fix(plating-perms): deploy-time cascade fixes from entech I3

5 fixes discovered during the live deploy to entech LXC 111: 1. pre-migrate.py to rename old configurator's 'Shop Manager' group BEFORE new core 'Shop Manager v2' XML loads (cross-module name collision on res_groups_name_uniq). 2. res_company_views.xml: dropped ref() inside <field domain=> attribute (Odoo 19 view validator interprets it as a field name). 3. sale_order_views.xml: replaced 3 separate xpaths for amount_total / amount_untaxed / amount_tax with a single xpath on tax_totals widget (Odoo 19 sale.view_order_form uses one widget instead of separate fields). 4. fp_cert_security.xml: certificate_type field, not cert_type. FAIR is a separate model so the rule only restricts cert_type='nadcap_cert' now. 5. fp_certificate_views.xml + fp_capa_views.xml + fp_customer_spec_views.xml: stripped user_has_groups() from invisible= / readonly= attrs (Odoo 19 view validator interprets as field name). Model-layer ACLs and ir.rules already enforce the same restrictions. Also fixed res.groups.users -> user_ids in fp_migration.py (Odoo 19 rename, caught when manually invoking _fp_notify_owners post-deploy). CLAUDE.md updated with 4 new rules (13e cross-module name collisions, 13f ref() in domain, 13g tax_totals widget, 13h user_has_groups in attrs). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 09:07:13 -04:00
parent 0047f49d2c
commit 7bcbcb4008
9 changed files with 120 additions and 48 deletions
--- a/fusion_plating/fusion_plating_certificates/security/fp_cert_security.xml
+++ b/fusion_plating/fusion_plating_certificates/security/fp_cert_security.xml
@@ -1,10 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
    <data noupdate="0">
-        <record id="rule_fp_certificate_fair_nadcap_qm_only" model="ir.rule">
-            <field name="name">FP Certificate: FAIR/Nadcap edit restricted to Quality Manager</field>
+        <!-- fp.certificate.certificate_type Selection values (per fp_certificate.py:27):
+             'coc', 'thickness_report', 'mill_test', 'nadcap_cert', 'customer_specific'.
+             FAIR is a separate model (fusion.plating.fair); no 'fair' value here.
+             Nadcap is the only QM-restricted type at the model level. -->
+        <record id="rule_fp_certificate_nadcap_qm_only" model="ir.rule">
+            <field name="name">FP Certificate: Nadcap edit restricted to Quality Manager</field>
            <field name="model_id" ref="model_fp_certificate"/>
-            <field name="domain_force">[('cert_type', 'not in', ('fair', 'nadcap'))]</field>
+            <field name="domain_force">[('certificate_type', '!=', 'nadcap_cert')]</field>
            <field name="groups" eval="[(4, ref('fusion_plating.group_fp_manager'))]"/>
            <field name="perm_read" eval="False"/>
            <field name="perm_write" eval="True"/>
--- a/fusion_plating/fusion_plating_certificates/views/fp_certificate_views.xml
+++ b/fusion_plating/fusion_plating_certificates/views/fp_certificate_views.xml
@@ -39,19 +39,17 @@
        <field name="arch" type="xml">
            <form>
                <header>
-                    <!-- Phase D5 — Nadcap certs are QM-only to Issue per spec
-                         section 2.C (FAIR/Nadcap sign/issue restricted to
-                         Quality Manager). Strategy B: single button visible
-                         to all when state=draft and cert_type is routine
-                         (coc/thickness_report/mill_test/customer_specific);
-                         hidden for non-QM when cert_type=nadcap_cert. The
-                         ir.rule from Phase C also restricts model writes on
-                         FAIR/Nadcap so model-layer enforcement is independent.
-                         No separate action_sign exists on this model — Issue
-                         is the sign + publish action. -->
+                    <!-- Phase D5 — Nadcap-cert restriction enforced at MODEL
+                         layer via ir.rule (rule_fp_certificate_nadcap_qm_only
+                         in fp_cert_security.xml). Single Issue button visible
+                         to all Manager+ when state=draft. Manager clicking
+                         Issue on a Nadcap cert gets AccessError from the rule.
+                         (Strategy B with user_has_groups() inside invisible=
+                         was rejected by Odoo 19 view validator — see CLAUDE.md
+                         rule 13f.) -->
                    <button name="action_issue" string="Issue"
                            type="object" class="btn-primary"
-                            invisible="state != 'draft' or (certificate_type == 'nadcap_cert' and not user_has_groups('fusion_plating.group_fp_quality_manager'))"/>
+                            invisible="state != 'draft'"/>
                    <!-- Print = the same EN report action the gear-menu
                         Print > Certificate of Conformance (English)
                         calls. Routes through fusion_pdf_preview's