diff --git a/website_sale_aplicoop/security/record_rules.xml b/website_sale_aplicoop/security/record_rules.xml
index 9dd9994..aa9ac98 100644
--- a/website_sale_aplicoop/security/record_rules.xml
+++ b/website_sale_aplicoop/security/record_rules.xml
@@ -1,13 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <odoo>
-    <data noupdate="1">
+    <data>
 
         <!-- Record Rule: Users can read only their company orders -->
         <!-- Record Rule: Internal users (no specific group) - restrict to company + groups -->
         <record id="rule_group_order_user_company_read_internal" model="ir.rule">
             <field name="name">group.order: internal users company access read</field>
             <field name="model_id" ref="model_group_order"/>
-            <field name="domain_force">[('company_id','in', user.company_ids.ids)]</field>
+            <field name="groups" eval="[(4, ref('base.group_user'))]"/>
+            <field name="domain_force">[('company_id', 'in', user.company_ids.ids)] if not user.share else [(0, '=', 1)]</field>
             <field name="perm_read">1</field>
             <field name="perm_write">0</field>
             <field name="perm_create">0</field>
@@ -50,12 +51,12 @@
             <field name="perm_unlink">1</field>
         </record>
 
-        <!-- Record Rule: Portal users can read only their company orders -->
+        <!-- Record Rule: Portal users can read only orders from their company and assigned consumer groups -->
         <record id="rule_group_order_portal_read" model="ir.rule">
-            <field name="name">group.order: portal access read (company)</field>
+            <field name="name">group.order: portal access read (company + consumer group)</field>
             <field name="model_id" ref="model_group_order"/>
             <field name="groups" eval="[(4, ref('base.group_portal'))]"/>
-            <field name="domain_force">[('company_id','=', user.company_id.id)]</field>
+            <field name="domain_force">[('company_id', '=', user.company_id.id), ('group_ids', 'in', user.partner_id.group_ids.ids)]</field>
             <field name="perm_read">1</field>
             <field name="perm_write">0</field>
             <field name="perm_create">0</field>
diff --git a/website_sale_aplicoop/tests/test_record_rules.py b/website_sale_aplicoop/tests/test_record_rules.py
index e8be191..8440f13 100644
--- a/website_sale_aplicoop/tests/test_record_rules.py
+++ b/website_sale_aplicoop/tests/test_record_rules.py
@@ -62,6 +62,7 @@ class TestGroupOrderRecordRules(TransactionCase):
         self.group1 = self.env["res.partner"].create(
             {
                 "name": "Grupo Company 1",
+                "is_group": True,
                 "is_company": True,
                 "email": "grupo1@test.com",
                 "company_id": self.company1.id,
@@ -71,12 +72,56 @@ class TestGroupOrderRecordRules(TransactionCase):
         self.group2 = self.env["res.partner"].create(
             {
                 "name": "Grupo Company 2",
+                "is_group": True,
                 "is_company": True,
                 "email": "grupo2@test.com",
                 "company_id": self.company2.id,
             }
         )
 
+        # Crear miembro de grupo + usuario portal de Company 1
+        self.portal_member_c1 = self.env["res.partner"].create(
+            {
+                "name": "Portal Member C1",
+                "email": "portal_c1@test.com",
+                "company_id": self.company1.id,
+                "group_ids": [(6, 0, [self.group1.id])],
+            }
+        )
+
+        self.portal_user_c1 = self.env["res.users"].create(
+            {
+                "name": "Portal User C1",
+                "login": "portal_c1",
+                "password": "pass123",
+                "partner_id": self.portal_member_c1.id,
+                "company_id": self.company1.id,
+                "company_ids": [(6, 0, [self.company1.id])],
+                "groups_id": [(6, 0, [self.env.ref("base.group_portal").id])],
+            }
+        )
+
+        # Usuario portal de Company 1 sin grupo de consumo asignado
+        self.portal_member_no_group = self.env["res.partner"].create(
+            {
+                "name": "Portal Member No Group",
+                "email": "portal_no_group@test.com",
+                "company_id": self.company1.id,
+            }
+        )
+
+        self.portal_user_no_group = self.env["res.users"].create(
+            {
+                "name": "Portal User No Group",
+                "login": "portal_no_group",
+                "password": "pass123",
+                "partner_id": self.portal_member_no_group.id,
+                "company_id": self.company1.id,
+                "company_ids": [(6, 0, [self.company1.id])],
+                "groups_id": [(6, 0, [self.env.ref("base.group_portal").id])],
+            }
+        )
+
         # Crear órdenes en cada compañía
         self.order1 = self.env["group.order"].create(
             {
@@ -168,3 +213,17 @@ class TestGroupOrderRecordRules(TransactionCase):
         order2_admin = self.order2.with_user(self.admin_user)
         self.assertEqual(order2_admin.name, "Pedido Company 2")
         self.assertEqual(order2_admin.company_id, self.company2)
+
+    def test_portal_user_can_read_only_assigned_consumer_group_orders(self):
+        """Portal solo debe ver órdenes de su grupo de consumo dentro de su compañía."""
+        orders = self.env["group.order"].with_user(self.portal_user_c1).search([])
+
+        self.assertIn(self.order1, orders)
+        self.assertNotIn(self.order2, orders)
+        self.assertEqual(len(orders), 1)
+
+    def test_portal_user_without_consumer_group_cannot_read_orders(self):
+        """Portal sin grupo de consumo asignado no debe ver ninguna group.order."""
+        orders = self.env["group.order"].with_user(self.portal_user_no_group).search([])
+
+        self.assertEqual(len(orders), 0)