OpenSPP
diff --git a/‎spp_area/README.rst‎
Lines changed: 12 additions & 1 deletion b/‎spp_area/README.rst‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎spp_area/__manifest__.py‎
Lines changed: 2 additions & 1 deletion b/‎spp_area/__manifest__.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎spp_area/readme/HISTORY.md‎
Lines changed: 5 additions & 1 deletion b/‎spp_area/readme/HISTORY.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎spp_area/security/rules.xml‎
Lines changed: 33 additions & 0 deletions b/‎spp_area/security/rules.xml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎spp_area/static/description/index.html‎
Lines changed: 13 additions & 1 deletion b/‎spp_area/static/description/index.html‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎spp_change_request_v2/README.rst‎
Lines changed: 13 additions & 1 deletion b/‎spp_change_request_v2/README.rst‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎spp_change_request_v2/__manifest__.py‎
Lines changed: 3 additions & 1 deletion b/‎spp_change_request_v2/__manifest__.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎spp_change_request_v2/readme/HISTORY.md‎
Lines changed: 5 additions & 1 deletion b/‎spp_change_request_v2/readme/HISTORY.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎spp_change_request_v2/security/area_filter_rules.xml‎
Lines changed: 34 additions & 0 deletions b/‎spp_change_request_v2/security/area_filter_rules.xml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎spp_change_request_v2/static/description/index.html‎
Lines changed: 17 additions & 4 deletions b/‎spp_change_request_v2/static/description/index.html‎
Lines changed: 17 additions & 4 deletions
@@ -140,14 +140,25 @@ Dependencies
 Changelog
 =========
 
-19.0.2.0.1
+19.0.2.0.2
 ~~~~~~~~~~
 
 - fix(security): grant ``group_area_viewer`` (read-only) to
   spp_user_roles support roles (Global Support, Global Support Manager,
   Local Support) so they can browse area records per the OP#951 menu
   audit.
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): add a global ``ir.rule`` on ``res.partner`` that
+  filters registrants by ``area_id`` for users with ``center_area_ids``
+  set (OP#989). Replaces the limited ``search_read`` /
+  ``web_search_read`` override in ``models/registrant.py`` which missed
+  ``name_search`` (Many2one dropdowns), ``search_count``,
+  ``read_group``, and related-field traversal. The rule's conditional
+  domain is a no-op for users without center areas (global roles).
+
 19.0.2.0.0
 ~~~~~~~~~~
 
 
@@ -6,7 +6,7 @@
     "name": "OpenSPP Area Management",
     "summary": "Establishes direct associations between OpenSPP registrants, beneficiary groups, and their corresponding geographical administrative areas. It validates registrant-area linkages against official area types, ensuring data integrity and enabling targeted program delivery and analysis.",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.1",
+    "version": "19.0.2.0.2",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -34,6 +34,7 @@
         "security/groups.xml",
         "security/ir.model.access.csv",
         "data/user_roles.xml",
+        "security/rules.xml",
         "wizard/area_import_language_wizard_views.xml",
         "views/area_base.xml",
         "views/area_tag.xml",
 
@@ -1,7 +1,11 @@
-### 19.0.2.0.1
+### 19.0.2.0.2
 
 - fix(security): grant `group_area_viewer` (read-only) to spp_user_roles support roles (Global Support, Global Support Manager, Local Support) so they can browse area records per the OP#951 menu audit.
 
