feat(plating-sec): add 8 consolidated role groups + mark old groups deprecated

Phase A of permissions overhaul (see docs/superpowers/specs/2026-05-23-*). New groups (technician/sales_rep/shop_manager_v2/sales_manager/manager/ quality_manager/owner) defined in fp_security_v2.xml with implied_ids chains that include old groups for backward-compat during 30-day rollback window. Old groups display as [DEPRECATED] in user form. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 00:47:54 -04:00
parent 560ffa2cdf
commit a53b03265d
8 changed files with 97 additions and 11 deletions
--- a/fusion_plating/fusion_plating/manifest.py
+++ b/fusion_plating/fusion_plating/manifest.py
@@ -80,6 +80,7 @@ Copyright (c) 2026 Nexa Systems Inc. All rights reserved.
    ],
    'data': [
        'security/fp_security.xml',
        'security/fp_security_v2.xml',
        'security/ir.model.access.csv',
        'data/fp_landing_data.xml',
        'data/fp_sequence_data.xml',
--- a/fusion_plating/fusion_plating/security/fp_security.xml
+++ b/fusion_plating/fusion_plating/security/fp_security.xml
@@ -32,7 +32,7 @@
    <!-- Reads most reference data, writes chemistry logs.                  -->
    <!-- ================================================================== -->
    <record id="group_fusion_plating_operator" model="res.groups">
-        <field name="name">Operator</field>
+        <field name="name">[DEPRECATED] Operator</field>
        <field name="sequence">10</field>
        <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/>
@@ -43,7 +43,7 @@
    <!-- Can manage baths, schedule jobs, review logs.                      -->
    <!-- ================================================================== -->
    <record id="group_fusion_plating_supervisor" model="res.groups">
-        <field name="name">Supervisor</field>
+        <field name="name">[DEPRECATED] Supervisor</field>
        <field name="sequence">20</field>
        <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[(4, ref('group_fusion_plating_operator'))]"/>
@@ -54,7 +54,7 @@
    <!-- Full CRUD on configuration objects.                                -->
    <!-- ================================================================== -->
    <record id="group_fusion_plating_manager" model="res.groups">
-        <field name="name">Manager</field>
+        <field name="name">[DEPRECATED] Manager</field>
        <field name="sequence">30</field>
        <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[(4, ref('group_fusion_plating_supervisor'))]"/>
@@ -65,7 +65,7 @@
    <!-- Everything a Manager can do, plus system-level settings.           -->
    <!-- ================================================================== -->
    <record id="group_fusion_plating_admin" model="res.groups">
-        <field name="name">Administrator</field>
+        <field name="name">[DEPRECATED] Administrator</field>
        <field name="sequence">40</field>
        <field name="privilege_id" ref="res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[(4, ref('group_fusion_plating_manager'))]"/>
--- a/fusion_plating/fusion_plating/security/fp_security_v2.xml
+++ b/fusion_plating/fusion_plating/security/fp_security_v2.xml
@@ -0,0 +1,85 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
    <data noupdate="0">
        <!-- Phase 1 Permissions Overhaul: 8 consolidated roles -->
        <!-- See docs/superpowers/specs/2026-05-23-permissions-overhaul-design.md -->
        <record id="group_fp_technician" model="res.groups">
            <field name="name">Technician</field>
            <field name="sequence">10</field>
            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
            <field name="implied_ids" eval="[
                (4, ref('base.group_user')),
                (4, ref('fusion_plating.group_fusion_plating_operator')),
            ]"/>
        </record>
        <record id="group_fp_sales_rep" model="res.groups">
            <field name="name">Sales Representative</field>
            <field name="sequence">20</field>
            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
            <field name="implied_ids" eval="[
                (4, ref('base.group_user')),
                (4, ref('fusion_plating_configurator.group_fp_estimator')),
            ]"/>
        </record>
        <record id="group_fp_shop_manager_v2" model="res.groups">
            <field name="name">Shop Manager</field>
            <field name="sequence">30</field>
            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
            <field name="implied_ids" eval="[
                (4, ref('group_fp_technician')),
                (4, ref('fusion_plating.group_fusion_plating_supervisor')),
                (4, ref('fusion_plating_receiving.group_fp_receiving')),
            ]"/>
        </record>
        <record id="group_fp_sales_manager" model="res.groups">
            <field name="name">Sales Manager</field>
            <field name="sequence">40</field>
            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
            <field name="implied_ids" eval="[
                (4, ref('group_fp_sales_rep')),
            ]"/>
        </record>
        <record id="group_fp_manager" model="res.groups">
