I’m trying to create some very low privilege users to be able to create tasks for a single project only. The Web Portal is just too unreliable - the Project page always shows as blank and invoices are shown to the customer, which is not what I want.
So I decided to create local accounts for these couple of users instead, which means that I can have better access control for them. Except that doesn’t work properly either. It seems that no matter what privileges are assigned to a user, every user is able to see:
- The Leaderboard, which includes financial information such as which customers owe money, which I obviously wouldn’t want to share with customers
- User account details. You can’t hide the ToDo page but I don’t really care too much about that. Except that on the ToDo page you’re able to allocate a ToDo to any user on the system. So a user with essentially zero privileges (just “Read” on a Project) is able to see every user on the system.
So there are two main issues with privileges:
- Any user can see any other user’s account
- Any user can see company financial details as it’s impossible to restrict access to the Leaderboard