OpenSPP
diff --git a/‎spp_dci_client_sr/middleware/signature.py‎
Lines changed: 5 additions & 4 deletions b/‎spp_dci_client_sr/middleware/signature.py‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎spp_dci_client_sr/routers/callback.py‎
Lines changed: 3 additions & 3 deletions b/‎spp_dci_client_sr/routers/callback.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎spp_dci_client_sr/services/sr_service.py‎
Lines changed: 2 additions & 2 deletions b/‎spp_dci_client_sr/services/sr_service.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎spp_dci_compliance/__init__.py‎
Lines changed: 4 additions & 2 deletions b/‎spp_dci_compliance/__init__.py‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎spp_dci_compliance/data/ir_cron.xml‎
Lines changed: 12 additions & 17 deletions b/‎spp_dci_compliance/data/ir_cron.xml‎
Lines changed: 12 additions & 17 deletions
diff --git a/‎spp_dci_compliance/data/test_identifiers.xml‎
Lines changed: 2 additions & 4 deletions b/‎spp_dci_compliance/data/test_identifiers.xml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎spp_dci_compliance/data/test_individuals.xml‎
Lines changed: 85 additions & 87 deletions b/‎spp_dci_compliance/data/test_individuals.xml‎
Lines changed: 85 additions & 87 deletions
@@ -36,9 +36,8 @@ async def verify_sr_signature(
     """
     try:
         # Check if unsigned requests are allowed (development mode)
-        allow_unsigned = (
-            env["ir.config_parameter"].sudo().get_param("dci.allow_unsigned_requests", "false").lower() == "true"
-        )
+        config = env["ir.config_parameter"].sudo()  # nosemgrep: odoo-sudo-without-context
+        allow_unsigned = config.get_param("dci.allow_unsigned_requests", "false").lower() == "true"
 
         # Extract sender_id from header
         sender_id = envelope.header.sender_id
@@ -65,7 +64,9 @@ async def verify_sr_signature(
                 )
 
         # Look up SR sender in registry
-        sr_sender = env["spp.dci.sr.sender"].sudo().search([("sender_id", "=", sender_id)], limit=1)
+        # sudo: sender lookup happens before request authentication
+        SRSender = env["spp.dci.sr.sender"].sudo()  # nosemgrep: odoo-sudo-without-context
+        sr_sender = SRSender.search([("sender_id", "=", sender_id)], limit=1)
 
         if not sr_sender:
             _logger.warning("Unknown SR sender_id in callback: %s", sender_id)
 
@@ -258,7 +258,7 @@ def _find_partner_by_identifier(env: Environment, id_type: str, id_value: str):
     """
     # Search in spp.id records
     id_record = (
-        env["spp.registry.id"]
+        env["spp.registry.id"]  # nosemgrep: odoo-sudo-without-context
         .sudo()
         .search(
             [
@@ -275,7 +275,7 @@ def _find_partner_by_identifier(env: Environment, id_type: str, id_value: str):
     # Also check with namespace URIs
     if not id_type.startswith("urn:"):
         id_record = (
-            env["spp.registry.id"]
+            env["spp.registry.id"]  # nosemgrep: odoo-sudo-without-context
             .sudo()
             .search(
                 [
@@ -305,7 +305,7 @@ def _update_sr_record(
         record: SR person record
         source_registry: Source registry ID
     """
-    SRRecord = env["spp.dci.sr.record"].sudo()
+    SRRecord = env["spp.dci.sr.record"].sudo()  # nosemgrep: odoo-sudo-without-context
 
     # Find existing record
     existing = SRRecord.search(
 
@@ -370,15 +370,15 @@ def sync_person_to_local(
         if not person_data:
             raise UserError(f"Person with {identifier_type}:{identifier_value} not found in SR")
 
-        SRRecord = self.env["spp.dci.sr.record"].sudo()
+        SRRecord = self.env["spp.dci.sr.record"].sudo()  # nosemgrep: odoo-sudo-without-context
 
         # Find or create partner if not provided
         if not partner_id:
             # Try to find by identifier. The model is spp.registry.id;
             # earlier code referenced a non-existent 'spp.id', which
             # raised KeyError on every lookup-by-identifier call.
             id_record = (
-                self.env["spp.registry.id"]
+                self.env["spp.registry.id"]  # nosemgrep: odoo-sudo-without-context
                 .sudo()
                 .search(
                     [
 
@@ -17,10 +17,12 @@ def _post_init_hook(env):
     if public_user and registry_viewer_group:
         # Write to group's user_ids field (Odoo 19 field name)
         if public_user.id not in registry_viewer_group.user_ids.ids:
-            registry_viewer_group.sudo().write({"user_ids": [(4, public_user.id)]})
+            # sudo: install hook granting compliance-test access
+            group_sudo = registry_viewer_group.sudo()  # nosemgrep: odoo-sudo-without-context
+            group_sudo.write({"user_ids": [(4, public_user.id)]})
 
     # Set DCI config parameters for compliance testing
-    config = env["ir.config_parameter"].sudo()
+    config = env["ir.config_parameter"].sudo()  # nosemgrep: odoo-sudo-without-context
 
