User restriction based on company

ERPNext User Forum
, ,
#1

Hi guys,

Basically what I’m trying to do is, restrict users to see the transactions only related to the company they are linked to. I’m able to achieve most of it, but I’ve stuck with one issue.

Say that I have two companies A and B and two user testuser1 and testuser2. I’ve added user permissions for both the users i.e testuser1 has permission to only company A and testuser2 has got permission to company B as shown in the image below-

image
image1308×493 31.7 KB

So the assumption here is that when you login as testuser1 he should not see the company B. This does happen as expected as shown in the image below-

image
image1280×576 29.8 KB

Restrictions are also proper -
image

But when I take the url of the company B and try to access it from testuser1, I’m able to see the company B as shown in the image below-

image
image1364×689 54.5 KB

I assume it’ll behave the same way all over the system, So coming to the question here-
Is this the normal behaviour?
Is there something I am doing wrong ?
If I’m wrong Is there another way to restrict user based on the permission I set him?

#2

@Paul_Clinton, did you figure this out ? I am also new here and this is what i am working on now.

#3

Nope, I guess it must be a bug from frappe side(Or it must be intended). Not sure. Haven’t got any clarification yet.

#4

Hi Paul,

I think some validation when you access from the url is missing. But while that’s something that needs to be fixed, ignore that for the moment and try and see if one of the users can make a transaction (like Quotation, Sales Order, Stock Entry, Purchase Receipt, etc. etc.) for a company is not authorized to access.

Hope this helps.

Thanks

Jay

#5

Hi

Carrying out some testing on above.

Yes.
When entering or inquiring transactions, the restricted company will not show. The URL will only allow navigating to the company screen. Though you can update the Company Data and save.

Thanks.

Rgds
Fahad

#6

@Paul_Clinton Can you confirm if the user (you are trying to apply User Permission for) does not have System Manager role?

#7

@Paul_Clinton I wonder if you have run into the same issue I have solved for myself.

TLDR - I found that ERPnext / Frappe role restrictions are not “completely exclusive.” Meaning, if you restrict a role based on a field for which some docs are NULL/empty, then those will not be filtered out but instead included with the docs which are filtered in. Said another way, docs with NULL/empty for the filtered field will be included instead of excluded.

Here is the situation I had…

  • I created a doctype
  • I added docs to that doctype
  • I added the field for which I would filter / restrict access (thus the previously created docs had NULL/empty for this new field)
  • I added the role permissions
  • I noticed all previous records which were created prior to my new field were included in my filter / restriction instead of excluded
  • I went back to those previously created docs and entered the appropriate values for the new field from which I would filter / restrict access
  • I noticed that those docs were appropriately filtered / restricted as I intended