An employee can access and change (read and write) other employees' data using a URL

An employee who has “user permission” for himself and his company, and role permission to read and write the Employee docType, can navigate to any other employee's profile using a direct URL and not only read his info but also change writable fields.

If I remove role permission for the Employee doctype, then the employee cannot access/write his own profile even if there are user permissions still there, and we need him to be able to read/write his own profile.

Note: in the list view of the Employee list, the employee is unable to view other employees; only his record is showing, which is correct. But if he inputs the URL, then he can navigate to another employee's profile.

Am I missing something, or is Frappe handling role/user permissions only in listing and not putting any restriction on URLs?

PS: we are using version 11; latest by Feb 2019

1 Like
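Added here as an example, not code from this thread or from Frappe itself: a `has_permission` hook of the kind a custom app can register for the Employee doctype, so that a form opened by direct URL is checked against the session user's own Employee record instead of only the list being filtered. The app name `myapp`, the privileged role list and the sample Employee ids are assumptions.

```python
"""Frappe has_permission hook restricting Employee form access to the user's own record.

Register it in a custom app's hooks.py (app and module names are assumptions):
    has_permission = {"Employee": "myapp.permissions.employee_has_permission"}

Frappe runs has_permission hooks when a document is loaded or saved; returning
False denies the action, any other value leaves the normal role check in force.
"""

# Roles that should keep access to every Employee record (assumption; adjust to
# the roles your HR staff actually hold).
PRIVILEGED_ROLES = {"System Manager", "HR Manager", "HR User"}


def decide_employee_access(target_employee, user, own_employee, roles):
    """Pure decision logic, kept free of frappe imports so it can be unit-tested.

    target_employee: name of the Employee record being opened (doc.name)
    user:            session user id
    own_employee:    name of the Employee linked to `user` via user_id, or None
    roles:           roles held by `user`
    Returns False to deny, True to defer to the standard role permission.
    """
    if user == "Administrator" or PRIVILEGED_ROLES & set(roles):
        return True
    if own_employee is None:
        # Role grants Employee access but no record is linked to this user: deny.
        return False
    # An ordinary employee may only open the record linked to their own user.
    return target_employee == own_employee


def employee_has_permission(doc, ptype=None, user=None):
    """Entry point referenced from hooks.py. frappe.call passes doc, ptype and
    user by keyword and drops arguments the function does not declare."""
    import frappe  # imported lazily so the decision logic runs without a bench

    if doc is None:
        return True  # doctype-level check: nothing to compare against
    user = user or frappe.session.user
    own_employee = frappe.db.get_value("Employee", {"user_id": user}, "name")
    return decide_employee_access(doc.name, user, own_employee, frappe.get_roles(user))
```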

Same here.
I think we should consider opening an issue on GitHub for this. It is a big security flaw in the system.

1 Like