+### 19.0.2.0.1
+
+- fix(security): add a global `ir.rule` on `res.partner` that filters registrants by `area_id` for users with `center_area_ids` set (OP#989). Replaces the limited `search_read` / `web_search_read` override in `models/registrant.py` which missed `name_search` (Many2one dropdowns), `search_count`, `read_group`, and related-field traversal. The rule's conditional domain is a no-op for users without center areas (global roles).
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Area-based row-level filtering for registrants (OP#989).
+
+Replaces / strengthens the `_prepare_domain` override in models/registrant.py
+which only catches `search_read` / `web_search_read`. An ir.rule applies to
+every ORM read path automatically: `search`, `search_count`, `read_group`,
+`name_search` (Many2one dropdowns), `read`, and related-field traversal.
+
+The rule is scoped to `is_registrant = True` only — non-registrant contacts
+(users' own partners, admins, companies, system bots, mail followers) must
+remain readable, otherwise every record using `message_partner_ids` /
+`message_follower_ids` blows up for local users with `center_area_ids`.
+
+The conditional domain makes the rule a no-op for users without
+`center_area_ids` (global roles).
+-->
+<odoo noupdate="1">
+    <record id="rule_res_partner_area_filter" model="ir.rule">
+        <field name="name">Registrants: visible only within user's center areas</field>
+        <field name="model_id" ref="base.model_res_partner" />
+        <field
+            name="domain_force"
+        >['|', ('is_registrant', '=', False), ('area_id', 'child_of', user.center_area_ids.ids)] if user.center_area_ids else []</field>
+        <field name="global" eval="True" />
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+</odoo>
@@ -537,7 +537,7 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
-<h1>19.0.2.0.1</h1>
+<h1>19.0.2.0.2</h1>
 <ul class="simple">
 <li>fix(security): grant <tt class="docutils literal">group_area_viewer</tt> (read-only) to
 spp_user_roles support roles (Global Support, Global Support Manager,
@@ -546,6 +546,18 @@ <h1>19.0.2.0.1</h1>
 </ul>
 </div>
 <div class="section" id="section-2">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): add a global <tt class="docutils literal">ir.rule</tt> on <tt class="docutils literal">res.partner</tt> that
+filters registrants by <tt class="docutils literal">area_id</tt> for users with <tt class="docutils literal">center_area_ids</tt>
+set (OP#989). Replaces the limited <tt class="docutils literal">search_read</tt> /
+<tt class="docutils literal">web_search_read</tt> override in <tt class="docutils literal">models/registrant.py</tt> which missed
+<tt class="docutils literal">name_search</tt> (Many2one dropdowns), <tt class="docutils literal">search_count</tt>,
+<tt class="docutils literal">read_group</tt>, and related-field traversal. The rule’s conditional
+domain is a no-op for users without center areas (global roles).</li>
+</ul>
+</div>
+<div class="section" id="section-3">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>
 
@@ -853,7 +853,7 @@ Before declaring a new CR type complete:
 Changelog
 =========
 
-19.0.2.0.4
+19.0.2.0.6
 ~~~~~~~~~~
 
 - fix(security): align CR Requestor / CR Local Validator / CR HQ
@@ -864,6 +864,18 @@ Changelog
   visibility once the menu root is gated. Adds ``spp_hazard`` to module
   dependencies.
 
+19.0.2.0.5
+~~~~~~~~~~
+
+- fix(security): add a global ``ir.rule`` on ``spp.change.request`` that
+  filters by ``registrant_id.area_id`` against the user's
+  ``center_area_ids`` (OP#989 round-2). The earlier ``_prepare_domain``
+  override only caught ``search_read`` / ``web_search_read`` and missed
+  the registrant Many2one picker (which uses ``name_search`` →
+  ``_search``), so users could still select out-of-area registrants. The
+  conditional domain is a no-op for users with no center areas (global
+  roles).
+
 19.0.2.0.3
 ~~~~~~~~~~
 
 
@@ -1,6 +1,6 @@
 {
     "name": "OpenSPP Change Request V2",
-    "version": "19.0.2.0.4",
+    "version": "19.0.2.0.6",
     "sequence": 50,
     "category": "OpenSPP",
     "summary": "Configuration-driven change request system with UX improvements, conflict detection and duplicate prevention",
@@ -13,6 +13,7 @@
         "mail",
         "spp_base_common",
         "spp_registry",
+        "spp_area",
         "spp_security",
         "spp_approval",
         "spp_event_data",
@@ -25,6 +26,7 @@
         "security/privileges.xml",
         "security/groups.xml",
         "security/rules.xml",
+        "security/area_filter_rules.xml",
         "security/ir.model.access.csv",
         # Views (loaded before data that references them)
         "views/dms_file_views.xml",
 
@@ -1,7 +1,11 @@
-### 19.0.2.0.4
+### 19.0.2.0.6
 
 - fix(security): align CR Requestor / CR Local Validator / CR HQ Validator roles with the OP#951 menu audit — replace the `spp_registry.group_registry_read` (Tier-3, no menu) link with `spp_registry.group_registry_viewer` so these roles see the Registry menu; add `spp_hazard.group_hazard_viewer` so they retain Hazard visibility once the menu root is gated. Adds `spp_hazard` to module dependencies.
 
