Closed de-sec closed 2 years ago
Hi, is this more of a theoretical issue, as the permission in general would allow it? Because when the Approval User Interface is used, teamleads only see their own team. Or did you experience a situation where this is not the case? If so, please provide a more concrete example.
Example:
Katja A and Katja B both additionally need the role "team lead". The role "view_team_approval" should be all yes, but no for the user. Katja A sees her complete team (Katja A, Katja B and Katja C), whereas Katja B only sees Katja A and Katja B.
Hi,
thanks for the hint - after taking a deeper look into the permission sets I found a misconfiguration of one of our permissions within an additional custom role, which caused this issue.
Best regards
Hi Katja,
first of all thanks for releasing this great plugin for Kimai2!
We figured out a minor issue with the permission structure: if user X is teamlead of Team D and a member of Team S and has the permission 'view_team_approval', this user can see approvals and submissions of all users who are in the same team as user X (even if user X is only a team member in that team). If this permission is not granted, user X is not able to see or approve their team members' submitted weeks.
In terms of usability, an additional permission 'view_team_approval (Teamlead)' would be great, which displays week reports of users only if user X is teamlead of the corresponding team.
Best regards