            <field name="name">Manager</field>
            <field name="sequence">50</field>
            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
            <field name="implied_ids" eval="[
                (4, ref('group_fp_shop_manager_v2')),
                (4, ref('group_fp_sales_manager')),
                (4, ref('fusion_plating.group_fusion_plating_manager')),
                (4, ref('fusion_plating_invoicing.group_fp_accounting')),
            ]"/>
        </record>
        <record id="group_fp_quality_manager" model="res.groups">
            <field name="name">Quality Manager</field>
            <field name="sequence">60</field>
            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
            <field name="implied_ids" eval="[
                (4, ref('group_fp_manager')),
                (4, ref('fusion_plating_cgp.group_fusion_plating_cgp_officer')),
            ]"/>
        </record>
        <record id="group_fp_owner" model="res.groups">
            <field name="name">Owner</field>
            <field name="sequence">70</field>
            <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
            <field name="implied_ids" eval="[
                (4, ref('group_fp_quality_manager')),
                (4, ref('fusion_plating.group_fusion_plating_admin')),
                (4, ref('fusion_plating_cgp.group_fusion_plating_cgp_designated_official')),
                (4, ref('base.group_system')),
            ]"/>
            <field name="user_ids" eval="[
                (4, ref('base.user_root')),
                (4, ref('base.user_admin')),
            ]"/>
        </record>
    </data>
 </odoo>
--- a/fusion_plating/fusion_plating_cgp/security/fp_cgp_security.xml
+++ b/fusion_plating/fusion_plating_cgp/security/fp_cgp_security.xml
@@ -17,7 +17,7 @@
    <!-- CGP OFFICER: day-to-day CGP compliance operator -->
    <record id="group_fusion_plating_cgp_officer" model="res.groups">
-        <field name="name">CGP Officer</field>
+        <field name="name">[DEPRECATED] CGP Officer</field>
        <field name="sequence">50</field>
        <field name="privilege_id"
               ref="fusion_plating.res_groups_privilege_fusion_plating"/>
@@ -27,7 +27,7 @@
    <!-- CGP DESIGNATED OFFICIAL: legally accountable per PSPC registration -->
    <record id="group_fusion_plating_cgp_designated_official" model="res.groups">
-        <field name="name">CGP Designated Official</field>
+        <field name="name">[DEPRECATED] CGP Designated Official</field>
        <field name="sequence">60</field>
        <field name="privilege_id"
               ref="fusion_plating.res_groups_privilege_fusion_plating"/>
--- a/fusion_plating/fusion_plating_configurator/security/fp_configurator_security.xml
+++ b/fusion_plating/fusion_plating_configurator/security/fp_configurator_security.xml
@@ -7,14 +7,14 @@
 <odoo>
    <record id="group_fp_estimator" model="res.groups">
-        <field name="name">Estimator</field>
+        <field name="name">[DEPRECATED] Estimator</field>
        <field name="sequence">50</field>
        <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_supervisor'))]"/>
    </record>
    <record id="group_fp_shop_manager" model="res.groups">
-        <field name="name">Shop Manager</field>
+        <field name="name">[DEPRECATED] Shop Manager</field>
        <field name="sequence">60</field>
        <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[
--- a/fusion_plating/fusion_plating_invoicing/security/fp_invoicing_security.xml
+++ b/fusion_plating/fusion_plating_invoicing/security/fp_invoicing_security.xml
@@ -7,7 +7,7 @@
 <odoo>
    <record id="group_fp_accounting" model="res.groups">
-        <field name="name">Accounting</field>
+        <field name="name">[DEPRECATED] Accounting</field>
        <field name="sequence">58</field>
        <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_supervisor'))]"/>
--- a/fusion_plating/fusion_plating_jobs/security/legacy_groups.xml
+++ b/fusion_plating/fusion_plating_jobs/security/legacy_groups.xml
@@ -6,7 +6,7 @@
         admin can manually add themselves via Settings > Users if
         they need to access historical MO/WO data. -->
    <record id="group_fusion_plating_legacy_menus" model="res.groups">
-        <field name="name">Plating Legacy Menus</field>
+        <field name="name">[DEPRECATED] Plating Legacy Menus</field>
        <field name="comment">Internal group to hide legacy MO/WO menus that have been replaced by the native fp.job model. Add a user to this group only if they need to navigate historical mrp.production / mrp.workorder records directly.</field>
    </record>
 </odoo>
--- a/fusion_plating/fusion_plating_receiving/security/fp_receiving_security.xml
+++ b/fusion_plating/fusion_plating_receiving/security/fp_receiving_security.xml
@@ -7,7 +7,7 @@
 <odoo>
    <record id="group_fp_receiving" model="res.groups">
-        <field name="name">Receiving</field>
+        <field name="name">[DEPRECATED] Receiving</field>
        <field name="sequence">55</field>
        <field name="privilege_id" ref="fusion_plating.res_groups_privilege_fusion_plating"/>
        <field name="implied_ids" eval="[(4, ref('fusion_plating.group_fusion_plating_operator'))]"/>