OpenSPP · emjay0921 · May 11, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
diff --git a/spp_area/README.rst b/spp_area/README.rst
@@ -140,6 +140,14 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): grant ``group_area_viewer`` (read-only) to
+  spp_user_roles support roles (Global Support, Global Support Manager,
+  Local Support) so they can browse area records per the OP#951 menu
+  audit.
+
 19.0.2.0.0
 ~~~~~~~~~~
 

diff --git a/spp_area/__manifest__.py b/spp_area/__manifest__.py
@@ -6,7 +6,7 @@
     "name": "OpenSPP Area Management",
     "summary": "Establishes direct associations between OpenSPP registrants, beneficiary groups, and their corresponding geographical administrative areas. It validates registrant-area linkages against official area types, ensuring data integrity and enabling targeted program delivery and analysis.",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -33,6 +33,7 @@
         "security/privileges.xml",
         "security/groups.xml",
         "security/ir.model.access.csv",
+        "data/user_roles.xml",
         "wizard/area_import_language_wizard_views.xml",
         "views/area_base.xml",
         "views/area_tag.xml",

diff --git a/spp_area/data/user_roles.xml b/spp_area/data/user_roles.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+Part of OpenSPP. See LICENSE file for full copyright and licensing details.
+
+Role extensions: grant `group_area_viewer` (read-only) to spp_user_roles support
+roles whose audited menu visibility should include "Area" (OP#951).
+
+System Admin sees the menu via `spp_security.group_spp_admin` → `group_area_manager`.
+-->
+<odoo noupdate="1">
+    <record id="spp_user_roles.global_role_support" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_area_viewer'))]" />
+    </record>
+    <record id="spp_user_roles.global_role_support_manager" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_area_viewer'))]" />
+    </record>
+    <record id="spp_user_roles.local_role_support" model="res.users.role">
+        <field name="implied_ids" eval="[Command.link(ref('group_area_viewer'))]" />
+    </record>
+</odoo>
diff --git a/spp_area/readme/HISTORY.md b/spp_area/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): grant `group_area_viewer` (read-only) to spp_user_roles support roles (Global Support, Global Support Manager, Local Support) so they can browse area records per the OP#951 menu audit.
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_area/static/description/index.html b/spp_area/static/description/index.html
@@ -537,6 +537,15 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): grant <tt class="docutils literal">group_area_viewer</tt> (read-only) to
+spp_user_roles support roles (Global Support, Global Support Manager,
+Local Support) so they can browse area records per the OP#951 menu
+audit.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>

diff --git a/spp_base_common/README.rst b/spp_base_common/README.rst
@@ -120,6 +120,21 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): add ``groups="base.group_system"`` to the existing
+  ``<menuitem id="base.menu_management" />`` override in
+  ``views/main_view.xml``. Out of the box the Apps top-level menu has no
+  group restriction and is visible to every logged-in user, violating
+  the OP#951 audit's ``Apps: no`` rows. The override here is the single
+  authoritative declaration for this menu's attributes in the OpenSPP
+  install (sequence, custom OpenSPP icon, and now group_ids); doing the
+  gating anywhere upstream (e.g. a ``post_init_hook`` in
+  ``spp_security``) is unreliable because this ``<menuitem>`` reload
+  re-writes the record without a ``groups`` attribute and resets
+  ``group_ids`` to empty.
+
 19.0.2.0.0
 ~~~~~~~~~~
 

diff --git a/spp_base_common/__manifest__.py b/spp_base_common/__manifest__.py
@@ -5,7 +5,7 @@
 {
     "name": "OpenSPP Base (Common)",
     "category": "OpenSPP/Core",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",

