frappe / erpnext

Free and Open Source Enterprise Resource Planning (ERP)
https://erpnext.com
GNU General Public License v3.0

New setup permissions issues #42893

Closed BLenich-threadb closed 2 weeks ago

BLenich-threadb commented 3 weeks ago

Information about bug

Issue: a new erpnext instance has permissions issues for all accounts. For example, using the administrator account and trying to change the permissions for the default user, I am given an error that says "You do not have enough permissions to access this resource. Please contact your manager to get access." However, this only happens when a specific number of checkboxes are selected; for example, if I select any combination of roles that has less than 10 roles, I can save and I do not get the permissions error. I have tried creating new instances and adding no apps on the site, I have quadruple checked that I am following the setup guide, and I have set up an instance before with no issue, but no matter what I have tried I still get this issue. I have tried running this on an Ubuntu and Debian machine on their latest updates, and have tried older versions of erpnext.

Module

accounts

Version

Bench 5.22.8
erpnext 15.33.5
frappe 15.39.0
hrms 16.0.0-dev
payments 0.0.1

NOTE: I have tried other versions, this is just on the most recent test I have tried.

Installation method

None

Relevant log output / Stack trace / Full Error Message.

I can't find anything helpful in the logs, but the only error is in the actual site itself, which is: You do not have enough permissions to access this resource. Please contact your manager to get access.

Nihantra-Patel commented 2 weeks ago

For that, you have to learn the Role Permission Manager and also User Permission.

Reference:

BLenich-threadb commented 2 weeks ago

@Nihantra-Patel None of this really answers my problem. I physically cannot give role profiles or users access to more than a specific number of roles or modules, and we randomly get permission denied errors when working on pages we specifically have access to, at times that feel essentially random. The role permissions section is just the most easily repeatable part of this.

For example, I do not think this is an intended interaction. Let's say I have a new user profile for someone working in our lab, and us being a small company they need access to multiple parts of the erp system, so they have this role setup.

image

I just threw in some roles that seem applicable for now, but let's say they want to do some writing for our website, and they also are bilingual and can translate their articles into multiple languages, so I give them the blogger and translator role.

image

This gives a permission error, despite my account being the admin account I made during setup. An important note is any 2 roles would have broken this, but this is just an easy example. Unless there is a reason for it to block permission under this specific circumstance that I am missing from the links you provided.

Nihantra-Patel commented 2 weeks ago

You have to check the doctype-related condition, if the user has no access to that doctype then they can't be accessed.

BLenich-threadb commented 2 weeks ago

you have to check the doctype-related condition, if the user has no access to that doctype then they can't be accessed.

But it's not tied to specific doctypes, that's the confusion to me. For example, this role setup works:

image

This doesn't:

image

BUT if I remove a previously allowed doctype, then suddenly I can confirm him as an academics user:

image

The problem: why would removing an unrelated doctype allow me to confirm permissions for academics user, when it wouldn't let me confirm it before? The permissions error is tied to a specific number of roles being allocated, not actual doctype conditions. We have no restrictions on roles yet and no doctype restrictions.

I would like to note this is a fresh install. We backed up and removed our old one to test this issue, so there should be no specific conditions blocking us from doing this.

Nihantra-Patel commented 2 weeks ago

Without understanding the concept you will know otherwise just read the documentation or calmly watch the video that I provided.

Check each user's role and assign the related doctype permissions. Grant access if needed and disable any client scripts.

https://github.com/user-attachments/assets/4d557219-3a2b-478f-8c48-42e4d5543008

BLenich-threadb commented 2 weeks ago

I understand how the role permissions manager sets access to specific doctypes for specific roles. The problem I am dealing with is specifically the inconsistency in the roles and permissions tab. For example, why does admin start with all roles, as it should be, but cannot be given all roles again? Why can I select any combination of roles that are below a specific amount? Is this just an issue with the frappe itself? I realize I can just give a role that has access to all doc types needed to admin, but why can I still select only a specific number of roles? Here I just recorded creating a new role profile for manager, gave it access to all manager roles, only to get an error when I try changing any of the roles, which shows up inconsistently with what roles are chosen. I understand I can work around this but the actual function of not being able to select all needed roles bothers me.

https://github.com/user-attachments/assets/24e0dc95-887f-4bc3-b9bc-bed04924518d

If I just have to work around this issue I can with the info you provided, but I am just afraid inconsistencies like this can cause larger issues down the line.

BLenich-threadb commented 2 weeks ago

@Nihantra-Patel Here is another example of why this is not the issue you are claiming it is: why can password be set up until it hits the cap of allowed roles? This is an issue that isn't just permissions. The error message I'm being given feels misleading and the issue is something more than just set permissions.

https://github.com/user-attachments/assets/0e9b34f5-81e9-4829-950f-89a3dc94416f

Also, when I checked the actual post on the console it's not giving the not permitted error, instead I'm getting this:

image

So I don't think it's just the permissions issue.

BLenich-threadb commented 2 weeks ago

@Nihantra-Patel We fixed it, the request was being blocked by Amazon's firewall settings. The actual issue here is poor error messages in response to what was actually happening. I would recommend posting a new issue request for adding more possible error outputs because this was very hard to find.
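
The check that would have shortened this hunt, as an added example that is not part of the thread or of Frappe's code: decide whether a 403 was produced by the application or by something in front of it (proxy, load balancer, firewall) by looking at the response body rather than at the message the UI shows. It assumes the application reports its own errors as JSON carrying fields such as `exc_type`; the key list and the sample responses are constructed for illustration.

```python
import json

# Assumption: keys that mark an error body written by the application itself.
APP_ERROR_KEYS = {"exc_type", "exception", "exc", "_server_messages"}


def classify_403(status, headers, body):
    """Return 'not-403', 'application' or 'upstream' for one HTTP response."""
    if status != 403:
        return "not-403"
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if "json" in lowered.get("content-type", "").lower():
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        # A real application denial names its exception in the JSON body.
        if isinstance(doc, dict) and APP_ERROR_KEYS.intersection(doc):
            return "application"
    # Anything else (HTML error page, empty body, broken JSON) was most
    # likely written by a component sitting in front of the application.
    return "upstream"


def triage(responses):
    """Classify every labelled (status, headers, body) tuple."""
    return {name: classify_403(*resp) for name, resp in responses.items()}


# Constructed sample responses, not captured from the reporter's site.
SAMPLES = {
    "app_denied": (
        403, {"Content-Type": "application/json"},
        '{"exc_type": "PermissionError", "exception": "PermissionError"}'),
    "firewall_block": (
        403, {"Content-Type": "text/html"},
        "<html><head><title>403 Forbidden</title></head></html>"),
    "saved_ok": (200, {"Content-Type": "application/json"}, '{"docs": []}'),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

An `upstream` verdict means the application's role and doctype settings are not the place to look; the logs of the proxy or firewall are.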