fix: comprehensive permission overhaul for fusion_faxes and fusion_ringcentral

Users without fax/RC groups could not open Sale Orders, Invoices, or
Contacts because the One2many computed fields triggered AccessError
on fusion.fax. Now base.group_user gets read-only access so computed
fields work silently, while all UI elements (smart buttons, header
buttons, menus, partner fields, settings) are restricted to the
proper security groups. Both modules now use Odoo 19 privilege
pattern for the user settings dropdown.

Co-authored-by: Cursor <cursoragent@cursor.com>

fusion_faxes/views/account_move_views.xml

@@ -8,16 +8,17 @@
         <field name="inherit_id" ref="account.view_move_form"/>
         <field name="arch" type="xml">
 
-            <!-- Smart button for fax count -->
+            <!-- Smart button for fax count (fax users only) -->
             <xpath expr="//div[@name='button_box']" position="inside">
                 <button name="action_view_faxes" type="object"
                         class="oe_stat_button" icon="fa-fax"
-                        invisible="x_ff_fax_count == 0">
+                        invisible="x_ff_fax_count == 0"
+                        groups="fusion_faxes.group_fax_user">
                     <field name="x_ff_fax_count" widget="statinfo" string="Faxes"/>
                 </button>
             </xpath>
 
-            <!-- Send Fax header button -->
+            <!-- Send Fax header button (fax users only) -->
             <xpath expr="//header" position="inside">
                 <button name="action_send_fax" string="Send Fax"
                         type="object" class="btn-secondary"