diff --git a/spp_base_common/readme/HISTORY.md b/spp_base_common/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): add `groups="base.group_system"` to the existing `<menuitem id="base.menu_management" />` override in `views/main_view.xml`. Out of the box the Apps top-level menu has no group restriction and is visible to every logged-in user, violating the OP#951 audit's `Apps: no` rows. The override here is the single authoritative declaration for this menu's attributes in the OpenSPP install (sequence, custom OpenSPP icon, and now group_ids); doing the gating anywhere upstream (e.g. a `post_init_hook` in `spp_security`) is unreliable because this `<menuitem>` reload re-writes the record without a `groups` attribute and resets `group_ids` to empty.
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_base_common/static/description/index.html b/spp_base_common/static/description/index.html
@@ -495,6 +495,22 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): add <tt class="docutils literal"><span class="pre">groups=&quot;base.group_system&quot;</span></tt> to the existing
+<tt class="docutils literal">&lt;menuitem <span class="pre">id=&quot;base.menu_management&quot;</span> /&gt;</tt> override in
+<tt class="docutils literal">views/main_view.xml</tt>. Out of the box the Apps top-level menu has no
+group restriction and is visible to every logged-in user, violating
+the OP#951 audit’s <tt class="docutils literal">Apps: no</tt> rows. The override here is the single
+authoritative declaration for this menu’s attributes in the OpenSPP
+install (sequence, custom OpenSPP icon, and now group_ids); doing the
+gating anywhere upstream (e.g. a <tt class="docutils literal">post_init_hook</tt> in
+<tt class="docutils literal">spp_security</tt>) is unreliable because this <tt class="docutils literal">&lt;menuitem&gt;</tt> reload
+re-writes the record without a <tt class="docutils literal">groups</tt> attribute and resets
+<tt class="docutils literal">group_ids</tt> to empty.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>

diff --git a/spp_base_common/views/main_view.xml b/spp_base_common/views/main_view.xml
@@ -7,10 +7,22 @@
         sequence="-1"
     />
 
+    <!--
+        Gate the Apps top-level menu on base.group_system per the OP#951
+        role/menu audit (only System Admin should see Apps). spp_base_common
+        already overrides this menuitem to set the OpenSPP web_icon; adding
+        the groups attribute here is reliable because this <menuitem> runs
+        AFTER any upstream module's post_init_hook on fresh install AND on
+        every subsequent module upgrade. Doing the same gating from a
+        post_init_hook in an upstream module (e.g. spp_security) does not
+        survive because a later `<menuitem>` reload re-writes the record
+        without a `groups` attribute, resetting group_ids to empty.
+    -->
     <menuitem
         id="base.menu_management"
         name="Apps"
         web_icon="spp_base_common,static/description/OpenSPP-Icons-App.png"
+        groups="base.group_system"
     />
     <menuitem
         id="base.menu_administration"

diff --git a/spp_change_request_v2/README.rst b/spp_change_request_v2/README.rst
@@ -853,6 +853,17 @@ Before declaring a new CR type complete:
 Changelog
 =========
 
