Bug: User can view data even when they don't have permission

Vulnerability: DocType Report ignores User Role Permissions and DocType Permission Level.

User can access fields that the admin wants to hide by simply changing
/desk#List/Purchase%20Receipt/List to /desk#List/Purchase%20Receipt/Report

There are 2 main problems regarding this issue.

  1. User can access the report page even when Report has been disabled from User Role Permission.
    If we disable Report from User Role Permission, all it does is remove the Report button on the Doctype List page.
    But the user can still access the Report page directly from the url.
    i.e. http://localhost:8000/desk#List/Purchase%20Receipt/Report

[screenshot: 01]

[screenshot: report]

  2. When the User is on the DocType Report page, the doctype permission level is ignored.

[screenshot: perm_level]

[screenshot: report_perm_level]

I’m on
Python 3
ERPNext: v11.0.3-beta.31 () (staging)
Frappe Framework: v11.0.3-beta.40 () (staging)

Github issue: [Bug: Important] V11 - DocType Report Ignored User Role Permissions · Issue #6674 · frappe/frappe · GitHub

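The two server-side checks this report says the Report view skips, written out as an added example that is not Frappe's own code: `Field` and `DocPerm` are simplified stand-ins for Frappe's DocField and DocPerm rows, the Purchase Receipt fields, roles and the level-1 `supplier_rate` field are constructed sample data, and `build_report_query` is a hypothetical helper rather than a Frappe API. The point it makes is that both the "Report" role flag and the per-field permlevel have to be enforced where the query is built, not by hiding a button in the client.

```python
"""Server-side enforcement of report permission and field permlevel.

Added example, not Frappe's own code: it models the two checks the thread
says the report view skips. Field/DocPerm are simplified stand-ins for
Frappe's DocField and DocPerm, and the sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Field:
    fieldname: str
    permlevel: int = 0        # 0 = visible to any reader, 1+ = restricted


@dataclass(frozen=True)
class DocPerm:
    role: str
    permlevel: int
    read: bool = False
    report: bool = False      # the "Report" checkbox in Role Permission Manager


# Constructed sample: Purchase Receipt with one level-1 field the admin hides.
PURCHASE_RECEIPT_FIELDS = (
    Field("name"),
    Field("supplier"),
    Field("posting_date"),
    Field("supplier_rate", permlevel=1),
)
PURCHASE_RECEIPT_PERMS = (
    DocPerm("Purchase User", 0, read=True, report=False),
    DocPerm("Purchase Analyst", 0, read=True, report=True),
    DocPerm("Purchase Manager", 0, read=True, report=True),
    DocPerm("Purchase Manager", 1, read=True),
)


def can_run_report(perms: Iterable[DocPerm], roles: set) -> bool:
    """Report access is decided here, on the server, not by hiding a button."""
    return any(p.role in roles and p.report for p in perms)


def allowed_fields(fields: Iterable[Field], perms: Iterable[DocPerm], roles: set) -> list:
    """Fieldnames whose permlevel the user holds 'read' on through some role."""
    levels = {p.permlevel for p in perms if p.role in roles and p.read}
    return [f.fieldname for f in fields if f.permlevel in levels]


def build_report_query(fields, perms, roles, requested, filters=(), order_by=None):
    """Return (select, filters, order_by) restricted to readable fields.

    Unreadable columns are silently dropped from the SELECT list. A filter or
    ORDER BY on an unreadable field is rejected outright: even though the
    column is never returned, letting the user filter or sort on it would
    reveal its value through which rows come back and in what order.
    """
    if not can_run_report(perms, roles):
        raise PermissionError("no 'report' permission for these roles")
    allowed = allowed_fields(fields, perms, roles)
    if "*" in requested:
        select = list(allowed)
    else:
        select = [f for f in requested if f in allowed]
    for fieldname, _op, _value in filters:
        if fieldname not in allowed:
            raise PermissionError(f"filter on restricted field {fieldname!r}")
    if order_by and order_by.split()[0] not in allowed:
        raise PermissionError(f"order by restricted field {order_by!r}")
    return select, list(filters), order_by


if __name__ == "__main__":
    analyst = {"Purchase Analyst"}   # may run reports, but has no permlevel-1 read
    print(build_report_query(PURCHASE_RECEIPT_FIELDS, PURCHASE_RECEIPT_PERMS,
                             analyst, ["name", "supplier_rate"]))
    try:
        build_report_query(PURCHASE_RECEIPT_FIELDS, PURCHASE_RECEIPT_PERMS,
                           analyst, ["name"], filters=[("supplier_rate", ">", 100)])
    except PermissionError as exc:
        print("rejected:", exc)
```

Running the block shows `supplier_rate` being stripped from the analyst's column list and the filter on it being refused; a user whose roles carry no "Report" flag is refused before any query is built, regardless of which URL they typed.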

Hi, I think this is really important and a big vulnerability.

Should anyone take a look at this?

Possibly what you have found is similar in nature to this recent report in the erpnext queue that rmehta reviewed [Permissions] Check field level "read" permissions for "fields" in list / report queries · Issue #16388 · frappe/erpnext · GitHub

Could someone well versed and qualified comment here? Thanks.