libracore / erpnextswiss

ERPNext application for Switzerland-specific use cases
GNU Affero General Public License v3.0

Sales Invoice data is sent to libracore #51

Closed barredterra closed 5 years ago

barredterra commented 5 years ago

Expected behaviour

QR-Code containing sensitive information should be generated on ERPNext Server.

Actual behaviour

Complete Sales Invoice information is sent to a libracore server, which provides the qr-code. I don't know the Swiss data protection regulations but this seems to be very problematic.

<img src="https://data.libracore.ch/phpqrcode/api/iso20022.php
?iban={{ receiving_account.iban or ''}}
&receiver_name={{ cmp_address_line_detail.name }}
&receiver_street={{ cmp_address_line_detail.street | trim }}
&receiver_number={{ cmp_address_line_detail.number }}
&receiver_pincode={{ cmp_address_line_detail.pin }}
&receiver_town={{ cmp_address_line_detail.city }}
&receiver_country={{ cmp_address_line_detail.country }}
&final_receiver_name={{ cmp_address_line_detail.name }}
&final_receiver_street={{ cmp_address_line_detail.street | trim }}
&final_receiver_number={{ cmp_address_line_detail.number }}
&final_receiver_pincode={{ cmp_address_line_detail.pin }}
&final_receiver_town={{ cmp_address_line_detail.city }}
&final_receiver_country={{ cmp_address_line_detail.country }}
&amount={{ doc.grand_total }}
&currency={{ doc.currency }}
&due_date={{ doc.due_date }}
&payer_name={{ pay_address_line_detail.name }}
&payer_street={{ pay_address_line_detail.street | trim }}&payer_number={{ pay_address_line_detail.number }}
&payer_pincode={{ pay_address_line_detail.pin }}
&payer_town={{ pay_address_line_detail.city }}
&payer_country={{ pay_address_line_detail.country }}
&reference_type=QRR&reference={{ doc.name }}
&message={{ doc.title }}"
style="width: 46mm !important; height: 46mm !important;" />

https://github.com/libracore/erpnextswiss/blob/800ccc9cf6b713aba378bf88a662fcadcb8c7f3c/erpnextswiss/erpnextswiss/print_format/qr_sales_invoice/qr_sales_invoice.json#L10

lasalesi commented 5 years ago

Dear @barredterra,

thank you for your entry. The quoted code above is a sample print format. As you note, it provides a libracore server for generation of the QR-code.

However, anyone can choose any alternative server. The source code for the QR-code generator is available as an open source tool, please refer to https://github.com/lasalesi/phpqrcode. Therefore, again, this is only a (working) sample server. In case of concern, please use your own server.

As for your note that ERPNext should generate the QR-code: I basically agree. However, up to this point there is no library available that would fulfil this (even including charts and the like with the used toolchain is afaik not possible if not with a separate server process). We are always happy to accept pull requests.

We will add a disclaimer note regarding the server.
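
An added example, not part of the thread or of erpnextswiss: one way to audit a print format's HTML for the pattern reported above, an `<img>` whose URL points at an external host and carries Jinja-interpolated document fields in its query string. The function name, the `allowed_hosts` parameter (for a self-hosted generator, as suggested in the reply) and the shortened sample template are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# src attribute of an <img> tag; the value may be wrapped over several lines.
IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*"([^"]*)"', re.I | re.S)
# Query parameters whose value is a Jinja expression: ?name={{ expr }}
PARAM_EXPR = re.compile(r'[?&]\s*([\w.-]+)\s*=\s*\{\{\s*(.*?)\s*\}\}', re.S)

# Constructed sample: a shortened form of the print format quoted in the issue,
# plus a local image that must not be reported.
SAMPLE = """<img src="/files/logo.png" />
<img src="https://data.libracore.ch/phpqrcode/api/iso20022.php
?iban={{ receiving_account.iban or ''}}
&amount={{ doc.grand_total }}
&payer_name={{ pay_address_line_detail.name }}
&reference_type=QRR&reference={{ doc.name }}"
style="width: 46mm !important; height: 46mm !important;" />"""


def find_external_data_urls(template_html, allowed_hosts=()):
    """Return one finding per <img> that sends template fields to a host
    outside allowed_hosts. Relative URLs (same server) are ignored."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src in IMG_SRC.findall(template_html):
        url = re.sub(r'\s*\n\s*', '', src)       # re-join a line-wrapped URL
        host = (urlsplit(url).hostname or '').lower()
        if not host or host in allowed:
            continue
        # Map each query parameter to the template expression it exposes.
        fields = {name: expr for name, expr in PARAM_EXPR.findall(url)}
        if fields:
            findings.append({'host': host, 'fields': fields})
    return findings


if __name__ == '__main__':
    for finding in find_external_data_urls(SAMPLE):
        print(finding['host'])
        for name, expr in finding['fields'].items():
            print(f'  {name} <- {expr}')
```

The function takes the template HTML as a string; for a print format stored as a JSON file, pass the decoded HTML field rather than the raw file contents.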