+19.0.2.0.4
+~~~~~~~~~~
+
+- fix(security): align CR Requestor / CR Local Validator / CR HQ
+  Validator roles with the OP#951 menu audit — replace the
+  ``spp_registry.group_registry_read`` (Tier-3, no menu) link with
+  ``spp_registry.group_registry_viewer`` so these roles see the Registry
+  menu; add ``spp_hazard.group_hazard_viewer`` so they retain Hazard
+  visibility once the menu root is gated. Adds ``spp_hazard`` to module
+  dependencies.
+
 19.0.2.0.3
 ~~~~~~~~~~
 

diff --git a/spp_change_request_v2/__manifest__.py b/spp_change_request_v2/__manifest__.py
@@ -1,6 +1,6 @@
 {
     "name": "OpenSPP Change Request V2",
-    "version": "19.0.2.0.3",
+    "version": "19.0.2.0.4",
     "sequence": 50,
     "category": "OpenSPP",
     "summary": "Configuration-driven change request system with UX improvements, conflict detection and duplicate prevention",
@@ -16,6 +16,7 @@
         "spp_security",
         "spp_approval",
         "spp_event_data",
+        "spp_hazard",
         "spp_dms",
         "spp_vocabulary",
     ],

diff --git a/spp_change_request_v2/data/user_roles.xml b/spp_change_request_v2/data/user_roles.xml
@@ -18,7 +18,8 @@ User roles for Change Request module.
             eval="[
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_cr_manager')),
-                Command.link(ref('spp_registry.group_registry_read')),
+                Command.link(ref('spp_registry.group_registry_viewer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
             ]"
         />
     </record>
@@ -34,7 +35,8 @@ User roles for Change Request module.
             eval="[
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_cr_validator')),
-                Command.link(ref('spp_registry.group_registry_read')),
+                Command.link(ref('spp_registry.group_registry_viewer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
             ]"
         />
     </record>
@@ -50,7 +52,8 @@ User roles for Change Request module.
             eval="[
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_cr_validator_hq')),
-                Command.link(ref('spp_registry.group_registry_read')),
+                Command.link(ref('spp_registry.group_registry_viewer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
             ]"
         />
     </record>

diff --git a/spp_change_request_v2/readme/HISTORY.md b/spp_change_request_v2/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.4
+
+- fix(security): align CR Requestor / CR Local Validator / CR HQ Validator roles with the OP#951 menu audit — replace the `spp_registry.group_registry_read` (Tier-3, no menu) link with `spp_registry.group_registry_viewer` so these roles see the Registry menu; add `spp_hazard.group_hazard_viewer` so they retain Hazard visibility once the menu root is gated. Adds `spp_hazard` to module dependencies.
+
 ### 19.0.2.0.3
 
 - fix: add HTML escaping to all computed Html fields with `sanitize=False` to prevent stored XSS (#50)

diff --git a/spp_change_request_v2/static/description/index.html b/spp_change_request_v2/static/description/index.html
@@ -1339,26 +1339,38 @@ <h2>Changelog</h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.4</h1>
+<ul class="simple">
+<li>fix(security): align CR Requestor / CR Local Validator / CR HQ
+Validator roles with the OP#951 menu audit — replace the
+<tt class="docutils literal">spp_registry.group_registry_read</tt> (Tier-3, no menu) link with
+<tt class="docutils literal">spp_registry.group_registry_viewer</tt> so these roles see the Registry
+menu; add <tt class="docutils literal">spp_hazard.group_hazard_viewer</tt> so they retain Hazard
+visibility once the menu root is gated. Adds <tt class="docutils literal">spp_hazard</tt> to module
+dependencies.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.3</h1>
 <ul class="simple">
 <li>fix: add HTML escaping to all computed Html fields with
 <tt class="docutils literal">sanitize=False</tt> to prevent stored XSS (#50)</li>
 </ul>
 </div>
-<div class="section" id="section-2">
+<div class="section" id="section-3">
 <h1>19.0.2.0.2</h1>
 <ul class="simple">
 <li>fix: fix batch approval wizard line deletion (#130)</li>
 </ul>
 </div>
-<div class="section" id="section-3">
+<div class="section" id="section-4">
 <h1>19.0.2.0.1</h1>
 <ul class="simple">
 <li>fix: skip field types before getattr and isolate detail prefetch
 (#129)</li>
 </ul>
 </div>
-<div class="section" id="section-4">
+<div class="section" id="section-5">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>

diff --git a/spp_farmer_registry/README.rst b/spp_farmer_registry/README.rst
@@ -68,6 +68,16 @@ Model                 Description
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): align Farm User / Farm Manager roles with the OP#951
+  menu audit — both farm roles now imply
+  ``spp_hazard.group_hazard_viewer`` and
+  ``spp_gis_report.group_gis_report_user`` so they retain Hazard and GIS
+  Reports menu visibility once those menu roots are gated. Adds
+  ``spp_hazard`` and ``spp_gis_report`` to module dependencies.
+
 19.0.2.0.0
 ~~~~~~~~~~
 

diff --git a/spp_farmer_registry/__manifest__.py b/spp_farmer_registry/__manifest__.py
@@ -3,7 +3,7 @@
     "name": "OpenSPP Farmer Registry",
     "summary": "Farmer Registry with vocabulary-based fields, CEL variables, and Logic Studio integration",
     "category": "OpenSPP",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "sequence": 1,
     "author": "OpenSPP.org",
     "website": "https://github.com/OpenSPP/OpenSPP2",
@@ -26,6 +26,9 @@
         "spp_land_record",
         "spp_irrigation",
         "spp_gis",
+        # OP#951 menu audit — roles get hazard / GIS reports menu access
+        "spp_hazard",
+        "spp_gis_report",
     ],
     "excludes": [
         "spp_base_farmer_registry",  # V1 module - incompatible _inherits definitions

