fix: Remove barcode scanner from portal & add proper org chart security (v18.0.1.0.18)

ISSUE IDENTIFIED (User Feedback):
❌ Barcode scanner exposed to portal customers (field service feature only)
❌ Organization chart missing proper ACL/security rules for portal users

ANALYSIS:
1. Barcode Scanner (/my/barcode/main):
   - Uses batch_barcode_operations model
   - ACL: group_records_user, group_records_manager, group_records_admin
   - NO portal group access
   - Designed for field technicians to scan pickup/retrieval items
   - Should NOT be in customer portal

2. Organization Chart (/my/organization):
   - Uses res.partner hierarchy with .sudo()
   - Missing portal-specific security rules
   - Only has group_portal_company_admin check in controller
   - NO record-level access rules for res.partner organization viewing

CHANGES:
1. Removed barcode scanner from portal (website_portal_menus.xml):
   ❌ Deleted portal_menu_barcode_scanner menu item
   ✅ Feature remains accessible for internal users via backend

2. Restricted organization chart to company admins (website_portal_menus.xml):
   ✅ Added groups_id filter: group_portal_company_admin
   ✅ Only company admins see menu item

3. Updated portal hub cards (website_pages.xml):
   ❌ Removed barcode scanner feature card
   ✅ Added 'Company Admin Only' badge to organization chart
   ✅ Kept advanced search feature
   ✅ Changed to 2-column layout (was 3-column)

4. Created portal organization security (NEW FILE):
   security/portal_organization_security.xml:

   Rule 1 - Read access for all portal users:
   - Domain: res.partner in user's commercial_partner_id hierarchy
   - Groups: base.group_portal
   - Permissions: read only (no write/create/unlink)

   Rule 2 - Create access for company admins:
   - Domain: parent_id within commercial_partner_id
   - Groups: group_portal_company_admin
   - Permissions: read + create (add team members)

5. Updated manifest to include new security file

SECURITY IMPROVEMENTS:
✅ Portal users can only view partners in their organization
✅ Company admins can add sub-contacts to their company
✅ No unauthorized access to other companies' data
✅ Proper record-level filtering with commercial_partner_id

FEATURE ACCESS MATRIX (CORRECTED):
┌─────────────────────┬───────────────┬─────────────────────┐
│ Feature             │ Portal Users  │ Internal Users      │
├─────────────────────┼───────────────┼─────────────────────┤
│ Barcode Scanner     │ ❌ NO ACCESS  │ ✅ Field Service    │
│ Organization Chart  │ ✅ Admin Only │ ✅ All Internal     │
│ Advanced Search     │ ✅ All Users  │ ✅ All Internal     │
└─────────────────────┴───────────────┴─────────────────────┘

PORTAL HUB CARDS NOW:
✅ 8 total feature cards (was 9, removed barcode)
- 6 core features (inventory, requests, docs, billing, certs, help)
- 2 advanced features (organization [admin], search)

USER IMPACT:
✅ Portal customers no longer see field service tools
✅ Organization chart properly secured with ACLs
✅ Only company admins can view/manage team hierarchy
✅ Cleaner portal UX focused on customer needs
✅ Proper separation of customer vs. technician features

Author: John75SunCity

records_management/__manifest__.py

@@ -1,6 +1,6 @@
 {
     "name": "Records Management - Enterprise Edition",
-    'version': '18.0.1.0.17',
+    'version': '18.0.1.0.18',
     'category': 'Productivity/Records',
     "summary": "Complete Enterprise Records Management System with NAID AAA Compliance",
     "description": "Records Management - Enterprise Grade DMS Module. Enterprise physical & digital records lifecycle, NAID AAA + ISO 15489 compliance, portal, shredding, retention, audit, billing.",
@@ -72,6 +72,7 @@
         "security/intelligent_search_security.xml",
         "security/naid_security.xml",
         "security/portal_request_security.xml",
+        "security/portal_organization_security.xml",
         "security/work_order_portal_rules.xml",
         "security/portal_container_rules.xml",
         "security/portal_document_rules.xml",

records_management/data/website_pages.xml

@@ -92,29 +92,20 @@
                                         </div>
                                     </div>
 
