[16.0][ADD] project_update_portal: add new module #1599

Merged: OCA-git-bot merged 1 commit into OCA:16.0 from Escodoo:16.0-add-project_update_portal on Mar 3, 2026

@marcelsavegnago (Member) commented Nov 12, 2025

This module extends project updates functionality by allowing portal access for project and update followers.

Main Features

  • Portal Access for Followers: Allows project followers and update followers to access project updates through the portal
  • Automatic Access Control: Automatically grants access based on follower relationships
  • Update List View: Portal users can view all updates for projects they follow
  • Update Detail View: Portal users can view detailed information about specific updates
  • Breadcrumb Navigation: Integrated breadcrumb navigation for easy access to updates

Benefits

  • Keep stakeholders informed about project progress without requiring full system access
  • Share project updates with external partners and clients through the portal
  • Maintain transparency by allowing followers to track project status
  • Easy access to project updates through a dedicated portal interface

Dependencies

This module requires:

  • project: Odoo's project management module
  • portal: Odoo's portal module for customer access

cc @parzewski @kaynnan

@marcelsavegnago marked this pull request as draft, November 12, 2025 04:34
@marcelsavegnago force-pushed the 16.0-add-project_update_portal branch 4 times, most recently from c0502ea to 717f064, November 12, 2025 04:57
@marcelsavegnago marked this pull request as ready for review, November 12, 2025 05:17
@marcelsavegnago force-pushed the 16.0-add-project_update_portal branch 2 times, most recently from bd53c11 to 575873d, November 14, 2025 20:15
@marcelsavegnago changed the title from "[WIP][16.0][ADD] project_update_portal: add new module" to "[16.0][ADD] project_update_portal: add new module", Nov 14, 2025

@CristianoMafraJunior (Member) left a comment

LGTM

@WesleyOliveira98 left a comment

LGTM

@alexey-pelykh (Contributor) left a comment

Thanks for the contribution -- exposing project updates in the portal is a genuinely useful feature. The module structure, tests, and documentation are solid overall. However, there are a few security and correctness issues to address.

Security: auth="public" on detail route is too permissive. The detail route uses auth="public" while the list route uses auth="user". Unauthenticated visitors can probe the detail endpoint, and redirect behavior leaks whether a project ID exists. Both routes should be consistent.

Security: single access_token validates two different records. The same token is used to check access to project.project and project.update. Portal tokens are record-specific -- a token for one won't pass _document_check_access for the other. For portal followers this is bypassed via ir.rule, but for token-based flows both checks will fail.

Correctness: unnecessary @api.depends. _compute_access_url depends on message_partner_ids but only uses project_id and id. Adding/removing followers would trigger needless recomputation.

Accessibility: aria-valuenow in list template. The progress bar has literal string "update.progress" instead of the actual value via t-attf-aria-valuenow.

Happy to re-review once updated.

["/my/projects/<int:project_id>/update/<int:update_id>"],
type="http",
auth="public",
website=True,

This route uses auth="public" while the list route at line 57 uses auth="user". This inconsistency means unauthenticated users can probe this endpoint. The redirect behavior (/my vs /my/projects/<id>) leaks whether a given project_id exists. Change to auth="user" for consistency.

"""Route to view a specific project update"""
try:
# Check project access first
self._document_check_access("project.project", project_id, access_token)

The same access_token is used to validate both the project and the update. Portal access tokens are record-specific -- a token for project.update won't pass _document_check_access for project.project and vice versa.

Consider either removing the project access check here (the update->project_id integrity check is sufficient after validating the update), or checking project access without the token.
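
A self-contained model of the token problem described in the comment above, added here as an illustration and not part of the PR or of Odoo's code: `Record`, `check_access` and the two flow functions are hypothetical stand-ins that simplify `_document_check_access` to "follower rule first, record's own token second". The second flow is the first option suggested in the comment (validate the update, then check that it belongs to the project), not the variant that was merged.

```python
import hmac
import secrets


class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError."""


class Record:
    """Constructed toy record: own portal token, follower set, optional parent."""

    def __init__(self, model, followers=(), project=None):
        self.model = model
        self.followers = set(followers)
        self.project = project
        self.access_token = secrets.token_urlsafe(16)  # one token per record


def check_access(record, user, access_token=None):
    """Simplified portal check: follower rule first, record's own token second."""
    if user in record.followers:  # models the ir.rule that lets followers read
        return record
    if access_token and hmac.compare_digest(record.access_token, access_token):
        return record
    raise AccessError(record.model)


def detail_original(project, update, user, access_token=None):
    """Flow under review: the same token is tested against both records."""
    check_access(project, user, access_token)
    return check_access(update, user, access_token)


def detail_update_only(project, update, user, access_token=None):
    """Review option 1: token validates the update, then an integrity check."""
    checked = check_access(update, user, access_token)
    if checked.project is not project:
        raise AccessError("update does not belong to this project")
    return checked


def allowed(flow, *args):
    """Return True if the flow grants access, False on AccessError."""
    try:
        flow(*args)
        return True
    except AccessError:
        return False
```

In the original flow a non-follower holding a valid update token is always rejected at the project check, while a follower passes without any token; the second flow accepts the token holder only for the project the update actually belongs to.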

class ProjectUpdate(models.Model):
_name = "project.update"
_inherit = ["project.update", "portal.mixin"]

message_partner_ids in @api.depends but never used in the method body. Remove to avoid needless recomputation on follower changes:

Suggested change
@api.depends("project_id")

role="progressbar"
aria-valuenow="update.progress"
aria-valuemin="0"
aria-valuemax="100"

aria-valuenow is a literal string "update.progress" instead of the actual value. Should be t-attf-aria-valuenow="{{ update.progress }}" to match the detail view template.

@CristianoMafraJunior force-pushed the 16.0-add-project_update_portal branch from 575873d to f243459, March 2, 2026 17:47

@CristianoMafraJunior (Member) commented

@alexey-pelykh The corrections from your review have been made. Could you please check again?

@OCA-git-bot (Contributor) commented

This PR has the approved label and has been created more than 5 days ago. It should therefore be ready to merge by a maintainer (or a PSC member if the concerned addon has no declared maintainer). 🤖

@alexey-pelykh (Contributor) left a comment

All four items from the previous review have been addressed:

  1. Detail route now uses auth="user", consistent with the list route.
  2. Project access check no longer passes the access_token -- token is only used for the update record, project access relies on ir.rule. Correct separation.
  3. @api.depends reduced to ("project_id") only.
  4. aria-valuenow uses t-attf-aria-valuenow with the actual value in both list and detail templates.

Looks good, thank you for the quick turnaround.

@leemannd (Contributor) commented Mar 3, 2026

/ocabot merge nobump

@OCA-git-bot (Contributor) commented

What a great day to merge this nice PR. Let's do it!
Prepared branch 16.0-ocabot-merge-pr-1599-by-leemannd-bump-nobump, awaiting test results.

@OCA-git-bot merged commit e8da81a into OCA:16.0 on Mar 3, 2026
7 checks passed

@OCA-git-bot (Contributor) commented

Congratulations, your PR was merged at aef77c9. Thanks a lot for contributing to OCA. ❤️
