GST Setting Write Access for GST Balance Report

Basant · August 20, 2024, 8:45am

I found it too extreme to mandate WRITE access to GST settings Doctype to access GST Balance Report.
Settings should only be editable for admins. The operators who will access the reports need not have write access to settings. The current check makes it mandatory to provide write access to settings, which is dangerous. Including the code below. I suggest, the check should be removed or changed to Read Access:
frappe.has_permission(“GST Settings”, “write”, throw=True)

@frappe.whitelist()
def get_pending_voucher_types(company=None):
    frappe.has_permission("GST Settings", "write", throw=True)

    company_accounts = ""
    if company:
        company_accounts = get_all_gst_accounts(company)

    return verify_gstin_update(company_accounts), company_accounts

Path: india_compliance/india_compliance/gst_india/report/gst_balance/gst_balance.py

Alternatively, if the check is truly required to toggle Allow_on_update field for company_gstin, the check could be moved inside the function and made optional:
In the following code,
Path: india_compliance/india_compliance/patches/post_install/update_company_gstin.py

def verify_gstin_update(gst_accounts=None):
    if not gst_accounts:
        gst_accounts = get_gst_accounts()

    voucher_types = get_pending_voucher_types(gst_accounts)

    if voucher_types:
        toggle_allow_on_submit(True, voucher_types)
        return voucher_types

    toggle_allow_on_submit(False)

Change this to

if voucher_types:
        toggle_allow_on_submit(True, voucher_types)
        return voucher_types

this

if voucher_types:
        if frappe.has_permission("GST Settings", "write", throw=False):
                  toggle_allow_on_submit(True, voucher_types)
        return voucher_types

Smit_Vora · August 20, 2024, 12:06pm

Thanks for the suggestion.
Fixed here: fix: better permission check for viewing pending vouchers by vorasmit · Pull Request #2528 · resilient-tech/india-compliance · GitHub

Basant · August 21, 2024, 6:28am

Thanks, @Smit_Vora for the quick action. The question still beacons: Why is the read access on Settings still needed?
I understand the Write access check as the function was modifying the toggle_allow_on_submit(True, voucher_types) for the vouchers that didn’t have Company_GSTIN.
Can we simply throw error that not all transactions (of a particular type) have company_gstin on accessing gst balance report. When the user with admin rights opens the report, then the GL entries will be marked as Allow on Submit.

This can ease even the Read Access for Settings for folks who don’t strictly need it.

Smit_Vora · August 21, 2024, 8:21am

You need to understand that this is a one-time manual patch, and it requires authority of system admins.

There are two functions:

Check list of documents where company GSTIN is not set: get_pending_voucher_types
Update Company GSTINs to GL Entries from documents where it’s manually updated: update_company_gstin

Second one requires write access, and is not doable without first one. Hence read permissions shouldn’t harm here.

Once this is done, the report will start working as expected and the button Update GSTIN will hide.

Basant · August 21, 2024, 2:00pm

Once this is done by the admin who have write access, why should the operators continue to need read access? There is no setting information used in this report differently than Sales and Purchase register.

It’s okay to block access to report until the issue is fixed (one time). Forcing read permission for Setting forever is not needed in my opinion.

The permission check should be thought through again.