addons-cm/website_sale_aplicoop/security/record_rules.xml

<?xml version="1.0" encoding="utf-8"?>
<odoo>
    <data noupdate="1">

        <!-- Record Rule: Users can read only their company orders -->
        <!-- Record Rule: Internal users (no specific group) - restrict to company + groups -->
        <record id="rule_group_order_user_company_read_internal" model="ir.rule">
            <field name="name">group.order: internal users company access read</field>
            <field name="model_id" ref="model_group_order"/>
            <field name="domain_force">[('company_id','in', user.company_ids.ids)]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">0</field>
            <field name="perm_create">0</field>
            <field name="perm_unlink">0</field>
        </record>

        <record id="rule_group_order_company_read" model="ir.rule">
            <field name="name">group.order: company + group access read</field>
            <field name="model_id" ref="model_group_order"/>
            <field name="groups" eval="[(4, ref('website_sale_aplicoop.group_group_order_user'))]"/>
            <field name="domain_force">[('company_id','=', user.company_id.id)]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">0</field>
            <field name="perm_create">0</field>
            <field name="perm_unlink">0</field>
        </record>


        <!-- Record Rule: Managers can read/write their company orders -->
        <record id="rule_group_order_company_write" model="ir.rule">
            <field name="name">group.order: company access write</field>
            <field name="model_id" ref="model_group_order"/>
            <field name="groups" eval="[(4, ref('website_sale_aplicoop.group_group_order_manager'))]"/>
            <field name="domain_force">[('company_id', '=', user.company_id.id)]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">1</field>
            <field name="perm_create">1</field>
            <field name="perm_unlink">1</field>
        </record>

        <!-- Record Rule: Admins have global unrestricted access -->
        <record id="rule_group_order_manager_global" model="ir.rule">
            <field name="name">group.order: manager global access</field>
            <field name="model_id" ref="model_group_order"/>
            <field name="groups" eval="[(4, ref('base.group_erp_manager'))]"/>
            <field name="domain_force">[]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">1</field>
            <field name="perm_create">1</field>
            <field name="perm_unlink">1</field>
        </record>

        <!-- Record Rule: Portal users can read only their company orders -->
        <record id="rule_group_order_portal_read" model="ir.rule">
            <field name="name">group.order: portal access read (company)</field>
            <field name="model_id" ref="model_group_order"/>
            <field name="groups" eval="[(4, ref('base.group_portal'))]"/>
            <field name="domain_force">[('company_id','=', user.company_id.id)]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">0</field>
            <field name="perm_create">0</field>
            <field name="perm_unlink">0</field>
        </record>

        <!-- Record Rule: Portal users can read product.supplierinfo (for eskaera_shop) -->
        <record id="rule_product_supplierinfo_portal_read" model="ir.rule">
            <field name="name">product.supplierinfo: portal read access</field>
            <field name="model_id" ref="product.model_product_supplierinfo"/>
            <field name="groups" eval="[(4, ref('base.group_portal'))]"/>
            <field name="domain_force">[(1, '=', 1)]</field>
            <field name="perm_read">1</field>
            <field name="perm_write">0</field>
            <field name="perm_create">0</field>
            <field name="perm_unlink">0</field>
        </record>
    </data>
</odoo>