fix(spp_security): gate Apps menu via post_init_hook, not XML record override

emjay0921 · emjay0921 · commit cc1155701943 · 2026-05-12T10:07:14.000+08:00
Move the base.menu_management group_ids write out of groups_admin.xml
and into a new _gate_apps_menu function called from post_init_hook.

XML record overrides for cross-module Many2many fields are unreliable:
the override can be wiped when the owning module (base) gets upgraded,
silently reverting our gating. Hooks are idempotent and re-apply on
every spp_security install/upgrade, which is the same pattern this
module already uses to wire spp_security.group_spp_admin into
base.group_system.implied_ids.

No behavior change in steady state — the hook produces the same effect
as the XML record did, just more robustly.
diff --git a/spp_security/hooks.py b/spp_security/hooks.py
@@ -31,6 +31,7 @@ def post_init_hook(env_or_cr, registry=None):
         env = env_or_cr
 
     _setup_admin_group_inheritance(env)
+    _gate_apps_menu(env)
 
 
 def _setup_admin_group_inheritance(env):
@@ -63,3 +64,33 @@ def _setup_admin_group_inheritance(env):
 
     except Exception as e:
         _logger.warning("Failed to set up admin group inheritance: %s", str(e))
+
+
+def _gate_apps_menu(env):
+    """
+    Restrict the "Apps" top-level menu (base.menu_management) to base.group_system.
+
+    Out of the box this menuitem has no `groups` attribute, so every logged-in
+    user sees it. Per the OP#951 role/menu audit only System Admin should see
+    Apps; everyone else should not. base.group_system is the only group System
+    Admin pulls in transitively (via spp_user_roles.global_role_admin), so a
+    single Many2many write here enforces the audit for every role.
+
+    Idempotent — re-applies on every install/upgrade of spp_security. Uses a
+    hook rather than a `<record id="base.menu_management">` XML override
+    because cross-module Many2many writes via data XML can be wiped on
+    subsequent base-module upgrades.
+    """
+    try:
+        apps_menu = env.ref("base.menu_management", raise_if_not_found=False)
+        system_admin = env.ref("base.group_system", raise_if_not_found=False)
+        if not apps_menu or not system_admin:
+            _logger.warning("Could not gate Apps menu: base.menu_management or base.group_system not found")
+            return
+        if apps_menu.group_ids == system_admin:
+            _logger.debug("Apps menu gating already configured")
+            return
+        apps_menu.write({"group_ids": [(6, 0, [system_admin.id])]})
+        _logger.info("Gated Apps menu (base.menu_management) on base.group_system")
+    except Exception as e:
+        _logger.warning("Failed to gate Apps menu: %s", str(e))
diff --git a/spp_security/readme/HISTORY.md b/spp_security/readme/HISTORY.md
@@ -1,6 +1,6 @@
 ### 19.0.2.0.1
 
-- fix(security): gate the Odoo-stock **Apps** top-level menu (`base.menu_management`) on `base.group_system`. Out of the box the menu had no `groups` restriction and was visible to every logged-in user, so the OP#951 audit's `Apps: no` rows were silently violated. System Admin is the only OpenSPP role that pulls in `base.group_system`, so this single override hides Apps from every other role without touching any individual role definition.
+- fix(security): gate the Odoo-stock **Apps** top-level menu (`base.menu_management`) on `base.group_system` via a new `_gate_apps_menu` hook called from `post_init_hook`. Out of the box the menu had no `groups` restriction and was visible to every logged-in user, so the OP#951 audit's `Apps: no` rows were silently violated. System Admin is the only OpenSPP role that pulls in `base.group_system`, so this single Many2many write hides Apps from every other role without touching any individual role definition. Hook is idempotent and re-applies on every install/upgrade.
 
 ### 19.0.2.0.0
 
diff --git a/spp_security/security/groups_admin.xml b/spp_security/security/groups_admin.xml
@@ -40,17 +40,14 @@ Used for field agents and limited-access users.</field>
     </record>
 
     <!--
-        Gate the "Apps" top-level menu on base.group_system. Out of the box
-        the Apps root menuitem has no `groups` attribute, so every logged-in
-        user can see (but not click into) it. Per the OP#951 role/menu audit
-        only System Admin should see Apps; everyone else gets `Apps no`.
-        Restricting the menu to base.group_system enforces the audit without
-        touching individual roles (System Admin is the only role that pulls
-        in base.group_system).
+        Note: the "Apps" top-level menu (base.menu_management) is gated on
+        base.group_system at install / upgrade time by the post_init_hook
+        (see hooks.py:_gate_apps_menu). A hook is used instead of an
+        `<record id="base.menu_management" ...>` override because the XML
+        override is unreliable for cross-module Many2many writes (it can
+        be wiped on subsequent base-module upgrades). The hook idempotently
+        re-applies the gating on every install/upgrade of spp_security.
     -->
-    <record id="base.menu_management" model="ir.ui.menu">
-        <field name="group_ids" eval="[Command.set([ref('base.group_system')])]" />
-    </record>
 
     <!--
         How domain modules extend this:
