horilla-opensource / horilla

Horilla is a free and open source HR software.
https://www.horilla.com/
GNU Lesser General Public License v2.1

New employee without any permissions can view list of employees & "about" information on any given employee #306

Open 1reason opened 2 months ago

1reason commented 2 months ago

Bug Report

Description

New employee without any permissions can view list of employees & "about" information on any given employee

Steps to Reproduce

1. Create a new employee.
2. The employee logs in.
3. On the sidebar, under "Employee" is "Employees"; when clicking on any given employee, the user is able to view private "about" information.

Expected Behavior

user without permissions should not have access to list of employees, nor have ability to view employee information


Environment

Django version 4.2.11, Python 3.10.12, Ubuntu 22.04, Firefox for the user

Additional Information

New install

Possible Solution

Create the proper filter to avoid behavior

vanyell commented 2 months ago

Is there any update to this? This is a valid concern, since employees' PII is visible to everyone, not just their manager and HR.

stevenfamy commented 2 months ago

Upvote for this; the employees page permission needs an improvement.

vanyell commented 1 month ago

Not all fields should be visible to fellow employees

Under Work Info, the Salary field should not be visible.

No personal info should be visible except to the immediate manager or HR.

horilla-opensource commented 1 month ago

Hi @vanyell @stevenfamy , Sorry for the delay in the update. The team is working on this and checking the areas causing the issue. Will provide you an update asap.

With Regards, Team Horilla

horilla-opensource commented 1 month ago

Hi @vanyell @stevenfamy ,

We have added a feature for restricting access for employees to other employee data.

Restrict Accessibility

Restrict Accessibility is a feature in Horilla that is used to limit the default access provided by Horilla for normal users. All features mentioned in the accessibility settings are accessible to HR administrators, managers, and users with permission.

How do you restrict/limit employee detailed view access to normal users? To do that you need to add a category of employees so they can access the feature. If you want to restrict it for all, add an employee type, department, job position, role, or user group that you will never assign to an employee. For example, create an empty user group called “Normal User” in Settings > General Settings > User Groups.

Then add the user group to the accessibility form: Settings > Accessibility Restrict > Default Employee View, then add the “Normal Users” group in the Groups field. If you fill in multiple fields, then any employee included in the categories can access the feature.

So the accessibility of the employee view is limited to those normal users who are part of the “Normal Users” group.
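The "Default Employee View" rule the maintainers describe above, written out as an added Python example (this is illustrative code, not Horilla's own implementation): HR administrators, managers and explicit permission holders bypass the rule; an ordinary user passes only if they fall into any one of the configured categories (OR semantics across the form's fields); and pointing the rule at an intentionally empty "Normal Users" group locks ordinary users out. The `Employee` and `DefaultEmployeeViewRule` classes, the `VIEW_PERMISSION` codename, and the self-access behaviour in `visible_employees` are assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass


# Hypothetical stand-in for Horilla's employee/user record (constructed for
# this example; not a Horilla model).
@dataclass(frozen=True)
class Employee:
    username: str
    groups: frozenset[str] = frozenset()
    department: str | None = None
    job_position: str | None = None
    employee_type: str | None = None
    role: str | None = None
    is_hr_admin: bool = False
    is_manager: bool = False
    permissions: frozenset[str] = frozenset()


# Hypothetical counterpart of the "Default Employee View" accessibility form:
# each field holds the category values that unlock the feature.
@dataclass(frozen=True)
class DefaultEmployeeViewRule:
    groups: frozenset[str] = frozenset()
    departments: frozenset[str] = frozenset()
    job_positions: frozenset[str] = frozenset()
    employee_types: frozenset[str] = frozenset()
    roles: frozenset[str] = frozenset()


# Assumed permission codename; substitute whatever your deployment defines.
VIEW_PERMISSION = "employee.view_employee"


def is_privileged(actor: Employee) -> bool:
    """HR administrators, managers and explicit permission holders bypass the rule."""
    return actor.is_hr_admin or actor.is_manager or VIEW_PERMISSION in actor.permissions


def matches_any_category(actor: Employee, rule: DefaultEmployeeViewRule) -> bool:
    """OR semantics: membership in any configured category is enough."""
    return (
        bool(actor.groups & rule.groups)
        or actor.department in rule.departments
        or actor.job_position in rule.job_positions
        or actor.employee_type in rule.employee_types
        or actor.role in rule.roles
    )


def can_view_employee_detail(actor: Employee, rule: DefaultEmployeeViewRule) -> bool:
    """Decision the detail view must enforce server-side, not just the sidebar."""
    return is_privileged(actor) or matches_any_category(actor, rule)


def visible_employees(
    actor: Employee, rule: DefaultEmployeeViewRule, directory: list[Employee]
) -> list[str]:
    """Filter for the employee list. Restricted users still see their own
    record (an assumption for this example); everyone else sees the directory."""
    if not can_view_employee_detail(actor, rule):
        return [e.username for e in directory if e.username == actor.username]
    return [e.username for e in directory]


def demo() -> dict[str, bool]:
    """Reporter's scenario: a new hire with no permissions against the lockout rule."""
    # Intentionally empty group, as suggested in the thread: nobody is ever added to it.
    rule = DefaultEmployeeViewRule(groups=frozenset({"Normal Users"}))
    new_hire = Employee("new.hire")  # no groups, no permissions
    hr_admin = Employee("hr.admin", is_hr_admin=True)
    team_lead = Employee("team.lead", is_manager=True)
    return {
        "new_hire": can_view_employee_detail(new_hire, rule),  # False
        "hr_admin": can_view_employee_detail(hr_admin, rule),  # True
        "team_lead": can_view_employee_detail(team_lead, rule),  # True
    }


if __name__ == "__main__":
    for who, allowed in demo().items():
        print(f"{who}: {'can' if allowed else 'cannot'} open employee detail")
```

Two points this makes concrete: the check has to run inside the detail and list views, because removing a sidebar entry does nothing against a user who types the URL; and the lockout depends on the "Normal Users" group staying empty, so a periodic check that it has no members is part of keeping the restriction effective.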