Employee with Leave Approver role should not be able to submit his own Leave Application!?

rajeeb · January 8, 2020, 9:54am

I have set myself as a leave approver by assigning Leave Approver role so that i can submit leave approvals for some people who are working under me. Now i am also reporting to somebody who is above in the hierarchy.

So the issue is when i add a leave application for my self i am able to submit. I can submit my own leave application.

It should not be possible right ? I don’t want anybody to submit their own leave approval rather than his subordinates. How can i rectify this issue ??
Any kind of helps is much appreciated !!

clarkej · January 8, 2020, 6:25pm

The Role Permissions Manager page notes include this:

“Apart from System Manager, roles with Set User Permissions right can set permissions for other users for that Document Type.”

So the general BIG rule seems to be a User can not and should not be able change their own permissions.

The code and supporting tests (presumably!) enforce and validate that is the case!?

github.com

frappe/frappe/blob/develop/frappe/tests/test_permissions.py

# Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors
# License: MIT. See LICENSE
"""Use blog post test to test user permissions logic"""

import frappe
import frappe.defaults
import frappe.model.meta
from frappe.core.doctype.user_permission.user_permission import clear_user_permissions
from frappe.core.page.permission_manager.permission_manager import reset, update
from frappe.desk.form.load import getdoc
from frappe.permissions import (
	add_permission,
	add_user_permission,
	clear_user_permissions_for_doctype,
	get_doc_permissions,
	remove_user_permission,
	update_permission_property,
)
from frappe.test_runner import make_test_records_for_doctype
from frappe.tests.utils import FrappeTestCase

This file has been truncated. show original

github.com

frappe/frappe/blob/develop/frappe/core/doctype/user_permission/test_user_permission.py

# Copyright (c) 2021, Frappe Technologies and Contributors
# See LICENSE
import frappe
from frappe.core.doctype.doctype.test_doctype import new_doctype
from frappe.core.doctype.user_permission.user_permission import (
	add_user_permissions,
	remove_applicable,
)
from frappe.permissions import has_user_permission
from frappe.tests.utils import FrappeTestCase
from frappe.website.doctype.blog_post.test_blog_post import make_test_blog


class TestUserPermission(FrappeTestCase):
	def setUp(self):
		test_users = (
			"test_bulk_creation_update@example.com",
			"test_user_perm1@example.com",
			"nested_doc_user@example.com",
		)

This file has been truncated. show original

https://github.com/frappe/erpnext/blob/develop/erpnext/hr/doctype/leave_application/test_leave_application.py

The docs propose an HR Manager or HR User to resolve the case of permission conflicts? Role Based Permissions

edit: FWIW like Google, Frappe follows this basic permissions model:

In the case of Google: “manage access control by defining who (identity) has what access (role) for which resource”

In the case of Frappe: identify == User, role == Role and resource == DocType

To learn more best practice check out Google IAM docs

“Cloud IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. Cloud IAM lets you adopt the security principle of least privilege, where you grant only necessary permissions to access specific resources.”

Probably one key to the principle of least privilege POLP, is a consistent convention you opt to use? Say whether you to add/grant or deny/restrict privilege to avoid access chaos?

kaustubhd · January 9, 2020, 5:40am

Hi,
From Above reply the second point is correct (other mentioned points are also correct).Just addition to this as you have leave approver role assigned therefore you can submit your leave application (According to erpnext logic perspective) & you can restrict it by customizing it .

rajeeb · January 9, 2020, 5:44am

@kaustubhd now i got it. i know i can submit because i’m having Leave Approver role. I want to restrict approving my own leave application with having Leave Approver role. how i can customize it for acheiving this ?

kaustubhd · January 9, 2020, 6:07am

@rajeeb , I have regret that I am not able to provide you the solution on how to customize it because I am black box tester , I can share my knowledge , logic & understanding of erpnext. you will get appropriate solution by respective developer only.

Shwetang_Dalvi · August 7, 2020, 1:04pm

Hi, @rajeeb Have you got any solution for this? as I am facing the same issue

Rajat96318 · March 18, 2024, 12:44pm

@rajeeb @Shwetang_Dalvi @clarkej @kaustubhd Did you find the solution