fix: comprehensive permission overhaul for fusion_faxes and fusion_ringcentral

Users without fax/RC groups could not open Sale Orders, Invoices, or
Contacts because the One2many computed fields triggered AccessError
on fusion.fax. Now base.group_user gets read-only access so computed
fields work silently, while all UI elements (smart buttons, header
buttons, menus, partner fields, settings) are restricted to the
proper security groups. Both modules now use Odoo 19 privilege
pattern for the user settings dropdown.

Co-authored-by: Cursor <cursoragent@cursor.com>

fusion_ringcentral/views/res_partner_views.xml

@@ -8,19 +8,21 @@
         <field name="inherit_id" ref="base.view_partner_form"/>
         <field name="arch" type="xml">
 
-            <!-- Smart button for call count -->
+            <!-- Smart button for call count (RC users only) -->
             <xpath expr="//div[@name='button_box']" position="inside">
                 <button name="action_view_rc_calls" type="object"
                         class="oe_stat_button" icon="fa-phone"
-                        invisible="rc_call_count == 0">
+                        invisible="rc_call_count == 0"
+                        groups="fusion_ringcentral.group_rc_user">
                     <field name="rc_call_count" widget="statinfo" string="Calls"/>
                 </button>
             </xpath>
 
-            <!-- RingCentral Calls tab -->
+            <!-- RingCentral Calls tab (RC users only) -->
             <xpath expr="//page[@name='internal_notes']" position="after">
                 <page string="RingCentral Calls" name="rc_calls"
-                      invisible="rc_call_count == 0">
+                      invisible="rc_call_count == 0"
+                      groups="fusion_ringcentral.group_rc_user">
                     <field name="rc_call_ids" readonly="1">
                         <list decoration-danger="status in ('missed', 'no_answer')"
                               decoration-success="status == 'answered'">