[Authorization Bug] User still able to access a not-authorized doctype

Hi,
As Administrator, I set up a RoleA with full access on DoctypeA and created/assigned some users to it (User1, User2…).

After logging out Administrator and logging in as User1,
I observed that User1 can access and see the list of Users when I copy and paste the URL into the browser, e.g. https://somedomain/app/user

I expected User1 to only see data in the DoctypeA list, and to get access denied when going anywhere else.

This seems to be critical.
Has anyone had a similar issue?

Hi @Max_Power,

Because the User doctype has “Select” permission for the “All” role, the user just sees all users.

So please remove the “Select” right from that role and check the user list from User A.

Thank You!

2 Likes
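To make the rule @NCP describes concrete, here is an added example (not from this thread or from Frappe's code base): a small offline model of how Frappe resolves list access from DocPerm rows, with an audit that lists every doctype exposed to all logged-in users. It assumes Frappe's behaviour that each logged-in user implicitly holds the “All” (and “Guest”) role on top of the roles assigned to them; the DocPerm rows are constructed sample data shaped like the real child table.

```python
# Roles Frappe grants every logged-in user implicitly, in addition to assigned roles.
IMPLICIT_ROLES = {"All", "Guest"}

# Constructed sample DocPerm rows (parent = doctype). The second row is the
# default grant the thread reports: "Select" on User for the "All" role.
DOCPERMS = [
    {"parent": "User", "role": "System Manager", "permlevel": 0, "read": 1, "select": 1},
    {"parent": "User", "role": "All", "permlevel": 0, "read": 0, "select": 1},
    {"parent": "DoctypeA", "role": "RoleA", "permlevel": 0, "read": 1, "select": 1},
    {"parent": "Salary Slip", "role": "HR Manager", "permlevel": 0, "read": 1, "select": 0},
]


def effective_roles(assigned_roles):
    """Roles evaluated for a logged-in user: the assigned ones plus the implicit ones."""
    return set(assigned_roles) | IMPLICIT_ROLES


def can_list(doctype, assigned_roles, docperms=DOCPERMS):
    """True if a level-0 row for the doctype grants read or select to any of the user's roles.

    Either flag is enough to open the list view, which is exactly what User1 saw."""
    roles = effective_roles(assigned_roles)
    return any(
        p["parent"] == doctype
        and p["permlevel"] == 0
        and p["role"] in roles
        and (p["read"] or p["select"])
        for p in docperms
    )


def exposed_to_everyone(docperms=DOCPERMS):
    """Audit: doctypes whose list any logged-in user can open via an implicit role."""
    return sorted(
        {p["parent"] for p in docperms
         if p["permlevel"] == 0 and p["role"] in IMPLICIT_ROLES and (p["read"] or p["select"])}
    )


def remove_implicit_grant(doctype, docperms):
    """The fix suggested above: drop the doctype's grants to implicit roles, keep the rest."""
    return [p for p in docperms if not (p["parent"] == doctype and p["role"] in IMPLICIT_ROLES)]
```

Run `exposed_to_everyone()` against an export of your site's DocPerm rows to find the same kind of default grant on other doctypes before a user finds it by pasting a URL.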

That’s great @NCP ,
After removing that mapping it works well.

But I just wonder why Frappe has that mapping as the default,
since any user can then access and see the full list of users.

If I remove/uncheck that role mapping, what will the impact on the app be?

Thank you.

No @Max_Power

1 Like

Thank you @NCP ,

So, in my opinion, Frappe should not set that mapping for All by default.
Because an administrator may forget to remove it, and then someone can see all users (with full name, phone, email… which show in the list), which leads to an information leak.

Thank you.

Right @Max_Power,

But the logic has been defined in the backend, and we don’t have much idea about it.

Thank You!

1 Like