fix(spp_base_common): gate Apps menu on base.group_system via existing menuitem override (OP#951)

Earlier commits in this PR attempted the gating via spp_security: first
as an XML record override (e70a983), then as a post_init_hook
(cc11557). Both produced empty group_ids on a freshly installed DB —
verified on port 32774 with spp_security at 19.0.2.0.1.

Root cause: spp_base_common's views/main_view.xml already overrides
base.menu_management with its own <menuitem> (to set the OpenSPP web
icon). spp_base_common loads AFTER spp_security in the dep graph, and
in Odoo 19 a <menuitem> without an explicit `groups` attribute resets
group_ids on the target record. So any group_ids that spp_security's
hook or XML override writes earlier gets clobbered later by
spp_base_common's reload.

Fix: gate the menu where it's already declared. Add
`groups="base.group_system"` to the existing menuitem in
spp_base_common, and revert the spp_security gymnastics (version
bump, HISTORY entry, _gate_apps_menu hook, migration script).

System Admin is the only OpenSPP role that pulls in base.group_system
(via spp_user_roles.global_role_admin → Command.link(base.group_system)),
so this single attribute hides Apps from every other role and matches
the OP#951 audit's `Apps: no` rows.

Modules touched:
- spp_base_common: + groups attr on Apps menuitem; bump 19.0.2.0.0
  → 19.0.2.0.1 + HISTORY entry
- spp_security: revert version bump, drop _gate_apps_menu hook and
  associated comment, no migration script needed

Author: emjay0921

spp_base_common/__manifest__.py

@@ -5,7 +5,7 @@
 {
     "name": "OpenSPP Base (Common)",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",

spp_base_common/readme/HISTORY.md

@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): add `groups="base.group_system"` to the existing `<menuitem id="base.menu_management" />` override in `views/main_view.xml`. Out of the box the Apps top-level menu has no group restriction and is visible to every logged-in user, violating the OP#951 audit's `Apps: no` rows. The override here is the single authoritative declaration for this menu's attributes in the OpenSPP install (sequence, custom OpenSPP icon, and now group_ids); doing the gating anywhere upstream (e.g. a `post_init_hook` in `spp_security`) is unreliable because this `<menuitem>` reload re-writes the record without a `groups` attribute and resets `group_ids` to empty.
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2

spp_base_common/views/main_view.xml

@@ -7,10 +7,22 @@
         sequence="-1"
     />
 
+    <!--
+        Gate the Apps top-level menu on base.group_system per the OP#951
+        role/menu audit (only System Admin should see Apps). spp_base_common
+        already overrides this menuitem to set the OpenSPP web_icon; adding
+        the groups attribute here is reliable because this <menuitem> runs
+        AFTER any upstream module's post_init_hook on fresh install AND on
+        every subsequent module upgrade. Doing the same gating from a
+        post_init_hook in an upstream module (e.g. spp_security) does not
+        survive because a later `<menuitem>` reload re-writes the record
+        without a `groups` attribute, resetting group_ids to empty.
+    -->
     <menuitem
         id="base.menu_management"
         name="Apps"
         web_icon="spp_base_common,static/description/OpenSPP-Icons-App.png"
+        groups="base.group_system"
     />
     <menuitem
         id="base.menu_administration"

spp_security/__manifest__.py

@@ -4,7 +4,7 @@
     "name": "OpenSPP Security",
     "summary": "Central security definitions for OpenSPP modules",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.1",
+    "version": "19.0.2.0.0",
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
     "license": "LGPL-3",

spp_security/hooks.py

@@ -31,7 +31,6 @@ def post_init_hook(env_or_cr, registry=None):
         env = env_or_cr
 
     _setup_admin_group_inheritance(env)
-    _gate_apps_menu(env)
 
 
 def _setup_admin_group_inheritance(env):
@@ -64,33 +63,3 @@ def _setup_admin_group_inheritance(env):
 
     except Exception as e:
         _logger.warning("Failed to set up admin group inheritance: %s", str(e))
-
-
-def _gate_apps_menu(env):
-    """
-    Restrict the "Apps" top-level menu (base.menu_management) to base.group_system.
-
-    Out of the box this menuitem has no `groups` attribute, so every logged-in
-    user sees it. Per the OP#951 role/menu audit only System Admin should see
-    Apps; everyone else should not. base.group_system is the only group System
-    Admin pulls in transitively (via spp_user_roles.global_role_admin), so a
-    single Many2many write here enforces the audit for every role.
-
-    Idempotent — re-applies on every install/upgrade of spp_security. Uses a
-    hook rather than a `<record id="base.menu_management">` XML override
-    because cross-module Many2many writes via data XML can be wiped on
-    subsequent base-module upgrades.
-    """
-    try:
-        apps_menu = env.ref("base.menu_management", raise_if_not_found=False)
-        system_admin = env.ref("base.group_system", raise_if_not_found=False)
-        if not apps_menu or not system_admin:
-            _logger.warning("Could not gate Apps menu: base.menu_management or base.group_system not found")
-            return
-        if apps_menu.group_ids == system_admin:
-            _logger.debug("Apps menu gating already configured")
-            return
-        apps_menu.write({"group_ids": [(6, 0, [system_admin.id])]})
-        _logger.info("Gated Apps menu (base.menu_management) on base.group_system")
-    except Exception as e:
-        _logger.warning("Failed to gate Apps menu: %s", str(e))

spp_security/readme/HISTORY.md

@@ -1,7 +1,3 @@
-### 19.0.2.0.1
-
-- fix(security): gate the Odoo-stock **Apps** top-level menu (`base.menu_management`) on `base.group_system` via a new `_gate_apps_menu` hook called from `post_init_hook`. Out of the box the menu had no `groups` restriction and was visible to every logged-in user, so the OP#951 audit's `Apps: no` rows were silently violated. System Admin is the only OpenSPP role that pulls in `base.group_system`, so this single Many2many write hides Apps from every other role without touching any individual role definition. Hook is idempotent and re-applies on every install/upgrade.
-
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2

spp_security/security/groups_admin.xml

@@ -39,16 +39,6 @@ Used for field agents and limited-access users.</field>
         <field name="implied_ids" eval="[Command.link(ref('group_spp_admin'))]" />
     </record>
 
-    <!--
-        Note: the "Apps" top-level menu (base.menu_management) is gated on
-        base.group_system at install / upgrade time by the post_init_hook
-        (see hooks.py:_gate_apps_menu). A hook is used instead of an
-        `<record id="base.menu_management" ...>` override because the XML
-        override is unreliable for cross-module Many2many writes (it can
-        be wiped on subsequent base-module upgrades). The hook idempotently
-        re-applies the gating on every install/upgrade of spp_security.
-    -->
-
     <!--
         How domain modules extend this:
         ===============================