`_default_role_lines()` copies roles from arbitrary users to all new users on Odoo 19

[haklyray]

Describe the bug

_default_role_lines() in spp_user_roles/models/user.py copies role lines from an arbitrary user to every newly created user when base.default_user is missing (which is always the case in Odoo 19, since that XMLID was removed).

The fallback at line 36 picks the first user in the database that has any role lines:

if not default_user:
    default_user = self.env["res.users"].search([("role_line_ids", "!=", False)], limit=1)

This can match service accounts, API users, or any non-human user. Once matched, every new user inherits that user's roles, which triggers set_groups_from_roles() and silently overwrites any group_ids passed in the create() call.

To Reproduce

1. Install spp_user_roles on Odoo 19 (where base.default_user does not exist)
2. Create any user with a role line (e.g. a service account, or any user assigned a global role)
3. Create a new user with explicit group_ids but without specifying role_line_ids
4. Observe that the new user has inherited the role from step 2, and the group_ids passed in step 3 have been replaced by the role's implied groups

Expected behavior

• New users should not inherit role lines from unrelated users
• group_ids passed during create() should be respected
• If no default user template exists, _default_role_lines() should return an empty list rather than picking an arbitrary user

Screenshots

N/A

Additional context

• base.default_user was removed in Odoo 19, so the fallback search fires on every installation — this is not an edge case
• The search has no filtering: it can pick up service accounts, system users, or the admin — whichever has the lowest ID and has role lines
• The inherited role triggers set_groups_from_roles() during user creation, which silently replaces any directly assigned groups with the role's implied groups
• This also breaks test suites: any test that creates users with specific group_ids will fail once any user in the database has a role line
• Current workaround: pass role_line_ids=[] explicitly on every res.users.create() call to suppress the default

🔔 Note: This ticket should address common considerations without including country-specific content. Please ensure all references are generic and applicable across various contexts.

[gonzalesedwin1123]

Root Cause

The _default_role_lines() override in spp_user_roles was written to work around the removal of base.default_user in Odoo 19, but its fallback — picking the first user in the database with any role lines — introduced the exact behavior described here. Since base.default_user never resolves in Odoo 19, the fallback fires on every user creation.

What we found

The upstream base_user_role OCA module (already in our dependency chain) has already solved this for Odoo 19. It added an is_default boolean on res.users.role — admins mark which roles should be auto-assigned to new users. Our override was completely shadowing this working mechanism.

The spp_area module had a similar dead override that tried to enrich defaults with area data from base.default_user — also a no-op since the Odoo 19 migration.

Fix (PR #163)

• Removed the buggy _default_role_lines() override from spp_user_roles and the dead one from spp_area
• The upstream is_default mechanism now takes over — no default roles are assigned unless an admin explicitly opts in via the "Default on new users" checkbox on the role form
• Rewrote the test to verify the is_default behavior
• 760 tests pass across spp_user_roles, spp_area, spp_approval, and spp_programs

For admins: after this fix, go to Settings → User Roles and check "Default on new users" on any roles that should be automatically assigned to newly created users.