+### 19.0.2.0.5
+
+- fix(security): add a global `ir.rule` on `spp.change.request` that filters by `registrant_id.area_id` against the user's `center_area_ids` (OP#989 round-2). The earlier `_prepare_domain` override only caught `search_read` / `web_search_read` and missed the registrant Many2one picker (which uses `name_search` → `_search`), so users could still select out-of-area registrants. The conditional domain is a no-op for users with no center areas (global roles).
+
 ### 19.0.2.0.3
 
 - fix: add HTML escaping to all computed Html fields with `sanitize=False` to prevent stored XSS (#50)
 
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Area-based row-level filtering for change requests (OP#989).
+
+QA round 1 surfaced that the original `_prepare_domain` override on
+`spp.change.request` only caught `search_read` / `web_search_read`. The
+registrant picker on the CR form (a Many2one widget) calls `name_search` ->
+`_search` and bypasses the override. An ir.rule applies to every ORM read
+path automatically, including `name_search`, `search_count`, `read_group`,
+and related-field traversal.
+
+Mirrors the conditional domain pattern from `spp_area/security/rules.xml`
+so users without `center_area_ids` (global roles) are unaffected. The
+module now depends on `spp_area` directly so `user.center_area_ids`
+can be referenced without defensive guards.
+-->
+<odoo noupdate="1">
+    <record id="rule_spp_change_request_area_filter" model="ir.rule">
+        <field
+            name="name"
+        >Change Request: visible only within user's center areas</field>
+        <field name="model_id" ref="model_spp_change_request" />
+        <field
+            name="domain_force"
+        >[('registrant_id.area_id', 'child_of', user.center_area_ids.ids)] if user.center_area_ids else []</field>
+        <field name="global" eval="True" />
+        <field name="perm_read" eval="True" />
+        <field name="perm_write" eval="True" />
+        <field name="perm_create" eval="True" />
+        <field name="perm_unlink" eval="True" />
+    </record>
+</odoo>
@@ -1339,7 +1339,7 @@ <h2>Changelog</h2>
 </div>
 </div>
 <div class="section" id="section-1">
-<h1>19.0.2.0.4</h1>
+<h1>19.0.2.0.6</h1>
 <ul class="simple">
 <li>fix(security): align CR Requestor / CR Local Validator / CR HQ
 Validator roles with the OP#951 menu audit — replace the
@@ -1351,26 +1351,39 @@ <h1>19.0.2.0.4</h1>
 </ul>
 </div>
 <div class="section" id="section-2">
+<h1>19.0.2.0.5</h1>
+<ul class="simple">
+<li>fix(security): add a global <tt class="docutils literal">ir.rule</tt> on <tt class="docutils literal">spp.change.request</tt> that
+filters by <tt class="docutils literal">registrant_id.area_id</tt> against the user’s
+<tt class="docutils literal">center_area_ids</tt> (OP#989 round-2). The earlier <tt class="docutils literal">_prepare_domain</tt>
+override only caught <tt class="docutils literal">search_read</tt> / <tt class="docutils literal">web_search_read</tt> and missed
+the registrant Many2one picker (which uses <tt class="docutils literal">name_search</tt> →
+<tt class="docutils literal">_search</tt>), so users could still select out-of-area registrants. The
+conditional domain is a no-op for users with no center areas (global
+roles).</li>
+</ul>
+</div>
+<div class="section" id="section-3">
 <h1>19.0.2.0.3</h1>
 <ul class="simple">
 <li>fix: add HTML escaping to all computed Html fields with
 <tt class="docutils literal">sanitize=False</tt> to prevent stored XSS (#50)</li>
 </ul>
 </div>
-<div class="section" id="section-3">
+<div class="section" id="section-4">
 <h1>19.0.2.0.2</h1>
 <ul class="simple">
 <li>fix: fix batch approval wizard line deletion (#130)</li>
 </ul>
 </div>
-<div class="section" id="section-4">
+<div class="section" id="section-5">
 <h1>19.0.2.0.1</h1>
 <ul class="simple">
 <li>fix: skip field types before getattr and isolate detail prefetch
 (#129)</li>
 </ul>
 </div>
-<div class="section" id="section-5">
+<div class="section" id="section-6">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>