Oh boy! This would be awesome!!! I know some seasoned Frappe implementation teams that still struggle with this design because it’s just counter-intuitive. Several times users are given access that they shouldn’t have just because of this very issue… still had to fix one just a couple of days ago.
The suggestion you have made does seem very light but would make a WORLD of difference. I hope this gets built and merged yesterday!
I had this problem some time ago and it is certainly scary every time that I have to give permissions to a user, not to say give the responsibility to someone else.
Even though it looks like it’s going to be another year without any attention to this, your post is of great help for us, the community, especially the newcomers.
I wish there could be a non-official ERPNext Tips and “be aware of” list for this kind of thing.
Thanks @peterg for the explanation and highlighting this problem. I had written in the past that ERPNext has serious confidentiality issues, as a user is able to escape their permissions - certain standard reports do not force the use of filters (the default is blank).
Don’t know if this fix will address that??? A branch accounts user (assigned to a specific accounting dimension or cost center) given access to the standard P&L or Balance Sheet report can see the P&L for the whole company even if a user permission was set to only allow documents for the branch cost center.
So as I see it, there is no implementation of any of these permission features yet? How did @szufisher handle the problems? I would love to help implement this. I really need a strong permission system and the current one is really bad…
As soon as this document is created, there will be no permission on this document. Then, by adding each Role’s Additional Permission, the permission will be added (using an OR condition).
So, the combined condition would be,
doc_perm_conditions = (false OR role_1_cond OR role_2_cond)
This doc_perm_conditions will then be ANDed with the other permission queries and user permissions.
And then, by using the code from hrms.hr.utils import share_doc_with_approver, I have shared the entries with other users.
The only benefit I had was that in the majority of cases we needed to hide the entries from the manager or approvers, so using this solution was possible.
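The combination described in the post above, as an added example that is not code from Frappe, HRMS or the poster: each role's additional permission is modelled as a SQL WHERE fragment (the shape Frappe's permission query conditions take), OR-ed onto a false starting point, then ANDed with the user-permission fragment and run against a constructed in-memory table. The table, column names and sample rows are assumptions for the demo.

```python
import sqlite3

# Constructed sample rows for a simplified doctype (not real ERPNext data).
SAMPLE_ROWS = [
    ("EXP-001", "alice@example.com", "Branch A"),
    ("EXP-002", "bob@example.com", "Branch A"),
    ("EXP-003", "carol@example.com", "Branch B"),
    ("EXP-004", "alice@example.com", "Branch B"),
]


def combine_role_conditions(role_conditions):
    """Start from 'no access' (0 is false in SQL) and OR each role's
    additional condition onto it: a user with no matching role sees nothing."""
    parts = ["0"] + [f"({c})" for c in role_conditions]
    return "(" + " OR ".join(parts) + ")"


def build_where(role_conditions, user_perm_condition):
    """AND the role-derived condition with the user-permission condition,
    so a broad role grant cannot widen access past the user permission.
    The fragments are admin-defined configuration, never end-user input."""
    doc_perm = combine_role_conditions(role_conditions)
    return f"{doc_perm} AND ({user_perm_condition})"


def visible_docs(role_conditions, user_perm_condition):
    """Return the names a user would see under the combined condition."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE expense_claim (name TEXT, owner TEXT, cost_center TEXT)")
    conn.executemany("INSERT INTO expense_claim VALUES (?, ?, ?)", SAMPLE_ROWS)
    where = build_where(role_conditions, user_perm_condition)
    rows = conn.execute(
        f"SELECT name FROM expense_claim WHERE {where} ORDER BY name"
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    roles = ["owner = 'alice@example.com'", "cost_center = 'Branch A'"]
    print(build_where(roles, "cost_center = 'Branch A'"))
    print(visible_docs(roles, "cost_center = 'Branch A'"))  # ['EXP-001', 'EXP-002']
    print(visible_docs([], "1"))                            # [] : no role, no access
```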
No one can defend the possible leaks in the roles and permissions of ERPNext, unfortunately. If you’re willing to spend ages, you can control sensitive data access… That is generally only salary data.
Shame when you have such a powerful tool for Salary Calculations.