permission add

accounting/views.py

@@ -14,6 +14,9 @@ import json
 
 @login_required
 def vat_report(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     start_date = request.GET.get('start_date')
     end_date = request.GET.get('end_date')
 

core/migrations/0038_alter_systemsetting_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.2.7 on 2026-02-11 17:17
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0037_alter_systemsetting_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='systemsetting',
+            options={'permissions': [('view_dashboard', 'Can view dashboard'), ('view_pos', 'Can access POS'), ('view_reports', 'Can view reports'), ('view_accounting', 'Can view accounting'), ('view_hr', 'Can view HR'), ('view_inventory', 'Can view inventory'), ('view_sales', 'Can view sales'), ('view_purchases', 'Can view purchases'), ('view_customers', 'Can view customers'), ('view_suppliers', 'Can view suppliers'), ('view_expenses', 'Can view expenses'), ('view_lpo', 'Can view LPO'), ('view_quotations', 'Can view quotations'), ('view_system', 'Can view system settings')]},
+        ),
+    ]

core/migrations/0039_alter_systemsetting_options.py

@@ -0,0 +1,17 @@
+# Generated by Django 5.2.7 on 2026-02-11 17:19
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0038_alter_systemsetting_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='systemsetting',
+            options={'permissions': [('view_dashboard', 'Can view dashboard'), ('view_pos', 'Can access POS'), ('view_reports', 'Can view reports'), ('view_accounting', 'Can view accounting'), ('view_hr', 'Can view HR'), ('view_inventory', 'Can view inventory'), ('view_sales', 'Can view sales'), ('view_purchases', 'Can view purchases'), ('view_customers', 'Can view customers'), ('view_suppliers', 'Can view suppliers'), ('view_expenses', 'Can view expenses'), ('view_lpo', 'Can view LPO'), ('view_quotations', 'Can view quotations'), ('view_system', 'Can view system settings')], 'verbose_name': 'System & App Access', 'verbose_name_plural': 'System & App Access'},
+        ),
+    ]

core/models.py

@@ -415,6 +415,8 @@ class SystemSetting(models.Model):
     allow_zero_stock_sales = models.BooleanField(_("Allow selling items with 0 stock"), default=False)
 
     class Meta:
+        verbose_name = _("System & App Access")
+        verbose_name_plural = _("System & App Access")
         permissions = [
             ("view_dashboard", "Can view dashboard"),
             ("view_pos", "Can access POS"),
@@ -429,6 +431,7 @@ class SystemSetting(models.Model):
             ("view_expenses", "Can view expenses"),
             ("view_lpo", "Can view LPO"),
             ("view_quotations", "Can view quotations"),
+            ("view_system", "Can view system settings"),
         ]
 
     def __str__(self):

core/templates/base.html

@@ -328,7 +328,7 @@
                 </li>
                 {% endif %}
 
-                {% if user.is_staff %}
+                {% if user.is_staff or perms.core.view_system %}
                 <!-- System Group -->
                 <li class="sidebar-group-header mt-1">
                     <a href="#systemSubmenu" data-bs-toggle="collapse" aria-expanded="{% if url_name == 'settings' or url_name == 'user_management' or url_name == 'cashier_registry' or '/admin/' in path %}true{% else %}false{% endif %}" class="dropdown-toggle-custom">
@@ -336,16 +336,21 @@
                         <i class="bi bi-chevron-down chevron"></i>
                     </a>
                     <ul class="collapse list-unstyled sub-menu {% if url_name == 'settings' or url_name == 'user_management' or url_name == 'cashier_registry' or '/admin/' in path %}show{% endif %}" id="systemSubmenu">
+                        {% if user.is_staff or perms.core.view_system %}
                         <li>
                             <a href="{% url 'settings' %}" class="{% if url_name == 'settings' %}active{% endif %}">
                                 <i class="bi bi-gear"></i> {% trans "Settings" %}
                             </a>
                         </li>
+                        {% endif %}
+                        {% if user.is_staff %}
                         <li>
                             <a href="{% url 'user_management' %}" class="{% if url_name == 'user_management' %}active{% endif %}">
                                 <i class="bi bi-person-lock"></i> {% trans "User Management" %}
                             </a>
                         </li>
+                        {% endif %}
+                        {% if user.is_staff or perms.core.view_system %}
                         <li>
                             <a href="{% url 'cashier_registry' %}" class="{% if url_name == 'cashier_registry' %}active{% endif %}">
                                 <i class="bi bi-display"></i> {% trans "Cashier Registry" %}
@@ -356,11 +361,14 @@
                                 <i class="bi bi-clock-history"></i> {% trans "Cashier Sessions" %}
                             </a>
                         </li>
+                        {% endif %}
+                        {% if user.is_staff %}
                         <li>
                             <a href="/admin/">
                                 <i class="bi bi-shield-lock"></i> {% trans "Django Admin" %}
                             </a>
                         </li>
+                        {% endif %}
                     </ul>
                 </li>
                 {% endif %}

core/views.py

@@ -1031,7 +1031,11 @@ def expense_category_delete_view(request, pk):
 
 @login_required
 def expense_report(request):
-    return render(request, 'core/expense_report.html')
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
+    start_date = request.GET.get('start_date')
+    end_date = request.GET.get('end_date')
 
 @login_required
 def export_expenses_excel(request):
@@ -1041,10 +1045,16 @@ def export_expenses_excel(request):
 
 @login_required
 def reports(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     return render(request, 'core/reports.html')
 
 @login_required
 def customer_statement(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     customers = Customer.objects.all().order_by('name')
     selected_customer = None
     sales = []
@@ -1090,6 +1100,9 @@ def customer_statement(request):
 
 @login_required
 def supplier_statement(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     suppliers = Supplier.objects.all().order_by('name')
     selected_supplier = None
     purchases = []
@@ -1135,6 +1148,9 @@ def supplier_statement(request):
 
 @login_required
 def cashflow_report(request):
+    if not (request.user.is_staff or request.user.has_perm('core.view_reports')):
+        messages.error(request, _("You do not have permission to view reports."))
+        return redirect('index')
     start_date = request.GET.get('start_date')
     end_date = request.GET.get('end_date')