Bug on permissions

So I was doing some tests on permissions and I noticed a bug.

I created a user and gave no permission on that user. And I tested if I could see it’s permission.
I called the API on browser

'api/resource/Delivery Note Item?fields="*"

and it returned all the data. I tried with all child tables and it returns all the data. This is risky because users can see the data, even if you have not given them permission.


Any idea on this? This is very serious exploit.

Thanks for sharing, yes, this has to be looked into.

I was able to reproduce the issue (even without any login at all)… in Frappe Framework: v10.1.6 (master)

Affects only child tables, main doctypes are controlled well.

Created a github issue: API protection for child tables not working · Issue #5272 · frappe/frappe · GitHub

Great. You must think of a way that even if I am logged in, it must return the data I have given access, not all of them.

Thank you and I hope this issue is resolved immidiately.

I will keep track of it.


Any updates on this?
I think this is a very worrying bug!

Not yet. I am keeping track of it.

Are you aware of this exploit? @rmehta

1 Like

Thanks for reporting! Can you raise an issue on the GitHub Issues. We will push a fix in the next update.

@lasalesi has raised the issue , API protection for child tables not working · Issue #5272 · frappe/frappe · GitHub , but it seems nobody has noticed. When you fix the update please let us know because it very important.
Thank You!

Fixed and released!


That was quick. Amazing. On master branch I assume, right?

@rmehta thank you! That was quick…

If I interpret your changes in commit 807a300 correctly, then the api for childtables is now completely disabled. Does it make sense? There are certainly cases in which I need the api for childtables …

Yup. I saw the source.
Try to call with frappe.get_all() function, not with frappe.client . I have not tested it, definitely will test it.

Thanks @rmehta ! Bugfix seems to close the exploit.

In some use cases, it might be required to use the API child table function, which should be possible provided access rights. Now, it is completely locked. This is good for a security fix. In the long run, access management should be applied (allow child tables for all logged in users, or define access rules on child table and honor them).

@lasalesi If you need access to child tables, write specific end points.

We are also pushing a new fix that you can get access to childtable if you pass the parent too.

@rmehta , Can i get all child tables if I execute frappe.get_all() ?