     # Allow unsigned requests for signature verification testing
     config.set_param("dci.allow_unsigned_requests", "true")
 
@@ -1,19 +1,14 @@
 <?xml version="1.0" encoding="utf-8" ?>
-<odoo>
-    <data noupdate="1">
-        <!-- Automated cleanup of old DCI callback logs -->
-        <record id="ir_cron_cleanup_dci_callback_logs" model="ir.cron">
-            <field name="name">DCI: Cleanup Old Callback Logs</field>
-            <field
-                name="model_id"
-                ref="spp_dci_compliance.model_spp_dci_callback_log"
-            />
-            <field name="state">code</field>
-            <field name="code">model.cleanup_old_logs(days=7)</field>
-            <field name="user_id" ref="base.user_root" />
-            <field name="interval_number">1</field>
-            <field name="interval_type">days</field>
-            <field name="priority">10</field>
-        </record>
-    </data>
+<odoo noupdate="1">
+    <!-- Automated cleanup of old DCI callback logs -->
+    <record id="ir_cron_cleanup_dci_callback_logs" model="ir.cron">
+        <field name="name">DCI: Cleanup Old Callback Logs</field>
+        <field name="model_id" ref="spp_dci_compliance.model_spp_dci_callback_log" />
+        <field name="state">code</field>
+        <field name="code">model.cleanup_old_logs(days=7)</field>
+        <field name="user_id" ref="base.user_root" />
+        <field name="interval_number">1</field>
+        <field name="interval_type">days</field>
+        <field name="priority">10</field>
+    </record>
 </odoo>
@@ -1,10 +1,8 @@
 <?xml version="1.0" encoding="utf-8" ?>
-<odoo>
-    <data noupdate="1">
-        <!--
+<odoo noupdate="1">
+    <!--
             Test Identifier Type for DCI Compliance
             References spp_dci.id_type_uin which defines urn:dci:id:uin
             No need to create a duplicate - use the existing one from spp_dci module
         -->
-    </data>
 </odoo>
@@ -1,98 +1,96 @@
 <?xml version="1.0" encoding="utf-8" ?>
-<odoo>
-    <data noupdate="1">
-        <!-- Test Individual with UIN 847951632 (matching DR compliance tests) -->
-        <record id="test_individual_847951632" model="res.partner">
-            <field name="name">Test Individual 847951632</field>
-            <field name="is_registrant" eval="True" />
-            <field name="is_group" eval="False" />
-            <field name="given_name">John</field>
-            <field name="family_name">Doe</field>
-            <field name="addl_name">Michael</field>
-            <field name="birthdate">1994-06-15</field>
-            <field name="phone">+1234567890</field>
-            <field name="email">john.doe@example.com</field>
-            <field name="street">123 Test Street</field>
-            <field name="street2">Apt 4B</field>
-            <field name="city">Test City</field>
-            <field name="zip">12345</field>
-        </record>
+<odoo noupdate="1">
+    <!-- Test Individual with UIN 847951632 (matching DR compliance tests) -->
+    <record id="test_individual_847951632" model="res.partner">
+        <field name="name">Test Individual 847951632</field>
+        <field name="is_registrant" eval="True" />
+        <field name="is_group" eval="False" />
+        <field name="given_name">John</field>
+        <field name="family_name">Doe</field>
+        <field name="addl_name">Michael</field>
+        <field name="birthdate">1994-06-15</field>
+        <field name="phone">+1234567890</field>
+        <field name="email">john.doe@example.com</field>
+        <field name="street">123 Test Street</field>
+        <field name="street2">Apt 4B</field>
+        <field name="city">Test City</field>
+        <field name="zip">12345</field>
+    </record>
 
-        <!-- Identifier for test individual matching compliance test value -->
-        <record id="test_individual_847951632_identifier" model="spp.registry.id">
-            <field name="partner_id" ref="test_individual_847951632" />
-            <field name="id_type_id" ref="spp_dci.id_type_uin" />
-            <field name="value">847951632</field>
-        </record>
+    <!-- Identifier for test individual matching compliance test value -->
+    <record id="test_individual_847951632_identifier" model="spp.registry.id">
+        <field name="partner_id" ref="test_individual_847951632" />
+        <field name="id_type_id" ref="spp_dci.id_type_uin" />
+        <field name="value">847951632</field>
+    </record>
 
-        <!-- Test Individual with disability information -->
-        <record id="test_individual_with_disability" model="res.partner">
-            <field name="name">Test Individual with Disability</field>
-            <field name="is_registrant" eval="True" />
-            <field name="is_group" eval="False" />
-            <field name="given_name">Jane</field>
-            <field name="family_name">Smith</field>
-            <field name="birthdate">1999-03-22</field>
-            <field name="phone">+1234567891</field>
-            <field name="email">jane.smith@example.com</field>
-        </record>
+    <!-- Test Individual with disability information -->
+    <record id="test_individual_with_disability" model="res.partner">
+        <field name="name">Test Individual with Disability</field>
+        <field name="is_registrant" eval="True" />
+        <field name="is_group" eval="False" />
+        <field name="given_name">Jane</field>
+        <field name="family_name">Smith</field>
+        <field name="birthdate">1999-03-22</field>
+        <field name="phone">+1234567891</field>
+        <field name="email">jane.smith@example.com</field>
+    </record>
 
