Link fields can be exploited to completely bypass User Permissions

A simple exploit can completely bypass User Permissions.

When using a Link field, a request is made to frappe.desk.search.search_link and a field ignore_user_permissions is sent. By copying the request and changing the value from 0 to 1, a user can gain access to documents he shouldn't have access to, regardless of doctype configuration.

Here is the link for the whitelisted methods that receive an ignore_user_permissions argument: frappe/frappe/desk/search.py at v15.72.3 · frappe/frappe · GitHub

I can’t figure out the intention of allowing the frontend to decide if permissions will be applied or not, must be a mistake. It seems to me that the field level configuration of “Ignore User Permissions” should always be validated in the backend.


Does this make the whole document available, or just the info exposed in the link field? It’s a problem either way.

From my tests the search_link whitelisted method returns only the name and title. search_widget in the same file is also a whitelisted method with the same problem. Don’t know if there is any other whitelisted method with this issue that provides more fields.
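As an added illustration, not code from this thread or from Frappe itself, the following self-contained Python model shows the server-side fix the first post argues for and covers the search_widget remark above as well: the request's ignore_user_permissions value is discarded and the flag is derived from the Link field's own configuration. The doctype metadata, records and User Permissions are constructed fixtures, and the parameter names reference_doctype / reference_fieldname are assumptions that only mirror the thread's description of the search endpoint.

```python
"""Constructed model of the search_link / search_widget permission issue.

Nothing here imports frappe; metadata, records and User Permissions are
small inline fixtures (assumptions) so the module runs offline.
"""

# Constructed metadata: Link fields and their "Ignore User Permissions"
# checkbox, the field-level configuration the thread refers to.
LINK_FIELD_META = {
    ("Sales Invoice", "customer"): {"options": "Customer", "ignore_user_permissions": 0},
    ("Sales Invoice", "territory"): {"options": "Territory", "ignore_user_permissions": 1},
}

# Constructed records of the linked doctypes: (name, title).
RECORDS = {
    "Customer": [("CUST-0001", "Acme"), ("CUST-0002", "Globex")],
    "Territory": [("North", "North"), ("South", "South")],
}

# Constructed User Permissions: user -> doctype -> allowed document names.
USER_PERMISSIONS = {
    "sales.user@example.com": {"Customer": {"CUST-0001"}, "Territory": {"North"}},
}


def allowed_names(user, doctype):
    """Names the user may see for this doctype, or None when unrestricted."""
    return USER_PERMISSIONS.get(user, {}).get(doctype)


def _search(doctype, txt, user, ignore_user_permissions):
    """Shared search core; only the caller decides how the flag is obtained."""
    allowed = allowed_names(user, doctype)
    results = []
    for name, title in RECORDS[doctype]:
        if txt.lower() not in (name + title).lower():
            continue
        # User Permissions are enforced unless the flag says to skip them.
        if not ignore_user_permissions and allowed is not None and name not in allowed:
            continue
        results.append({"value": name, "description": title})
    return results


def search_link_vulnerable(doctype, txt, user, ignore_user_permissions=0, **kwargs):
    """Honours the client-supplied flag, which is the behaviour the thread describes."""
    return _search(doctype, txt, user, bool(int(ignore_user_permissions)))


def search_link_hardened(doctype, txt, user, reference_doctype=None,
                         reference_fieldname=None, ignore_user_permissions=0, **kwargs):
    """Derives the flag from the Link field's configuration; the request value is ignored.

    The flag is honoured only when the referenced field exists, actually links
    to the doctype being searched, and is configured to ignore User Permissions.
    """
    meta = LINK_FIELD_META.get((reference_doctype, reference_fieldname))
    flag = bool(meta and meta["options"] == doctype and meta["ignore_user_permissions"])
    return _search(doctype, txt, user, flag)


if __name__ == "__main__":
    user = "sales.user@example.com"
    print("vulnerable, flag=1:", search_link_vulnerable("Customer", "", user, 1))
    print("hardened, flag=1:  ", search_link_hardened("Customer", "", user,
                                                       "Sales Invoice", "customer", 1))
```

The hardened variant keeps the parameter in the signature so existing clients keep working, but the server no longer trusts it: a tampered request against the customer field still returns only the permitted record, while a field whose configuration really does ignore User Permissions (the territory field here) still works for the user even when the client sends 0.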