The design of User Permissions is dangerous

Sharing szufisher’s proposal and PR for reference

In the case of Frappe apps (no ERPNext), I have a workaround. It may not be appropriate for the employee case. Sharing here if anyone else finds it helpful.

  • User is given a basic role on login to create a “Permission Request”.
  • Fresh user selects and creates a request to ask for Roles and User Permission.
  • On approval of the request by a user with a higher role, programmatically create User Permission and assign roles.
  • Instead of updating role and user permission directly, update programmatically through the “Permission Request” workflow and doc_events. You can even track changes here.
4 Likes
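The approval step of the workflow described in the post above, sketched as an added example that is not part of the original post or of Frappe itself. The "Permission Request" field names (`workflow_state`, `requested_roles`, `allow`, `for_value`), the role names and the hook module path are assumptions; the checks enforce that the requester cannot approve their own request and that only allowlisted roles can be granted.

```python
# Added example. "Permission Request" is a custom DocType; its fields
# (workflow_state, requested_roles, allow, for_value) and the role names
# below are assumptions for illustration, not part of Frappe.
# Register in hooks.py (module path hypothetical):
#   doc_events = {"Permission Request": {"on_update": "my_app.perm_request.on_update"}}

GRANTABLE_ROLES = {"Sales User", "Stock User"}  # roles a request may ask for
APPROVER_ROLE = "Permission Approver"           # hypothetical higher role


def validate_request(requester, approver, approver_roles, requested_roles):
    """Return the list of problems that must block an approval."""
    problems = []
    if approver == requester:
        problems.append("requester cannot approve own request")
    if APPROVER_ROLE not in approver_roles:
        problems.append("approver lacks role " + APPROVER_ROLE)
    extra = sorted(set(requested_roles) - GRANTABLE_ROLES)
    if extra:
        problems.append("roles not grantable: " + ", ".join(extra))
    return problems


def on_update(doc, method=None):
    """doc_events hook: apply the grant once the request reaches Approved."""
    import frappe  # lazy import so validate_request can be used without a bench

    if doc.workflow_state != "Approved":
        return
    approver = frappe.session.user  # assumed: the user performing the transition
    roles = [row.role for row in doc.requested_roles]
    problems = validate_request(doc.owner, approver,
                                frappe.get_roles(approver), roles)
    if problems:
        frappe.throw("; ".join(problems))

    user = frappe.get_doc("User", doc.owner)
    user.flags.ignore_permissions = True  # approver needs no write access to User
    user.add_roles(*roles)

    perm = {"user": doc.owner, "allow": doc.allow, "for_value": doc.for_value}
    if not frappe.db.exists("User Permission", perm):  # keep re-saves idempotent
        frappe.get_doc({"doctype": "User Permission", **perm}).insert(
            ignore_permissions=True)
```

Because the grant is written with `ignore_permissions`, the checks in `validate_request` are the only gate, so the allowlist should never contain administrative roles such as System Manager.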