-                                    <!-- Row 3: NEW Features (Previously Hidden) -->
+                                    <!-- Row 3: Advanced Features -->
                                     <div class="row mt-4">
-                                        <div class="col-lg-4 mb-4">
-                                            <div class="card h-100 border-primary">
-                                                <div class="card-body text-center">
-                                                    <i class="fa fa-barcode fa-3x text-primary mb-3"></i>
-                                                    <h4 class="card-title">Barcode Scanner</h4>
-                                                    <p class="card-text">Scan containers, files, and items for quick access</p>
-                                                    <a href="/my/barcode/main" class="btn btn-primary">Launch Scanner</a>
-                                                </div>
-                                            </div>
-                                        </div>
-                                        <div class="col-lg-4 mb-4">
+                                        <div class="col-lg-6 mb-4">
                                             <div class="card h-100 border-success">
                                                 <div class="card-body text-center">
                                                     <i class="fa fa-sitemap fa-3x text-success mb-3"></i>
-                                                    <h4 class="card-title">Organization</h4>
+                                                    <h4 class="card-title">Organization Chart</h4>
                                                     <p class="card-text">View your team hierarchy and manage contacts</p>
+                                                    <span class="badge badge-warning mb-2">Company Admin Only</span>
                                                     <a href="/my/organization" class="btn btn-success">View Organization</a>
                                                 </div>
                                             </div>
                                         </div>
-                                        <div class="col-lg-4 mb-4">
+                                        <div class="col-lg-6 mb-4">
                                             <div class="card h-100 border-info">
                                                 <div class="card-body text-center">
                                                     <i class="fa fa-search fa-3x text-info mb-3"></i>

records_management/data/website_portal_menus.xml

@@ -2,7 +2,7 @@
 <odoo>
     <data noupdate="0">
         <!-- ================================================================== -->
-        <!-- WEBSITE PORTAL MENU CONFIGURATION - OPTIMIZED HIERARCHY          -->  
+        <!-- WEBSITE PORTAL MENU CONFIGURATION - OPTIMIZED HIERARCHY          -->
         <!-- Portal Hub as main menu with all portal features as children     -->
         <!-- ================================================================== -->
 
@@ -89,20 +89,13 @@
             <field name="sequence">80</field>
         </record>
 
-        <!-- Barcode Scanner Hub (NEW - Previously Hidden) -->
-        <record id="portal_menu_barcode_scanner" model="website.menu">
-            <field name="name">Barcode Scanner</field>
-            <field name="url">/my/barcode/main</field>
-            <field name="parent_id" ref="portal_hub_main_menu"/>
-            <field name="sequence">60</field>
-        </record>
-
-        <!-- Organization Chart (NEW - Previously Hidden) -->
+        <!-- Organization Chart (Company Admin Only) -->
         <record id="portal_menu_organization" model="website.menu">
             <field name="name">Organization</field>
             <field name="url">/my/organization</field>
             <field name="parent_id" ref="portal_hub_main_menu"/>
-            <field name="sequence">90</field>
+            <field name="sequence">60</field>
+            <field name="groups_id" eval="[(4, ref('records_management.group_portal_company_admin'))]" />
         </record>
 
     </data>

records_management/security/portal_organization_security.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<odoo>
+    <data noupdate="1">
+        <!-- ================================================================== -->
+        <!-- PORTAL ORGANIZATION CHART SECURITY RULES                           -->
+        <!-- Ensures portal company admins can view their organization hierarchy -->
+        <!-- ================================================================== -->
+
+        <!-- Portal Company Admin: Can view organization hierarchy (res.partner) -->
+        <!-- NOTE: res.partner already has base portal rules, but we need to ensure -->
+        <!-- organization chart viewing works properly with commercial_partner_id -->
+        <record id="res_partner_portal_organization_rule" model="ir.rule">
+            <field name="name">res.partner: Portal organization chart access</field>
+            <field name="model_id" ref="base.model_res_partner"/>
+            <field name="domain_force">[
+                '|',
+                    ('id', 'child_of', user.partner_id.commercial_partner_id.id),
+                    ('id', '=', user.partner_id.commercial_partner_id.id)
+            ]</field>
+            <field name="groups" eval="[(4, ref('base.group_portal'))]"/>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="False"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+        <!-- Portal Company Admin: Can create sub-contacts in their organization -->
+        <record id="res_partner_portal_company_admin_create_rule" model="ir.rule">
+            <field name="name">res.partner: Portal company admin can add team members</field>
+            <field name="model_id" ref="base.model_res_partner"/>
+            <field name="domain_force">[
+                ('parent_id', 'child_of', user.partner_id.commercial_partner_id.id)
+            ]</field>
+            <field name="groups" eval="[(4, ref('records_management.group_portal_company_admin'))]"/>
+            <field name="perm_read" eval="True"/>
+            <field name="perm_write" eval="False"/>
+            <field name="perm_create" eval="True"/>
+            <field name="perm_unlink" eval="False"/>
+        </record>
+
+    </data>
+</odoo>