
Leaderboard (which includes financials) always shows regardless of user privilege



I’m trying to create some very low privilege users to be able to create tasks for a single project only. The Web Portal is just too unreliable - the Project page always shows as blank and invoices are shown to the customer, which is not what I want.

So I decided to create local accounts for these couple of users instead which means that I can have better access control for them. Except that doesn’t work properly either. It seems that no matter what privileges are assigned to a user, every user is able to see:

  1. The Leaderboard, which includes financial information such as which customers owe money, which I obviously wouldn’t want to share with customers
  2. User account details. You can’t hide the ToDo page but I don’t really care too much about that. Except that on the ToDo page you’re able to allocate a ToDo to any user on the system. So a user with essentially zero privileges (just “Read” on a Project) is able to see every user on the system.

So there are two main issues with privileges:

  1. Any user can see any other user’s account
  2. Any user can see company financial details as it’s impossible to restrict access to the Leaderboard


Leaderboard Permissions Issue

Restrict leaderboard page to, for example, System Manager only.