
Leaderboard (which includes financials) always shows regardless of user privilege

bug
erpnext

#1

I’m trying to create some very low privilege users to be able to create tasks for a single project only. The Web Portal is just too unreliable - the Project page always shows as blank and invoices are shown to the customer, which is not what I want.

So I decided to create local accounts for these couple of users instead which means that I can have better access control for them. Except that doesn’t work properly either. It seems that no matter what privileges are assigned to a user, every user is able to see:

  1. The Leaderboard, which includes financial information such as which customers owe money, which I obviously wouldn’t want to share with customers
  2. User account details. You can’t hide the ToDo page but I don’t really care too much about that. Except that on the ToDo page you’re able to allocate a ToDo to any user on the system. So a user with essentially zero privileges (just “Read” on a Project) is able to see every user on the system.

So there are two main issues with privileges:

  1. Any user can see any other user’s account
  2. Any user can see company financial details as it’s impossible to restrict access to the Leaderboard

#2

Restrict the leaderboard page to, for example, System Manager only.