In V5, there is a provision to share documents for users which effectively means that users who should not be allowed to share docs could even give rights to users who are unauthorized to view the documents.

Is there a way to limit who all can share the documents with others?

Sorry, Share functionality is not restrictable for now. A GitHub Issue for the same will be helpful.

This is pretty serious.

Assume a user with read-only permissions for a doctype.

Using Share, the user can assign themselves Write Access to a record by (1) going to the record, (2) sharing the record with themselves and (3) while sharing, assigning write permissions.

Then the user will have write access to the record.

I just replicated this on frappe 5.0.29.

I also disabled “share” permissions in “Doctype List” for this doctype for all roles. However, I can still share, which I believe is what Aditya is referring to above.

Yeah, it's basically a SECURITY BREACH... don't know why this kind of scenario was not thought out before the release of such a feature.

Make no mistake that this feature is indeed a pretty awesome feature, but the security should have been kept in mind.

Now I think SHARE RIGHT should only be applicable to those users who can SET PERMISSIONS on the doctype. This way it would be truly genuine and in line with expectations.

@adityaduggal looks like this will hopefully be fixed via "fix disable write sharing if you dont have write perm" by RobertSchouten (Pull Request #1996, frappe/frappe on GitHub).

thanks @RobertSchouten!


Honestly due to this I have NOT given sharing rights to those who are restricted users, basically we are NOT using the Share feature at all.

The fix is to stop users with read permission and share permission from giving write permission, but it seems this is a bigger issue?
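To make the escalation described earlier in the thread and the guard proposed in the PR concrete, here is a small Python model of the share check. It is an added example, not Frappe's share implementation and not code from anyone in this thread: the `ShareStore` class, the user names, the "Sales Order" / "SO-0001" record and the rights sets are all constructed. The `enforce=False` mode reproduces the unchecked behaviour the thread complains about; the default mode applies two checks, that the granter holds the share right on the document and that a granter can only pass on rights they themselves hold (so a read-only user cannot hand themselves write access).

```python
"""Toy model of document sharing with a permission-escalation guard.

Constructed example: users, roles and the ShareStore API are made up and
stand in for Frappe's share mechanism; this is not Frappe code.
"""

RIGHTS = ("read", "write", "share")


class ShareNotAllowed(Exception):
    """Raised when a share request would grant more than the granter holds."""


class ShareStore:
    def __init__(self, role_rights, enforce=True):
        # role_rights: {user: set of rights coming from DocType role permissions}
        # (constructed input; in Frappe these come from the permission manager)
        self.role_rights = {u: set(r) for u, r in role_rights.items()}
        self.enforce = enforce
        self.shares = {}  # (doctype, name) -> {user: set of shared rights}

    def effective_rights(self, user, doctype, name):
        """Rights from the user's roles plus anything shared with them on this record."""
        rights = set(self.role_rights.get(user, ()))
        rights |= self.shares.get((doctype, name), {}).get(user, set())
        return rights

    def add_share(self, granter, doctype, name, target, rights):
        """Share `rights` on (doctype, name) with `target`; returns target's new rights."""
        rights = set(rights)
        unknown = rights - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        if self.enforce:
            held = self.effective_rights(granter, doctype, name)
            # Check 1: you need the share right on the document to share it at all.
            if "share" not in held:
                raise ShareNotAllowed(f"{granter} has no share permission on {doctype} {name}")
            # Check 2: you can only pass on rights you hold yourself
            # (the "no write sharing without write perm" rule from the thread).
            excess = rights - held
            if excess:
                raise ShareNotAllowed(
                    f"{granter} cannot grant {sorted(excess)}; holds only {sorted(held)}"
                )
        doc_shares = self.shares.setdefault((doctype, name), {})
        doc_shares.setdefault(target, set()).update(rights)
        return sorted(self.effective_rights(target, doctype, name))


def attempt(store, granter, target, rights, doctype="Sales Order", name="SO-0001"):
    """Run one share request and report ("ok", rights) or ("denied", reason)."""
    try:
        return ("ok", store.add_share(granter, doctype, name, target, rights))
    except ShareNotAllowed as exc:
        return ("denied", str(exc))


def run_scenarios():
    """Replay the thread's scenario against an unchecked and a guarded store."""
    results = {}

    # Unchecked behaviour: a read-only user shares the record with themselves
    # and ticks "write", ending up with write access.
    lax = ShareStore({"reader": {"read"}}, enforce=False)
    results["lax_self_share"] = attempt(lax, "reader", "reader", {"read", "write"})

    # Guarded store with the same read-only user plus two others.
    strict = ShareStore({
        "reader": {"read"},                    # share permission disabled for this role
        "sharer": {"read", "share"},           # may share, but holds no write right
        "manager": {"read", "write", "share"},
    })
    results["strict_no_share_perm"] = attempt(strict, "reader", "reader", {"read", "write"})
    results["strict_cannot_grant_write"] = attempt(strict, "sharer", "sharer", {"write"})
    results["strict_manager_grants_write"] = attempt(strict, "manager", "reader", {"read", "write"})
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label}: {outcome}")
```

The first check covers the observation that disabling the share permission in the DocType permission list did not stop sharing; the second covers the read-only-to-write escalation. Both checks compute the granter's rights from roles plus existing shares, so a user who was legitimately given write access by a manager can in turn share it, while nobody can manufacture a right they were never given.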