Hello,
I’m encountering an issue with user permissions while creating users via the REST API in Frappe. Here’s the scenario:
- I’m creating users as Website Users, not System Users, via the REST API.
- The users log in using the ‘OAuth Bearer Token’.
- After logging in, they use the REST API to access data.
The problem arises when users access the api/resource/User endpoint. It returns all the user documents, not just the data specific to the logged-in user.
What I need:
- I want to configure the system so that when a user logs in and accesses the api/resource/User endpoint (or any other relevant endpoint), they should only be able to see their own data and not the data of all users.
- I don’t want users to access the User doctype directly because by default they can update and read all user records. Instead, I need them to only read and edit some fields specific to their own user record.
- For this, I plan to write some custom endpoints. How can I block user access to the User doctype while achieving this?
Additional Information:
- I’ve added only one role to the users, which is a custom role created by me.
What I’ve tried:
I’ve looked into role-based permissions, but it doesn’t seem to restrict access in the way I need for the REST API.
How can I configure Frappe so that a user, once logged in, can only access their own data via the REST API? Any guidance or examples would be greatly appreciated.
Thank you!
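An added example (not code from the post above, and not Frappe's own code) of the pattern usually used for this: a `permission_query_conditions` hook so that list queries on the User doctype (GET /api/resource/User) only return the caller's own row, a `has_permission` hook so single-document access (/api/resource/User/<name>) is denied for anyone else's record, and a pair of whitelisted endpoints that expose only an allow-list of fields instead of the raw doctype. The hook names and `frappe` calls are the documented ones; the app path `myapp.api`, the field allow-lists and the sample record are constructed assumptions. `frappe` is imported lazily so the decision logic runs outside a bench.

```python
# Added example: own-record-only access to the Frappe User doctype.
# Register in hooks.py (module path "myapp.api" is an assumption):
#   permission_query_conditions = {"User": "myapp.api.own_record_condition"}
#   has_permission = {"User": "myapp.api.can_access_own_record"}
import json
from typing import Any, Dict, Optional

try:
    import frappe  # present inside a Frappe bench
except ImportError:  # stand-alone run / unit test: logic still exercisable
    frappe = None

PRIVILEGED = {"Administrator"}
# Constructed allow-lists: what a Website User may read / change about themselves.
READABLE_FIELDS = ("name", "email", "first_name", "last_name", "mobile_no")
EDITABLE_FIELDS = ("first_name", "last_name", "mobile_no")


def _current_user(user: Optional[str]) -> str:
    """Resolve the acting user: explicit argument, else the Frappe session."""
    if user is None and frappe is not None:
        user = frappe.session.user
    return user or "Guest"


def own_record_condition(user: Optional[str] = None) -> str:
    """permission_query_conditions hook: Frappe appends the returned SQL
    fragment to every list/report query on User, so the REST list endpoint
    can only ever return the caller's own row."""
    user = _current_user(user)
    if user in PRIVILEGED:
        return ""        # empty string = no extra restriction
    if user == "Guest":
        return "1=0"     # anonymous callers see nothing
    # frappe.db.escape returns a quoted, escaped literal; mirror it stand-alone
    quoted = frappe.db.escape(user) if frappe is not None else "'" + user.replace("'", "''") + "'"
    return f"`tabUser`.`name` = {quoted}"


def can_access_own_record(doc, ptype: str = "read", user: Optional[str] = None) -> bool:
    """has_permission hook: called for single-document access. Returning
    False denies access even when role permissions would have allowed it."""
    user = _current_user(user)
    if user in PRIVILEGED:
        return True
    name = doc.get("name") if isinstance(doc, dict) else getattr(doc, "name", None)
    return user != "Guest" and name == user and ptype in ("read", "write")


def project(record: Dict[str, Any]) -> Dict[str, Any]:
    """Keep only allow-listed fields so secrets (api_secret, roles, ...) never leave."""
    return {k: record[k] for k in READABLE_FIELDS if k in record}


def filter_changes(changes: Dict[str, Any]) -> Dict[str, Any]:
    """Reject any field a Website User may not edit on their own record."""
    disallowed = sorted(set(changes) - set(EDITABLE_FIELDS))
    if disallowed:
        raise PermissionError(f"fields not editable via this endpoint: {disallowed}")
    return dict(changes)


def _whitelist(**kw):
    # Real @frappe.whitelist inside a bench; identity decorator otherwise.
    return frappe.whitelist(**kw) if frappe is not None else (lambda fn: fn)


@_whitelist(methods=["GET"])
def get_my_profile() -> Dict[str, Any]:
    """GET /api/method/myapp.api.get_my_profile: no name parameter is accepted,
    so the caller can only ever read their own record."""
    user = _current_user(None)
    if user == "Guest":
        raise PermissionError("login required")
    return project(frappe.get_doc("User", user).as_dict())


@_whitelist(methods=["POST"])
def update_my_profile(changes=None) -> Dict[str, Any]:
    """POST /api/method/myapp.api.update_my_profile with {"changes": {...}}."""
    user = _current_user(None)
    if user == "Guest":
        raise PermissionError("login required")
    if isinstance(changes, str):          # form-encoded bodies arrive as a JSON string
        changes = json.loads(changes)
    doc = frappe.get_doc("User", user)
    doc.update(filter_changes(changes or {}))
    # The Website User has no write permission on User; the hook-checked,
    # allow-listed update above is the only path that writes the record.
    doc.save(ignore_permissions=True)
    return project(doc.as_dict())
```

With these hooks in place the raw doctype endpoints are reduced to the caller's own record, and the custom endpoints are what clients should actually use, since they never accept a record name and only touch allow-listed fields.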