[IMP] hr_attendance: do not allow employees to edit their attendances

Revision 7fd74226
takes care to prevent employees to modify manually their attendances,
by removing the edit button from the attendance list.

This is only visual, this doesn't actually
prevent users to change their attendances,
for instance through XMLRPC.

Besides, with the group comment:
```xml
    <record id="group_hr_attendance" model="res.groups">
        <field name="name">User</field>
        <field name="category_id" ref="base.module_category_human_resources_attendances"/>
        <field name="comment">The user will gain access to the human resources attendance menu, enabling him to manage his own attendance.</field>
    </record>
```

To me:
- Employees should be able to sign in and sign out only
- Attendance users should be able to modify their own attendances only
- Attendance managers can modify attendances of anybody.

Hence, instead of removing the edit button on the view,
change the ACLs so employees do not have the rights to modify their
attendances at all.

Part-of: odoo/odoo#98551

addons/hr_attendance/models/hr_employee.py

@@ -164,7 +164,7 @@ class HrEmployee(models.Model):
         action_message['hours_today'] = employee.hours_today
 
         if employee.user_id:
-            modified_attendance = employee.with_user(employee.user_id)._attendance_action_change()
+            modified_attendance = employee.with_user(employee.user_id).sudo()._attendance_action_change()
         else:
             modified_attendance = employee._attendance_action_change()
         action_message['attendance'] = modified_attendance.read()[0]

addons/hr_attendance/security/hr_attendance_security.xml

@@ -72,12 +72,12 @@
         </record>
 
         <record id="hr_attendance_rule_attendance_employee" model="ir.rule">
-            <field name="name">user: read and modify own attendance only</field>
+            <field name="name">user: read own attendance only</field>
             <field name="model_id" ref="model_hr_attendance"/>
             <field name="domain_force">[('employee_id.user_id','=',user.id)]</field>
             <field name="perm_read" eval="1"/>
-            <field name="perm_write" eval="1"/>
-            <field name="perm_create" eval="1"/>
+            <field name="perm_write" eval="0"/>
+            <field name="perm_create" eval="0"/>
             <field name="perm_unlink" eval="0"/>
             <field name="groups" eval="[(4,ref('base.group_user'))]"/>
         </record>

addons/hr_attendance/security/ir.model.access.csv

 id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
-access_hr_attendance_user,hr.attendance.user,model_hr_attendance,hr_attendance.group_hr_attendance_user,1,1,1,1
-access_hr_attendance_system_user,hr.attendance.system.user,model_hr_attendance,base.group_user,1,1,1,0
+access_hr_attendance_officer,hr.attendance.user,model_hr_attendance,group_hr_attendance_user,1,1,1,1
+access_hr_attendance_user,hr.attendance.system.user,model_hr_attendance,group_hr_attendance,1,1,1,0
+access_hr_attendance_system_user,hr.attendance.system.user,model_hr_attendance,base.group_user,1,0,0,0
 access_hr_attendance_overtime_user,hr.attendance.overtime.user,model_hr_attendance_overtime,hr_attendance.group_hr_attendance_user,1,1,1,1
 access_hr_attendance_overtime_system_user,hr.attendance.overtime.system.user,model_hr_attendance_overtime,base.group_user,1,0,0,0
 access_hr_attendance_report_user,hr.attendance.report.user,model_hr_attendance_report,hr_attendance.group_hr_attendance_user,1,1,1,1

addons/hr_attendance/views/hr_attendance_view.xml

@@ -7,7 +7,7 @@
         <field name="name">hr.attendance.tree</field>
         <field name="model">hr.attendance</field>
         <field name="arch" type="xml">
-            <tree string="Employee attendances" edit="0" sample="1">
+            <tree string="Employee attendances" editable="bottom" sample="1">
                 <field name="employee_id"/>
                 <field name="check_in"/>
                 <field name="check_out"/>
@@ -16,19 +16,6 @@
         </field>
     </record>
 
-    <record id="view_attendance_tree_inherit" model="ir.ui.view">
-        <field name="name">hr.attendance.tree.inherit</field>
-        <field name="model">hr.attendance</field>
-        <field name="inherit_id" ref="hr_attendance.view_attendance_tree"/>
-        <field name="groups_id" eval="[(4, ref('hr_attendance.group_hr_attendance_user'))]"/>
-        <field name="arch" type="xml">
-            <tree position="attributes">
-                <attribute name="edit">1</attribute>
-                <attribute name="editable">bottom</attribute>
-            </tree>
-        </field>
-    </record>
-
     <record id="view_hr_attendance_kanban" model="ir.ui.view">
         <field name="name">hr.attendance.kanban</field>
         <field name="model">hr.attendance</field>
@@ -63,7 +50,7 @@
         <field name="name">hr.attendance.form</field>
         <field name="model">hr.attendance</field>
         <field name="arch" type="xml">
-            <form string="Employee attendances" edit="0">
+            <form string="Employee attendances">
                 <sheet>
                     <group>
                         <field name="employee_id"/>
@@ -75,18 +62,6 @@
         </field>
     </record>
 
-    <record id="hr_attendance_view_form_inherit" model="ir.ui.view">
-        <field name="name">hr.attendance.form.inherit</field>
-        <field name="model">hr.attendance</field>
-        <field name="inherit_id" ref="hr_attendance.hr_attendance_view_form"/>
-        <field name="groups_id" eval="[(4, ref('hr_attendance.group_hr_attendance_user'))]"/>
-        <field name="arch" type="xml">
-            <form position="attributes">
-                <attribute name="edit">1</attribute>
-            </form>
-        </field>
-    </record>
-
     <record id="hr_attendance_view_filter" model="ir.ui.view">
         <field name="name">hr_attendance_view_filter</field>
         <field name="model">hr.attendance</field>