I developed a system (inspired in location - user authority) to restrict the GL accounts the users can see / update in webERP.
Probably our chief accountant has the right to see / update all the accounts, but some accountants, just registering bank payments / receipts should not be able to update some accounts.
As examples, almost no-one in a company should be able to check how much the owners took as dividends or how much the company spend in the new CEO car :-). Or only the HR accountant should be able to see how much the company spends in salaries... Thousand examples, deending on every organization.
So I created a table glaccountusers with the same fields and spirit than locationusers and modified all the GL scripts needing it.
In scripts where the user can create a GL transaction, she must have the canupdate = 1 to be able to select that account.
In scripts where the user just reads information there's two possible outcomes:
a) if we can hide that account, we hide it, as in P/L or B/S.
b) if we can't hide the account (as example in a Journal inquiry) we show a fixed text "Other GL accounts" and show no details
I know outcome a) is vurtually non-possible, as users having access to P/L or B/S for sure will be allowed to see/update all GL accounts, but as a double safety measure have been done.
By default, webERp will work as it works now, so when we create a new user, she will be allowed to see/update all GL accounts, so it's a task of webERP admin to "cut rights" if needed. If you won't be using this feature, no worries, webERP will work as usual.
It has been commited just now. Has been tested, but please let me know if there's any bug.