Add read-only inventory permission (view stock & selling price only)#4358
Add read-only inventory permission (view stock & selling price only)#4358henri1024 wants to merge 1 commit intoopensourcepos:masterfrom
Conversation
objecttothis
left a comment
objecttothis
left a comment
There was a problem hiding this comment.
Take a look at my comments and let me know what you think.
| /** | ||
| * Check if user has items_stock permission | ||
| */ | ||
| private function has_stock_permission(): bool |
There was a problem hiding this comment.
These functions seem like they could be used by other controllers. Maybe it is better to place them into something like Security_helper.php or a common place so that it can be used globally.
| */ | ||
| public function getInventory(int $item_id = NEW_ENTRY): void | ||
| { | ||
| // Check permission: only users with stock permission can update inventory |
There was a problem hiding this comment.
This comment probably isn't necessary. The if statement makes it pretty clear what the code is doing.
| */ | ||
| public function postSave(int $item_id = NEW_ENTRY): void | ||
| { | ||
| // Check if user has items_stock permission |
| */ | ||
| public function postSaveInventory($item_id = NEW_ENTRY): void | ||
| { | ||
| // Check permission: only users with stock permission can update inventory |
|
|
||
| use CodeIgniter\Database\Migration; | ||
|
|
||
| class Migration_add_items_view_permission extends Migration |
There was a problem hiding this comment.
When we enable the linter, it's not going to like this class naming.
|
|
||
| INSERT INTO `ospos_permissions` (`permission_id`, `module_id`, `location_id`) VALUES | ||
| ('items_stock', 'items', 1), | ||
| ('items_view', 'items', 1), |
There was a problem hiding this comment.
I think this file is frozen and this needs to be done through a migration.
There was a problem hiding this comment.
correct indeed, migration alone is sufficient
| $item_taxes = model(Item_taxes::class); | ||
| $tax_category = model(Tax_category::class); | ||
| $config = config(OSPOS::class)->settings; | ||
| $has_stock_permission = $permissions['has_stock_permission'] ?? true; |
There was a problem hiding this comment.
This probably should use PSR-12 compliant naming so that we are constantly moving toward PSR-12 compliance rather than away from it. $hasStockPermission.
| $icons = []; | ||
|
|
||
| // Only show edit button if user has stock permission | ||
| if ($has_stock_permission) { |
There was a problem hiding this comment.
Couldn't all three of these be placed under just one if ($has_stock_permission) { check?
| * @param string $location_name | ||
| * @return void | ||
| */ | ||
| private function _insert_new_subpermission(string $permission_id, int $location_id, string $location_name): void |
There was a problem hiding this comment.
Since PHP has function scoping (since PHP 5.0), hungarian notation to notate private functions is obsolete. I think this is why we added the TODO on line 189. I don't think we should add new functions with hungarian notation, but instead move to a PSR compliant naming for the function and for parameters. private function insertNewSubpermission(string $permissionId, int $locationId, string $locationName): void
| use App\Models\Employee; | ||
|
|
||
| $employee = model(Employee::class); | ||
| $logged_in_employee = $employee->get_logged_in_employee_info(); |
There was a problem hiding this comment.
let's make these variable names PSR compliant.
| $this->db->table('ospos_permissions')->insert($permission_data); | ||
| log_message('info', 'Inserted items_view permission.'); | ||
|
|
||
| // Grant items_view permission to all existing employees |
There was a problem hiding this comment.
@objecttothis should we grant this permission to an employee if she does not have access to the items module? I would also add this condition.
| $permission_data = [ | ||
| 'permission_id' => 'items_view', | ||
| 'module_id' => 'items', | ||
| 'location_id' => 1 |
There was a problem hiding this comment.
we should insert this data for all current active location ids. Please check if we can get rid of the hardcoded id here by iterating over active stock locations for an employee and generate the data for each of them.
|
|
||
| // Mask cost_price for view-only users | ||
| if (!$this->has_stock_permission()) { | ||
| $item_info->cost_price = 0; |
There was a problem hiding this comment.
I hope this can't lead to accidental cost price updates ? I guess if this condition holds then the user will not be able to post back the values?
|
Thanks for this useful addition, hope you can get the comments worked out so we can merge it. |
3 participants
🧾 Description
This PR introduces a new read-only inventory permission that allows specific users (e.g. shop intern) to:
while restricting access to:
This feature is intended for retail shops where clerks should be able to sell items and check stock availability without being able to modify inventory data or see sensitive cost information.
✨ Key Changes
items_view🔐 Permission Behavior
🎯 Use Case
🧪 Testing
📎 Notes