[Bug] User without stock location role can see locations of individual items.
Please verify that this bug has NOT been raised before.
- I checked and didn't find similar issue
Describe the bug*
Not sure if this is a bug, or just an oversight in the current permissions / roles system.
A user without permission to view stock locations (ie, not assigned to a group with the stock locations role), can still see the stock locations of individual stock items, both in the stock items list (/stock/) and in the individual stock items' pages (/stock/item/xx/).
See screenshot. I've had to remove part of the stock location, because it contains an address.
Steps to Reproduce
Create a new user, and assign it to a new group with Stock Item view permission but uncheck all permissions related to Stock Location.
Expected behavior
I would expect the stock location information to be hidden everywhere, for users without that role.
Deployment Method
- Docker
- Bare metal
Version Information
Version Information:
InvenTree-Version: 0.8.1
Django Version: 3.2.15
Commit Hash: fb97385
Commit Date: 2022-08-08
Database: postgresql
Debug-Mode: False
Deployed using Docker: True
Relevant log output
No response
How does funding with Polar work?
Pay now to fund the work behind this issue.
Get updates on progress being made.
Maintainer is rewarded once the issue is completed.
Backer
You're funding impactful open source efforts
Contributor
You want to contribute to this effort
Maintainer
You want to get funding like this too