kimai / kimai

Kimai is a web-based multi-user time-tracking application. Works great for everyone: freelancers, companies, organizations - everyone can track their times, generate reports, create invoices and do so much more. SaaS version available at https://www.kimai.cloud
https://www.kimai.org
GNU Affero General Public License v3.0

User with view_invoice permission can't download existing PDF invoices from invoice list #3123

Closed rbuehler-teletrend closed 2 years ago

rbuehler-teletrend commented 2 years ago

Describe the bug
Users with the view_invoice permission assigned but without the create_invoice permission can't download existing PDF invoices from the invoice list. I would expect that with the view_invoice permission one should be able to view all details in the invoice list (the view_all_data permission is given as well). Also, it is a pity that for those users the /invoice/ page is loaded by default, as this will throw an error message due to insufficient permissions. Instead, for those users with viewer permission only, the /invoice/show/ page should be loaded by default.

To Reproduce

  1. Edit a role and set the permissions create_invoice, delete_invoice, manage_invoice_template and upload_invoice_template to No and view_invoice to Yes. Set view_all_data to Yes.
  2. Assign role to a user and log in with that user
  3. Go to invoices (you will be presented with a permission error), then move on to the invoice list and try to download the PDF of one of the invoices shown.

Logfile

[2022-02-03 08:40:23] request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Access denied." at /var/www/kimai2/vendor/symfony/security-http/Firewall/ExceptionListener.php line 137 {"exception":"[object] (Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException(code: 0): Access denied. at /var/www/kimai2/vendor/symfony/security-http/Firewall/ExceptionListener.php:137, Symfony\Component\Security\Core\Exception\AccessDeniedException(code: 403): Access denied. at /var/www/kimai2/vendor/sensio/framework-extra-bundle/src/EventListener/SecurityListener.php:79)"} []
[2022-02-03 08:40:23] request.INFO: Matched route "admin_invoice_download". {"route":"admin_invoice_download","route_parameters":{"_route":"admin_invoice_download","_controller":"App\Controller\InvoiceController::downloadAction","_locale":"de_CH","id":"5"},"request_uri":"https://xxxxxxxxx/de_CH/invoice/download/5","method":"GET"} []

Additional context
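As an added illustration (not Kimai's or Symfony's own code), here is a small Python parser for Monolog lines like the two quoted in the log above that counts access-denied errors per matched route; this is the check an operator would run to notice that a role is consistently refused on one route such as admin_invoice_download. The sample log is constructed from the issue's two records (with the JSON backslashes escaped as Monolog writes them) plus one made-up, permitted request whose route name invoice_list is hypothetical.

```python
"""Correlate Monolog 'Access denied' errors with the route Symfony matched."""
import json
import re
from collections import Counter

# Constructed sample: two records from the issue plus a made-up permitted request.
SAMPLE_LOG = [
    r'[2022-02-03 08:40:23] request.ERROR: Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "Access denied." at /var/www/kimai2/vendor/symfony/security-http/Firewall/ExceptionListener.php line 137 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException(code: 0): Access denied. at /var/www/kimai2/vendor/symfony/security-http/Firewall/ExceptionListener.php:137, Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access denied. at /var/www/kimai2/vendor/sensio/framework-extra-bundle/src/EventListener/SecurityListener.php:79)"} []',
    r'[2022-02-03 08:40:23] request.INFO: Matched route "admin_invoice_download". {"route":"admin_invoice_download","route_parameters":{"_route":"admin_invoice_download","_controller":"App\\Controller\\InvoiceController::downloadAction","_locale":"de_CH","id":"5"},"request_uri":"https://xxxxxxxxx/de_CH/invoice/download/5","method":"GET"} []',
    # Hypothetical route name; a permitted request that must not be counted.
    r'[2022-02-03 08:41:02] request.INFO: Matched route "invoice_list". {"route":"invoice_list","route_parameters":{"_route":"invoice_list","_locale":"de_CH"},"request_uri":"https://xxxxxxxxx/de_CH/invoice/show/","method":"GET"} []',
]

# Monolog's default line format: [datetime] channel.LEVEL: message {context} {extra}
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<channel>\w+)\.(?P<level>\w+): '
    r'(?P<message>.*?) (?P<context>\{.*\}|\[\]) (?P<extra>\{.*\}|\[\])$'
)


def parse_line(line):
    """Split one Monolog line into its fields; context/extra are decoded as JSON."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("context", "extra"):
        try:
            rec[key] = json.loads(rec[key])
        except json.JSONDecodeError:
            pass  # keep the raw text if a handler wrote non-JSON context
    return rec


def denied_routes(lines):
    """Count AccessDenied errors per (route, request_uri).

    The error and the 'Matched route' record share a timestamp whichever order
    the handler flushed them in, so records are grouped by timestamp. Assumption:
    one request per second, as in the sample; concurrent requests in the same
    second would need the request id Monolog's UidProcessor adds."""
    groups = {}
    for rec in filter(None, map(parse_line, lines)):
        groups.setdefault(rec["ts"], []).append(rec)
    counts = Counter()
    for recs in groups.values():
        denied = any(r["level"] == "ERROR" and "AccessDenied" in r["message"] for r in recs)
        for r in recs:
            if denied and r["message"].startswith("Matched route"):
                ctx = r["context"]
                counts[(ctx["route"], ctx.get("request_uri", "?"))] += 1
    return counts
```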

kevinpapst commented 2 years ago

Will be fixed for the next major release. You can already test it here: https://demo-branch.kimai.org/ with susan_super and kitten

kevinpapst commented 2 years ago

The next major version will have a different navigation structure, with single entries for the different invoice screens:

Screenshot 2022-08-02 at 13 14 19

Creating a user/role with the described permissions now leads to this navigation:

Screenshot 2022-08-02 at 13 13 43

This user will only be able to download existing invoices in 2.0.

github-actions[bot] commented 1 year ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. If you use Kimai on a daily basis, please consider donating to support further development of Kimai.