fix: comprehensive permission overhaul for fusion_faxes and fusion_ringcentral

Users without fax/RC groups could not open Sale Orders, Invoices, or
Contacts because the One2many computed fields triggered AccessError
on fusion.fax. Now base.group_user gets read-only access so computed
fields work silently, while all UI elements (smart buttons, header
buttons, menus, partner fields, settings) are restricted to the
proper security groups. Both modules now use Odoo 19 privilege
pattern for the user settings dropdown.

Co-authored-by: Cursor <cursoragent@cursor.com>

fusion_faxes/security/security.xml

@@ -1,22 +1,51 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
+
+    <!-- Module category (appears in Settings > Users) -->
+    <record id="module_category_fusion_faxes" model="ir.module.category">
+        <field name="name">Fusion Faxes</field>
+        <field name="sequence">47</field>
+    </record>
+
+    <!-- Privilege (Odoo 19 user settings dropdown) -->
+    <record id="res_groups_privilege_fusion_faxes" model="res.groups.privilege">
+        <field name="name">Fusion Faxes</field>
+        <field name="sequence">47</field>
+        <field name="category_id" ref="module_category_fusion_faxes"/>
+    </record>
+
+    <!-- User group: can send faxes and view own fax history -->
+    <record id="group_fax_user" model="res.groups">
+        <field name="name">User</field>
+        <field name="sequence">10</field>
+        <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_faxes"/>
+    </record>
+
+    <!-- Manager group: can view all faxes and configure settings -->
+    <record id="group_fax_manager" model="res.groups">
+        <field name="name">Manager</field>
+        <field name="sequence">20</field>
+        <field name="implied_ids" eval="[(4, ref('group_fax_user'))]"/>
+        <field name="privilege_id" ref="res_groups_privilege_fusion_faxes"/>
+        <field name="user_ids" eval="[(4, ref('base.user_root')), (4, ref('base.user_admin'))]"/>
+    </record>
+
     <data noupdate="0">
 
-        <!-- User group: can send faxes and view own fax history -->
-        <record id="group_fax_user" model="res.groups">
-            <field name="name">Fusion Faxes / User</field>
-            <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
+        <!-- Base users can read fax records (needed for One2many computed fields on sale.order etc.) -->
+        <record id="rule_fax_base_read" model="ir.rule">
+            <field name="name">Fax: all internal users read-only</field>
+            <field name="model_id" ref="model_fusion_fax"/>
+            <field name="domain_force">[(1, '=', 1)]</field>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
         </record>
 
-        <!-- Manager group: can view all faxes and configure settings -->
-        <record id="group_fax_manager" model="res.groups">
-            <field name="name">Fusion Faxes / Manager</field>
-            <field name="implied_ids" eval="[(4, ref('group_fax_user'))]"/>
-        </record>
-
-        <!-- Record rules -->
-
-        <!-- Users see only their own faxes -->
+        <!-- Fax users see only their own faxes (full CRUD minus unlink) -->
         <record id="rule_fax_user_own" model="ir.rule">
             <field name="name">Fax: user sees own faxes</field>
             <field name="model_id" ref="model_fusion_fax"/>