Missing record rules for account.move and account.move.line
I think we should add record rules for filtering the current company in account.move and account.move.line.
It is currently not an issue from the UI because the action to open account.move from the menu already filters by company but it can be considered a security issue because the user could get data using JSON-RPC for which he should be banned.