KatjaGlassConsulting / ApprovalBundle

A Kimai Plugin to manage weekly approval workflow
MIT License

minor permission issue #2

Closed de-sec closed 2 years ago

de-sec commented 2 years ago

Hi Katja,

first of all thanks for releasing this great plugin for Kimai2!

We figured out a minor issue with the permission structure: if user X is teamlead of Team D and member of Team S and has the permission 'view_team_approval', this user can see approvals and submissions of all users who are in the same team as user X (even if user X is only a team member in this team). If this permission is not granted, user X is not able to see or approve their team members' submitted weeks.

In terms of usability, an additional permission 'view_team_approval (Teamlead)' would be great, which displays week reports of users only if user X is teamlead of the corresponding team.

Best regards

KatjaGlassConsulting commented 2 years ago

Hi, is this more a theoretical issue, as the permission in general would allow this? Because when the Approval User Interface is used, teamleads only see their own team. Or did you experience a situation where this is not the case? If so, please provide a more concrete example.

Example: [screenshot]

Katja A and Katja B both additionally need the role "team lead". The role "view_team_approval" should be all yes, but no for the user. Katja A sees her complete team (Katja A, Katja B and Katja C), whereas Katja B only sees Katja A and Katja B.
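The two visibility rules discussed in this thread (the reporter's "any shared team" observation and the "only teams I lead" scope that the Approval User Interface is described as applying) can be written down as a small authorization model. The following is an added illustration, not code from the ApprovalBundle or from Kimai; the team layout, who leads which team, and the `visible_users` function are constructed here so the difference between the two scopes is reproducible.

```python
"""Constructed model of the two approval-visibility scopes discussed in the issue.

Not the plugin's code: teams, leads and the visible_users() rule are assumptions
made for this example, reusing the names from the thread.
"""
from dataclasses import dataclass, field

VIEW_TEAM_APPROVAL = "view_team_approval"  # permission name taken from the issue


@dataclass
class Team:
    name: str
    lead: str                                   # user name of the team lead
    members: set = field(default_factory=set)  # includes the lead


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()


def visible_users(viewer: User, teams: list, lead_only: bool) -> set:
    """Return the users whose submitted weeks `viewer` is allowed to see.

    lead_only=False: every team the viewer belongs to is in scope
                     (the behaviour the reporter observed).
    lead_only=True:  only teams the viewer leads are in scope
                     (the scope the reporter asked for).
    A viewer without the permission sees nobody under either rule.
    """
    if VIEW_TEAM_APPROVAL not in viewer.permissions:
        return set()
    visible = set()
    for team in teams:
        in_scope = team.lead == viewer.name if lead_only else viewer.name in team.members
        if in_scope:
            visible |= team.members
    return visible


# Constructed sample data: Katja A leads Team D, Katja B leads Team S,
# and both are members of Team D (the overlap that causes the leak).
TEAMS = [
    Team("Team D", lead="Katja A", members={"Katja A", "Katja B", "Katja C"}),
    Team("Team S", lead="Katja B", members={"Katja A", "Katja B"}),
]
KATJA_A = User("Katja A", frozenset({VIEW_TEAM_APPROVAL}))
KATJA_B = User("Katja B", frozenset({VIEW_TEAM_APPROVAL}))
KATJA_C = User("Katja C")  # no approval permission at all


def main() -> None:
    for user in (KATJA_A, KATJA_B, KATJA_C):
        print(f"{user.name:8} shared-team rule: {sorted(visible_users(user, TEAMS, lead_only=False))}")
        print(f"{user.name:8} lead-only rule:   {sorted(visible_users(user, TEAMS, lead_only=True))}")


if __name__ == "__main__":
    main()
```

Under the shared-team rule Katja B sees Katja C purely because both sit in Team D, even though Katja B does not lead that team; under the lead-only rule Katja B is limited to Team S (Katja A and Katja B), which is the result Katja described for the Approval User Interface. Checking which rule a role effectively grants is the kind of comparison that exposed the custom-role misconfiguration mentioned later in the thread.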

de-sec commented 2 years ago

Hi,

thanks for the hint - after taking a deeper look into the permission sets I found a misconfiguration of one of our permissions within an additional custom role, which caused this issue.

Best regards