[FIX] sign_oca: fix public access, iframe assets, and multi-page fields#153

Open
lavacano wants to merge 1 commit into OCA:17.0 from lavacano:17.0-fix-public-access-and-iframe
Conversation

@lavacano

Fixes #146

Summary

This PR addresses three related issues that prevent the sign_oca portal signing flow from working correctly in Odoo 17:

  1. Public user ACL error — External signers accessing token-based URLs (/sign_oca/document/<id>/<token>) without logging in receive Access Denied by ACLs for operation: read on sign.oca.request.signer. This is because no ACL entries exist for base.group_public.

  2. Iframe asset redirect loop (sign_oca: ERR_TOO_MANY_REDIRECTS #146) — The sign_oca.sign_assets bundle contains only SCSS/CSS, but postIframeFields() injected both a <link> and a <script> tag for it. The JS request to a CSS-only bundle causes ERR_TOO_MANY_REDIRECTS in Odoo 17's asset pipeline, preventing the signing page from loading.

  3. Multi-page field persistence — After interacting with sign fields on one page and scrolling to another, fields become unresponsive. pdfjs re-renders pages on scroll, destroying field overlays. The reviewFields() polling only checked a marker div on page 1, so fields on other pages were never re-injected. Additionally, pdfjs's textLayer intercepted pointer events, blocking clicks on sign field overlays.

Changes

Security (ir.model.access.csv, security.xml)

  • Add read-only ACL entries for base.group_public on sign.oca.request and sign.oca.request.signer
  • Add read-only record rules for base.group_public (real access control is token-based at the controller level)

Backend (sign_oca_request.py)

  • Fix get_info() to use sudo() for to_sign computation, with a fallback for public users whose partner won't match any signer
  • Set proper PDF filename on email attachments (uses template_name.pdf instead of the raw field name data)

Controller (main.py)

  • Add error handling in get_sign_resources for when the bundle has no assets of the requested type (returns empty response instead of crashing/redirecting)

Frontend (sign_oca_pdf_common.esm.js)

  • Remove <script> tag injection into the iframe (bundle is CSS-only)
  • Add duplicate injection guard — CSS <link> tag is only injected once
  • Inject inline critical CSS for z-index and pointer-events to ensure sign fields render above pdfjs layers
  • Rewrite reviewFields() to check each field's el.isConnected individually instead of a single marker div on page 1

Frontend (signature.esm.js)

  • Add null-check before dispatchEvent in uploadSignature to prevent cascade TypeError

CSS (sign.scss)

  • Add z-index: 10 and cursor: pointer to .o_sign_oca_field

Steps to reproduce (before fix)

  1. Install sign_oca on Odoo 17
  2. Create a sign template, configure fields on multiple pages, send to an external signer
  3. Open the signing URL in an incognito/private window (not logged in)
  4. Observe: Access Denied error, redirect loops on assets, and/or frozen fields after scrolling between pages

Testing

  • Verified signing page loads for anonymous users (HTTP 200, no ACL errors in logs)
  • Verified sign fields render on all pages, remain interactive after scrolling between pages
  • Verified signature dialog opens, text fields accept input
  • Verified signed document email attachment has proper PDF filename
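
As an added illustration (not code from this PR or from sign_oca), the access pattern the Security and Backend changes rely on: the public ACL makes the signer model readable, but the controller's token lookup is what decides which single record a URL bearer may see, and get_info()'s to_sign falls back to that token signer when the current user's partner matches nobody. All record shapes, names and sample data below are constructed assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signer:
    """Constructed stand-in for a sign.oca.request.signer record (assumed fields)."""
    id: int
    request_id: int
    partner_id: int
    access_token: str
    signed: bool = False


# Constructed sample data: one request (id 100) with two signers.
SIGNERS = [
    Signer(1, 100, 7, "tok-alice-7f3a"),
    Signer(2, 100, 8, "tok-bob-91c2", signed=True),
]


def resolve_signer(signers, request_id: int, token: str) -> Optional[Signer]:
    """Hypothetical token gate as a controller would apply it after a sudo() lookup.

    The ACL only says the model is readable by base.group_public; this check is the
    real access control. The token is compared in constant time and only within the
    request named in the URL, so a token for a different request is rejected.
    """
    for s in signers:
        if s.request_id == request_id and hmac.compare_digest(s.access_token, token):
            return s
    return None


def to_sign(signers, partner_id: Optional[int], token_signer: Optional[Signer]) -> bool:
    """Hypothetical to_sign computation with the public-user fallback.

    A logged-in partner is matched against the signer list; a public user has no
    matching partner, so the signer resolved from the URL token is used instead.
    """
    mine = [s for s in signers if partner_id is not None and s.partner_id == partner_id]
    if not mine and token_signer is not None:
        mine = [token_signer]
    return any(not s.signed for s in mine)


if __name__ == "__main__":
    s = resolve_signer(SIGNERS, 100, "tok-alice-7f3a")
    print(s.id if s else None, to_sign(SIGNERS, None, s))
```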

@OCA-git-bot

Hi @etobella,
some modules you are maintaining are being modified, check this out!
