Restrict DCI sync and cached value access

[jeremi]

Motivation

• The manual server action and the sync_for_partners() entrypoint allowed arbitrary internal users to trigger outbound DCI lookups and populate sensitive disability/health indicators into the shared cache spp.data.value without authorization.
• Cached DCI-backed indicators (e.g. dr.dci.has_disability, severity flags) are sensitive and were readable by base.group_user via existing ACLs, creating a confidentiality risk.
• The sync cron also ran without an explicit privileged user_id, making scheduled execution ambiguous and potentially privileged operations less explicit.

Description

• Added a service-layer authorization check _check_dci_sync_access() to spp.dci.cel.fetcher which raises AccessError unless the caller has the spp_cel_domain.group_cel_domain_manager group, and invoked it at the start of sync_for_partners() to block low-privileged RPC/server calls.
• Restricted the bound server action action_sync_dci_values to CEL Domain Managers by adding a group_ids entry and set the scheduled cron user_id to base.user_root so scheduled syncs remain explicit and privileged.
• Removed the broad base.group_user read permission for model_spp_data_value in spp_cel_domain/security/ir.model.access.csv (set read to 0) so cached DCI values are no longer globally visible to basic internal users.
• Added a regression test that a plain internal user (only base.group_user) receives AccessError when calling sync_for_partners() directly (test_sync_for_partners_requires_cel_manager).

Testing

• Ran python3 -m py_compile on the modified files (spp_dci_indicators/models/dci_cel_fetcher.py and tests) and compilation succeeded.
• Parsed the updated XML (spp_dci_indicators/data/dci_sync.xml) with xml.etree.ElementTree.parse and performed a static ACL check on spp_cel_domain/security/ir.model.access.csv, both of which succeeded.
• Ran git diff --check and static checks with no reported issues.
• Attempted to run the Odoo TransactionCase test suite but import odoo failed in this environment so full integration/unit test execution could not be performed here; a new unit test was added and should run in CI where Odoo is available.

---

Codex Task

[gemini-code-assist]

Code Review

This pull request introduces access control restrictions for syncing DCI-backed CEL values. It disables default read access to spp.data.value for base users, restricts the sync action to CEL Domain Managers, and adds a permission check in sync_for_partners along with a corresponding unit test. Feedback on the changes suggests updating the access check in _check_dci_sync_access to bypass the group check when running in superuser mode (self.env.su), preventing unexpected AccessError exceptions during sudo() operations.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

In Odoo, when a method is executed in superuser mode (e.g., via .sudo()), self.env.su is set to True, but self.env.user remains the original user. If the original user does not belong to the CEL manager group, calling self.env.user.has_group(...) will return False and raise an AccessError, even though the environment is running with elevated privileges. To ensure that sudo() works correctly and doesn't unexpectedly fail with an access error, you should explicitly bypass this check when self.env.su is True.

Suggested change

	def _check_dci_sync_access(self):
	"""Require CEL manager privileges before triggering outbound DCI sync."""
	if not self.env.user.has_group("spp_cel_domain.group_cel_domain_manager"):
	raise AccessError(_("Only CEL Domain Managers can sync DCI-backed CEL values."))
	@api.model
	def _check_dci_sync_access(self):
	"""Require CEL manager privileges before triggering outbound DCI sync."""
	if not self.env.su and not self.env.user.has_group("spp_cel_domain.group_cel_domain_manager"):
	raise AccessError(_("Only CEL Domain Managers can sync DCI-backed CEL values."))

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.12%. Comparing base (00f1e5a) to head (ea59ead).

Additional details and impacted files

@@            Coverage Diff             @@
##             19.0     #234      +/-   ##
==========================================
+ Coverage   73.05%   73.12%   +0.07%     
==========================================
  Files        1069     1076       +7     
  Lines       62080    62282     +202     
==========================================
+ Hits        45351    45543     +192     
- Misses      16729    16739      +10     

Flag	Coverage Δ
spp_analytics	93.13% <ø> (ø)
spp_api_v2	80.33% <ø> (ø)
spp_api_v2_change_request	66.85% <ø> (ø)
spp_api_v2_cycles	71.12% <ø> (ø)
spp_api_v2_data	64.41% <ø> (ø)
spp_api_v2_entitlements	70.19% <ø> (ø)
spp_api_v2_gis	71.52% <ø> (ø)
spp_api_v2_products	66.27% <ø> (ø)
spp_api_v2_service_points	70.94% <ø> (ø)
spp_api_v2_simulation	71.12% <ø> (ø)
spp_api_v2_vocabulary	57.26% <ø> (ø)
spp_approval	50.29% <ø> (ø)
spp_audit	72.60% <ø> (ø)
spp_base_common	90.26% <ø> (ø)
spp_case_cel	89.01% <ø> (ø)
spp_cel_domain	61.16% <ø> (ø)
spp_dci_indicators	95.04% <100.00%> (?)
spp_programs	64.84% <ø> (ø)
spp_registry	86.83% <ø> (ø)
spp_security	66.66% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
spp_dci_indicators/models/dci_cel_fetcher.py	94.40% <100.00%> (ø)

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.