Permission through specific endpoint

Steven_Athouel · December 2, 2020, 10:42am

HI,
i am trying to enable any user or guest to see a tracking URL by accessing a specific URL of my frappe instance.
the Problem is that in order to resolve the tracking url, the server need to read some protected documents. I was wondering if it’s possible to allow limited access only through specific endpoint/method.

adding @frappe.whitelist(allow_guest=True) decorator does not help because the server return an error when trying to request the protected doc
I also tried to swap user within the method using frappe.set_user method with a pre defined user with limited access but i am getting an error ‘User Note Found’

someone could help please.

Steven_Athouel · December 3, 2020, 2:52pm

It seems that changing the user via frappe.set_user without changing the user again (with the original one) is working. Frappe automaticaly reset the right user after the method call (maybe it’s computed based on the cookies in client side)
But i am not sure at all that what i am saying is true
could someone help me to understand please

i.e:

@frappe.whitelist(allow_guest=True)
def some_method():
    frappe.set_user({USER_WITH_HIGHER_PERMS})
    #some stuff
    return

Thanks

Steven_Athouel · December 8, 2020, 5:05pm

I found an easier solution.
In each query using frappe.db.{some_method} adding the param ignore_permissions=True solve my problem
Of corse you have to use it carefuly !