Permission on field without permission on document

Hi,

We are currently trying to get the user_image via the public API. However, since user_image is a field of the doctype “User”, we are facing some problems. We do not want to allow any users to view user profiles - even if we increase the permission level of each field on the “User” doctype, they would still be able to send password reset emails or change desktop settings for any user.

So we decided to allow access to the doctype User only for system managers. However, we still want to read the user_image via the public API. Is there any way we could achieve this?

What I can suggest is to have another doctype for photos.

That doctype can have the following fields:

  1. User (Link)
  2. Attach Image

Every time the user gets updated, it will also update the entry of that doctype.
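
One way to keep such a photo doctype in sync, as an added example that is not part of the original replies: a `doc_events` handler on User that copies only the image into the mirror record. The doctype name "User Photo", its field names `user` and `image`, the module path `my_app.photos` and the `api` parameter (a seam for running the function outside a Frappe site) are assumptions.

```python
PHOTO_DOCTYPE = "User Photo"  # hypothetical doctype: user (Link -> User), image (Attach Image)


def sync_user_photo(doc, method=None, api=None):
    """on_update handler for User. Assumed wiring in hooks.py:
    doc_events = {"User": {"on_update": "my_app.photos.sync_user_photo"}}
    """
    if api is None:
        import frappe as api  # resolved only inside a Frappe site

    existing = api.db.exists(PHOTO_DOCTYPE, {"user": doc.name})
    image = getattr(doc, "user_image", None)

    if not image:
        # Image cleared on the User: drop the mirror so no stale picture stays readable.
        if existing:
            api.delete_doc(PHOTO_DOCTYPE, existing, ignore_permissions=True)
        return None

    if existing:
        photo = api.get_doc(PHOTO_DOCTYPE, existing)
        if photo.image == image:
            return photo.name  # unchanged, skip the write
        photo.image = image
        # The user saving their profile may have no write access to the mirror doctype.
        photo.save(ignore_permissions=True)
    else:
        photo = api.new_doc(PHOTO_DOCTYPE)
        # Copy only these two values; no other User field leaves the restricted doctype.
        photo.user = doc.name
        photo.image = image
        photo.insert(ignore_permissions=True)
    return photo.name
```

Read permission is then granted on "User Photo" alone, while User stays limited to system managers, so the password reset and desktop settings actions remain out of reach for other roles.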