diff --git a/spp_farmer_registry/data/user_roles.xml b/spp_farmer_registry/data/user_roles.xml
@@ -17,6 +17,8 @@
                 Command.link(ref('base.group_user')),
                 Command.link(ref('group_spp_farm_user')),
                 Command.link(ref('spp_registry.group_registry_officer')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
+                Command.link(ref('spp_gis_report.group_gis_report_user')),
             ]"
         />
     </record>
@@ -35,6 +37,8 @@
                 Command.link(ref('group_spp_farm_manager')),
                 Command.link(ref('spp_irrigation.group_irrigation_manager')),
                 Command.link(ref('spp_registry.group_registry_manager')),
+                Command.link(ref('spp_hazard.group_hazard_viewer')),
+                Command.link(ref('spp_gis_report.group_gis_report_user')),
             ]"
         />
     </record>

diff --git a/spp_farmer_registry/readme/HISTORY.md b/spp_farmer_registry/readme/HISTORY.md
@@ -1,3 +1,7 @@
+### 19.0.2.0.1
+
+- fix(security): align Farm User / Farm Manager roles with the OP#951 menu audit — both farm roles now imply `spp_hazard.group_hazard_viewer` and `spp_gis_report.group_gis_report_user` so they retain Hazard and GIS Reports menu visibility once those menu roots are gated. Adds `spp_hazard` and `spp_gis_report` to module dependencies.
+
 ### 19.0.2.0.0
 
 - Initial migration to OpenSPP2
diff --git a/spp_farmer_registry/static/description/index.html b/spp_farmer_registry/static/description/index.html
@@ -436,6 +436,17 @@ <h2><a class="toc-backref" href="#toc-entry-1">Changelog</a></h2>
 </div>
 </div>
 <div class="section" id="section-1">
+<h1>19.0.2.0.1</h1>
+<ul class="simple">
+<li>fix(security): align Farm User / Farm Manager roles with the OP#951
+menu audit — both farm roles now imply
+<tt class="docutils literal">spp_hazard.group_hazard_viewer</tt> and
+<tt class="docutils literal">spp_gis_report.group_gis_report_user</tt> so they retain Hazard and GIS
+Reports menu visibility once those menu roots are gated. Adds
+<tt class="docutils literal">spp_hazard</tt> and <tt class="docutils literal">spp_gis_report</tt> to module dependencies.</li>
+</ul>
+</div>
+<div class="section" id="section-2">
 <h1>19.0.2.0.0</h1>
 <ul class="simple">
 <li>Initial migration to OpenSPP2</li>

diff --git a/spp_gis_report/README.rst b/spp_gis_report/README.rst
@@ -151,6 +151,20 @@ Dependencies
 Changelog
 =========
 
+19.0.2.0.1
+~~~~~~~~~~
+
+- fix(security): grant ``group_gis_report_user`` to spp_user_roles'
+  Global Program Manager role so the OP#951 menu audit expectation
+  (Program Manager sees GIS Reports) is preserved once the GIS Reports
+  menu root is gated.
+- fix(views): gate the "GIS Reports" top-level menu
+  (``menu_gis_report_root``) on ``group_gis_report_user``. Previously
+  visible to every logged-in user; the OP#951 audit requires several
+  roles to NOT see it (Registry Viewer, Global Finance, Global Support,
+  Global Support Manager, Local Support, Global Registrar, Local
+  Registrar, CR roles).
+
 19.0.2.0.0
 ~~~~~~~~~~
 

diff --git a/spp_gis_report/__manifest__.py b/spp_gis_report/__manifest__.py
@@ -1,6 +1,6 @@
 {
     "name": "OpenSPP GIS Reports",
-    "version": "19.0.2.0.0",
+    "version": "19.0.2.0.1",
     "category": "OpenSPP",
     "summary": "Geographic visualization and reporting for social protection data",
     "author": "OpenSPP.org, OpenSPP",
@@ -26,6 +26,7 @@
         "security/ir.model.access.csv",
         # Data
         "data/gis_report_category_data.xml",
+        "data/user_roles.xml",
         "data/templates/coverage_templates.xml",
         "data/templates/disaster_templates.xml",
         "data/templates/demographic_templates.xml",