I am having trouble preventing ERPNext from leaking information out via the website.
We have a large number of suppliers. We add various contacts to these suppliers to keep track of them. Just because we have added a contact doesn’t mean we want them to see any of our internal documents (which include all the POs, PINVs, PRECs, etc.).
If one of these suppliers goes and registers on our website, their account will automatically get set to ‘Supplier’. There appears to be no way to disable this (it is set in erpnext hooks.py).
If they are a ‘Supplier’, they see a load of sidebar menus, including Project, PINV, PO, etc., that we don’t want them to see. There appears to be no (non-hacky) way of hiding these, since Portal Settings is read-only (albeit only in the JS).
If they click on (for example) one of the POs, they can see all the details. They even get the ‘create PINV’ button.
Removing all permissions from ‘Supplier’ has not fixed this issue: despite having no system permissions or user permissions for these POs and PINVs, they can still see these documents.
It should be hard to reveal data and easy to hide it. Nowhere does it say in the ERPNext documentation ‘oh, by the way, if you add an email contact for a supplier they will be able to see their documents and even create new ones’! This is a horrible security problem for us.
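As an added illustration of a deny-by-default mitigation (this is example code, not from the post above nor from ERPNext itself): Frappe lets a custom app register extra `has_website_permission` methods per DocType, and portal access is refused if any registered method returns False. The example assumes a custom app named `portal_guard`, an opt-in check box custom field `allow_portal_access` added to Contact, and a Frappe v13+ API (`frappe.get_all(..., pluck=...)`).

```python
# hooks.py fragment for the assumed custom app "portal_guard":
# has_website_permission = {
#     dt: "portal_guard.permissions.deny_unless_opted_in" for dt in PORTAL_DOCTYPES
# }
# Frappe calls each registered method with (doc, ptype, user, verbose) and
# denies the portal request as soon as one of them returns False, so this
# runs in addition to ERPNext's own supplier check and can only tighten it.

try:
    import frappe
except ImportError:  # allows the pure decision logic to run outside a bench
    frappe = None

PORTAL_DOCTYPES = ("Purchase Order", "Purchase Invoice", "Purchase Receipt")


def decide(doc_supplier, contact_supplier_links, opted_in, ptype="read"):
    """Pure decision, kept free of Frappe so it can be unit-tested.

    A portal user may see a document only if their Contact was explicitly
    opted in, the request is read-only (no portal-side PINV creation), and
    the Contact is linked to the very Supplier the document belongs to.
    """
    if not opted_in:
        return False
    if ptype != "read":
        return False
    return bool(doc_supplier) and doc_supplier in contact_supplier_links


def deny_unless_opted_in(doc, ptype="read", user=None, verbose=False):
    """Hook entry point: resolve the calling user's Contact and its Supplier links."""
    user = user or frappe.session.user
    # Contact.user is the standard link from a Contact to its portal User.
    contact = frappe.db.get_value(
        "Contact", {"user": user}, ["name", "allow_portal_access"], as_dict=True
    )
    if not contact:
        return False  # a portal user with no Contact gets nothing
    # Contact.links is a Dynamic Link child table; keep only Supplier rows.
    links = frappe.get_all(
        "Dynamic Link",
        filters={"parenttype": "Contact", "parent": contact.name,
                 "link_doctype": "Supplier"},
        pluck="link_name",
    )
    return decide(doc.get("supplier"), links, bool(contact.allow_portal_access), ptype)
```

Because the hook only ever adds a deny, a Contact that was never opted in is refused even though the user carries the auto-assigned ‘Supplier’ role.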