
(Disable) Ability to impersonate employee adding new expense or editing receivings and expenses

Open jaysnm opened this issue 3 years ago • 5 comments

Background information

Hello.

First and foremost I thank the maintainers for keeping such an impactful project active.

I noticed one is able to impersonate an employee when adding a new expense or editing a receiving or expense record. This goes against system integrity where we would like to track responsible individuals performing specific actions. If the selection input can be removed and instead the value for the input picked from details of the currently logged in user it will make more sense. See the screenshots below:

[screenshot: employee selection input on the expense form]

[screenshot: employee selection input on the receiving form]

Once again, thank you.

IMPORTANT: If you choose to ignore this issue report template, your issue will be closed as we cannot help without the requested information.

Please make sure you tick (add an x between the square brackets with no spaces) the following check boxes:

  • [x] Reporting an issue of an unmodified OSPOS installation
  • [x] Checked open and closed issues and no similar issue was already reported (please make sure you searched!)
  • [x] Read README, WHATS_NEW, INSTALL.md and UPGRADE
  • [x] Read the FAQ for any known install and/or upgrade gotchas (in specific PHP extensions installed)
  • [x] Read the wiki
  • [x] Executed any database upgrade scripts if an upgrade pre 3.0.0 (e.g. database/2.4_to_3.0.sql)
  • [x] Aware the installation code that GitHub master is for developers only and therefore not complete nor stable.

Installation information

  • OSPOS version is: 3.3.8 - ffe492
  • OSPOS git commit hash is: ffe49278fcbd936f34a9644debd0b7ff9bd83e31
  • PHP version is: 7.4.30
  • MySQL or MariaDB version is: 5.5.5-10.5.18-MariaDB-1:10.5.18+maria~ubu2004
  • OS and version is: Fedora 37
  • WebServer is: default apache included on docker-compose stack
  • Selected language is: en-US
  • (If applicable) Docker installation: yes docker-compose.yml stack
  • (If applicable) Installation package for the LAMP/LEMP stack is:

Issue / Bug / Question / New Feature

Please write your issue here. If a bug, please make sure to provide as much information as possible including configuration settings (e.g. Decimals set, Tax mode), language and steps to reproduce the bug.

jaysnm avatar Dec 22 '22 04:12 jaysnm

Why not just change the permissions and assign it to certain users, or maybe only admin?

hoststatic avatar Dec 22 '22 07:12 hoststatic

I solved it by adding a profile type to the Users: if the profile is of administrator type, the select shows all employees; otherwise, if not an administrator, the user only sees their own employee name.

nukerj avatar Jan 10 '23 04:01 nukerj

That restriction is easy to implement.

nukerj avatar Jan 10 '23 04:01 nukerj

Thank you both for reverting.

I have thoroughly gone through the docs here and my local installation looking for ways to assign different admin levels to users.

I am yet to see anything around role based control. All I can see is an employee module where user access can be limited through ticking permission boxes.

An employee with permission to add/edit/delete (these are bundled together) expenses/receivings, and with no permission to add/edit/delete/search other employees, still gets options to impersonate. See the attached screenshot of the test user permissions.

[screenshot: test user permissions]

jaysnm avatar Jan 10 '23 16:01 jaysnm

Agreed that something needs to be implemented at the permission level to allow/disallow assigning of other employees to receivings, sales, etc. I am moving this to the 3.5.0 milestone as the CI4 upgrade needs to happen first.

objecttothis avatar Dec 12 '23 08:12 objecttothis
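The suggestions in this thread (remove the select, or filter it by profile type or by a new permission) all change what the form shows. For the integrity goal in the original report, the check also has to happen server-side, because a client can submit any `employee_id` regardless of what the select rendered. The following is an added illustration, not OSPOS code: the permission key `expenses_assign_other_employee`, the `Session` class and the request shape are all hypothetical, written to run on PHP 7.4 as listed in the report.

```php
<?php
// Added example, not part of OSPOS. Shows a server-side check for the
// "responsible employee" field on an expense/receiving form, so that a
// user without the (hypothetical) assign-other-employee permission can only
// attribute the record to themselves, whatever the submitted form contains.
declare(strict_types=1);

// Hypothetical permission key; OSPOS does not currently define this.
const PERM_ASSIGN_OTHER_EMPLOYEE = 'expenses_assign_other_employee';

// Minimal stand-in for the logged-in session (constructed for this example).
final class Session
{
    /** @var int */
    private $employeeId;
    /** @var string[] */
    private $permissions;

    public function __construct(int $employeeId, array $permissions)
    {
        $this->employeeId  = $employeeId;
        $this->permissions = $permissions;
    }

    public function employeeId(): int
    {
        return $this->employeeId;
    }

    public function has(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

/**
 * Returns the employee id that may be stored on the record.
 * A missing field defaults to the logged-in user. A different id is only
 * accepted when the session holds the assign-other-employee permission;
 * otherwise the attempt is logged and refused, so a tampered request is
 * visible in the logs instead of being silently rewritten.
 */
function resolveEmployeeId(Session $session, array $post): int
{
    $requested = isset($post['employee_id'])
        ? (int) $post['employee_id']
        : $session->employeeId();

    if ($requested === $session->employeeId()) {
        return $requested;
    }
    if ($session->has(PERM_ASSIGN_OTHER_EMPLOYEE)) {
        return $requested;
    }

    error_log(sprintf(
        'employee %d attempted to attribute a record to employee %d',
        $session->employeeId(),
        $requested
    ));
    throw new RuntimeException('Not permitted to assign this record to another employee');
}

// Constructed sample sessions and form submissions.
$cashier = new Session(7, ['expenses']);
$admin   = new Session(1, ['expenses', PERM_ASSIGN_OTHER_EMPLOYEE]);

var_dump(resolveEmployeeId($cashier, ['employee_id' => '7'])); // own id, accepted
var_dump(resolveEmployeeId($cashier, []));                     // field absent, defaults to self
var_dump(resolveEmployeeId($admin, ['employee_id' => '7']));   // admin may assign another employee

try {
    resolveEmployeeId($cashier, ['employee_id' => '1']);       // crafted request from a cashier
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With this in place the view can still hide or pre-fill the select for users without the permission, as nukerj did with a profile type, but the stored `employee_id` no longer depends on what the browser sent. Refusing rather than overwriting keeps an audit trail of attempts, which is the tracking the original report asks for.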