentage per session type
 
 Four session types are pre-configured with sample topics for Family Development Sessions and Training Sessions.
@@ -36,16 +36,16 @@ Four session types are pre-configured with sample topics for Family Development
 - **Menu**: Session Tracking > Sessions > All Sessions
 - **My Sessions**: Session Tracking > Sessions > My Sessions (filtered to current user as facilitator)
 - **Configuration**: Session Tracking > Configuration > Session Types (managers only)
-- **Views**: List, form, calendar (by date), kanban (grouped by state)
+- **Views**: List, form, calendar (by date), kanban (grouped by state), graph, pivot
 
 ### Security
 
 | Group                                          | Access                                |
 | ---------------------------------------------- | ------------------------------------- |
-| `spp_session_tracking.group_session_user`      | Read all sessions and session types/topics; write own facilitated sessions; read/write/create attendance (no delete) |
+| `spp_session_tracking.group_session_user`      | Read all sessions and session types/topics; create/write own facilitated or co-facilitated sessions; read/write/create attendance for own sessions (no delete) |
 | `spp_session_tracking.group_session_manager`   | Full CRUD on all sessions, types, topics, and attendance |
 
-The session user group can view all sessions but only edit sessions they facilitate (via record rule). The `spp_security.group_spp_admin` group implies manager access.
+The session user group can view all sessions but only edit sessions where they are the facilitator or co-facilitator (via record rules). Session creation requires manager access. The `spp_security.group_spp_admin` group implies manager access. Multi-company record rules ensure users only see sessions belonging to their company.
 
 ### Extension Points
 

spp_session_tracking/security/ir.model.access.csv

@@ -3,7 +3,7 @@ access_spp_session_type_user,access_spp_session_type_user,spp_session_tracking.m
 access_spp_session_type_manager,access_spp_session_type_manager,spp_session_tracking.model_spp_session_type,spp_session_tracking.group_session_manager,1,1,1,1
 access_spp_session_topic_user,access_spp_session_topic_user,spp_session_tracking.model_spp_session_topic,spp_session_tracking.group_session_user,1,0,0,0
 access_spp_session_topic_manager,access_spp_session_topic_manager,spp_session_tracking.model_spp_session_topic,spp_session_tracking.group_session_manager,1,1,1,1
-access_spp_session_user,access_spp_session_user,spp_session_tracking.model_spp_session,spp_session_tracking.group_session_user,1,0,0,0
+access_spp_session_user,access_spp_session_user,spp_session_tracking.model_spp_session,spp_session_tracking.group_session_user,1,1,0,0
 access_spp_session_manager,access_spp_session_manager,spp_session_tracking.model_spp_session,spp_session_tracking.group_session_manager,1,1,1,1
 access_spp_session_attendance_user,access_spp_session_attendance_user,spp_session_tracking.model_spp_session_attendance,spp_session_tracking.group_session_user,1,1,1,0
 access_spp_session_attendance_manager,access_spp_session_attendance_manager,spp_session_tracking.model_spp_session_attendance,spp_session_tracking.group_session_manager,1,1,1,1