inventree / InvenTree

Open Source Inventory Management System
https://docs.inventree.org
MIT License
3.9k stars 688 forks

[EPIC] Permissions (refactor?) #7466

Open matmair opened 2 weeks ago

matmair commented 2 weeks ago

The permission system currently uses a mixture of stock Django permissions, a self-written role-mapping engine and an ownership model for stock. This is not well documented and the behaviour is not consistent - making it harder to understand/predict.

There are a few issues regarding permissions, some quite old.

### Related issues
- [ ] https://github.com/inventree/InvenTree/issues/7446
- [ ] https://github.com/inventree/InvenTree/issues/7003
- [ ] https://github.com/inventree/InvenTree/issues/2323
- [ ] https://github.com/inventree/InvenTree/issues/5755
- [ ] https://github.com/inventree/InvenTree/issues/4022

### Requirements

TODO: Categorize in needed / good to have

Requirements for the overhaul:

1. Interoperable (additional to) with Django's default system
2. Using existing fine-grained control patterns (Tree per Location -> Part -> Stock items)
3. API-enforced and auto-documented
4. Generic / pluggable so plugins can use the same systems (maybe with a permission register?)
5. Extendable with per-model actions (i.e. allocate stock, count stock, create revision, ship order but not change it)
6. Integrate well with (LDAP/SSO synced) groups and be transparent to users

### User stories

TBD

Feel free to submit your user stories / requirements / issues here - I will update / remove points as consensus is reached on them.
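To make requirements 1, 2, 5 and 6 concrete, here is an added sketch of a scoped-permission resolver (example code written for this discussion, not InvenTree's own implementation): grants are held by (LDAP/SSO-style) groups, name a per-model action, and are scoped to a node of the Location tree, so they apply to everything below that node; a Django-style codename mapping is kept as a fallback so the stock permission system still works alongside it. All class names, action strings and the `DJANGO_MAP` mapping are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass(eq=False)
class Location:
    """Node in the Location tree (eq=False: nodes compare by identity)."""
    name: str
    parent: Optional["Location"] = None

    def ancestors(self):
        node = self
        while node is not None:   # yield self, then each parent up to the root
            yield node
            node = node.parent

@dataclass
class Grant:
    group: str       # group name, e.g. synced from LDAP/SSO
    action: str      # per-model action, e.g. "stockitem.count"
    scope: Location  # applies to this location and everything below it

@dataclass
class User:
    name: str
    groups: Set[str]
    django_perms: Set[str] = field(default_factory=set)  # stock Django codenames

def can(user: User, action: str, loc: Location, grants: List[Grant],
        django_map: Optional[Dict[str, str]] = None) -> bool:
    """Walk from the item's location up to the root looking for a matching grant
    held by one of the user's groups; otherwise fall back to the mapped stock
    Django permission so both systems stay interoperable."""
    for node in loc.ancestors():
        if any(g.scope is node and g.action == action and g.group in user.groups
               for g in grants):
            return True
    return bool(django_map) and django_map.get(action) in user.django_perms

def visible_items(user: User, items: List[Tuple[str, Location]],
                  grants: List[Grant]) -> List[str]:
    """Search results filtered by the view action (separate sub-trees per group)."""
    return [name for name, loc in items if can(user, "stockitem.view", loc, grants)]

# Constructed sample data: one instance, two sub-trees with different groups.
HOME = Location("Home")
ELECTRONICS = Location("Electronics", HOME)
GARAGE = Location("Garage", HOME)
SHELF = Location("Shelf 1", GARAGE)
GRANTS = [Grant("family", "stockitem.view", GARAGE), Grant("family", "stockitem.count", GARAGE),
          Grant("electronics", "stockitem.view", ELECTRONICS),
          Grant("electronics", "stockitem.allocate", ELECTRONICS)]
ITEMS = [("STM32 dev board", ELECTRONICS), ("Cordless drill", SHELF)]
FAMILY, HOBBYIST = User("sibling", {"family"}), User("owner", {"electronics"})
ADMIN = User("admin", set(), {"stock.view_stockitem"})
DJANGO_MAP = {"stockitem.view": "stock.view_stockitem"}  # hypothetical action -> codename
```

With these grants a family member searching the instance only sees the drill on the garage shelf, the electronics group can allocate but not count stock outside its sub-tree, and a user holding only the stock Django view permission is admitted solely through the fallback mapping.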

wolflu05 commented 2 weeks ago

I think it would be pretty helpful if we could assign some users only permissions to:

This would be helpful to my personal inventree instance which I use for my electronics hobby, to add a separate profile for my family so we can manage our cellar, garage, ... too, without my electronics inventory appearing when they search for something they have in their garage. I could just run two inventree instances, but 1. this costs double RAM, CPU, ... and 2. I have to use two different logins.

As well, this could also be useful for businesses that have different departments: manufacturing, selling, ... different categories of products, where the employees should not be able to mess with the parts and locations in other departments.

SergeoLacruz commented 2 weeks ago

I think it would also be nice to bind this somehow to projects.

Everyone in the project gets access to every item in the project. User groups already exist and can be used.

SchrodingersGat commented 1 week ago

Additional consideration: with the upcoming "lock part" feature, it would be a good idea to control who can lock / unlock a part. Maybe part "ownership" (either of individual parts or part categories) could come into play here.