A simple exploit can completely bypass User Permissions.
When using a Link field, a request is made to frappe.desk.search.search_link and a field ignore_user_permissions is sent. By copying the request and change the value from 0 to 1 an user can have access to documents he shouldn’t have access to, regardless of doctype configuration.
Here is the link for the whitelisted methods that receive a ignore_user_permissions as an argument frappe/frappe/desk/search.py at v15.72.3 · frappe/frappe · GitHub
I can’t figure out the intention of allowing the frontend to decide if permissions will be applied or not, must be a mistake. It seems to me that the field level configuration of “Ignore User Permissions” should always be validated in the backend.
Does this make the whole document available, or just the info exposed in the link field? It’s a problem either way.
From my tests the search_link whitelisted method returns only the name and title. search_widget in the same file is also a whitelisted method with the same problem. Don’t know if there is any other whitelisted method with this issue that provides more fields.