-        <!-- Identifier for individual with disability -->
-        <record id="test_individual_with_disability_identifier" model="spp.registry.id">
-            <field name="partner_id" ref="test_individual_with_disability" />
-            <field name="id_type_id" ref="spp_dci.id_type_uin" />
-            <field name="value">987654321</field>
-        </record>
+    <!-- Identifier for individual with disability -->
+    <record id="test_individual_with_disability_identifier" model="spp.registry.id">
+        <field name="partner_id" ref="test_individual_with_disability" />
+        <field name="id_type_id" ref="spp_dci.id_type_uin" />
+        <field name="value">987654321</field>
+    </record>
 
-        <!-- Test Household/Group -->
-        <record id="test_household_group" model="res.partner">
-            <field name="name">Test Household Group</field>
-            <field name="is_registrant" eval="True" />
-            <field name="is_group" eval="True" />
-            <field name="street">456 Family Avenue</field>
-            <field name="city">Test Town</field>
-            <field name="zip">54321</field>
-        </record>
+    <!-- Test Household/Group -->
+    <record id="test_household_group" model="res.partner">
+        <field name="name">Test Household Group</field>
+        <field name="is_registrant" eval="True" />
+        <field name="is_group" eval="True" />
+        <field name="street">456 Family Avenue</field>
+        <field name="city">Test Town</field>
+        <field name="zip">54321</field>
+    </record>
 
-        <!-- Identifier for test household -->
-        <record id="test_household_group_identifier" model="spp.registry.id">
-            <field name="partner_id" ref="test_household_group" />
-            <field name="id_type_id" ref="spp_dci.id_type_uin" />
-            <field name="value">HH123456</field>
-        </record>
+    <!-- Identifier for test household -->
+    <record id="test_household_group_identifier" model="spp.registry.id">
+        <field name="partner_id" ref="test_household_group" />
+        <field name="id_type_id" ref="spp_dci.id_type_uin" />
+        <field name="value">HH123456</field>
+    </record>
 
-        <!-- Test Individual - Member of Household -->
-        <record id="test_household_member_1" model="res.partner">
-            <field name="name">Test Household Member 1</field>
-            <field name="is_registrant" eval="True" />
-            <field name="is_group" eval="False" />
-            <field name="given_name">Alice</field>
-            <field name="family_name">Johnson</field>
-            <field name="birthdate">1989-11-08</field>
-        </record>
+    <!-- Test Individual - Member of Household -->
+    <record id="test_household_member_1" model="res.partner">
+        <field name="name">Test Household Member 1</field>
+        <field name="is_registrant" eval="True" />
+        <field name="is_group" eval="False" />
+        <field name="given_name">Alice</field>
+        <field name="family_name">Johnson</field>
+        <field name="birthdate">1989-11-08</field>
+    </record>
 
-        <!-- Identifier for household member 1 -->
-        <record id="test_household_member_1_identifier" model="spp.registry.id">
-            <field name="partner_id" ref="test_household_member_1" />
-            <field name="id_type_id" ref="spp_dci.id_type_uin" />
-            <field name="value">111222333</field>
-        </record>
+    <!-- Identifier for household member 1 -->
+    <record id="test_household_member_1_identifier" model="spp.registry.id">
+        <field name="partner_id" ref="test_household_member_1" />
+        <field name="id_type_id" ref="spp_dci.id_type_uin" />
+        <field name="value">111222333</field>
+    </record>
 
-        <!-- Test Individual - Member 2 of Household -->
-        <record id="test_household_member_2" model="res.partner">
-            <field name="name">Test Household Member 2</field>
-            <field name="is_registrant" eval="True" />
-            <field name="is_group" eval="False" />
-            <field name="given_name">Bob</field>
-            <field name="family_name">Johnson</field>
-            <field name="birthdate">2014-07-20</field>
-        </record>
+    <!-- Test Individual - Member 2 of Household -->
+    <record id="test_household_member_2" model="res.partner">
+        <field name="name">Test Household Member 2</field>
+        <field name="is_registrant" eval="True" />
+        <field name="is_group" eval="False" />
+        <field name="given_name">Bob</field>
+        <field name="family_name">Johnson</field>
+        <field name="birthdate">2014-07-20</field>
+    </record>
 
-        <!-- Identifier for household member 2 -->
-        <record id="test_household_member_2_identifier" model="spp.registry.id">
-            <field name="partner_id" ref="test_household_member_2" />
-            <field name="id_type_id" ref="spp_dci.id_type_uin" />
-            <field name="value">444555666</field>
-        </record>
-    </data>
+    <!-- Identifier for household member 2 -->
+    <record id="test_household_member_2_identifier" model="spp.registry.id">
+        <field name="partner_id" ref="test_household_member_2" />
+        <field name="id_type_id" ref="spp_dci.id_type_uin" />
+        <field name="value">444555666</field>
+    </record>
 </odoo>