Rest API - Restrict Fields for roles

Is there a way to restrict fields for roles when accessed via Rest API?

Eg: GET /api/resource/Person/?fields=[“name”,“first_name”]

Above should return first_name only if one of the roles added to the user has access to it

Role Permission manager doesnt work. It hides the field from UI but data is fetched when using Rest API

This is a known issue in Frappe ([Permissions] Check field level "read" permissions for "fields" in list / report queries · Issue #16388 · frappe/erpnext · GitHub) and have to wait for the fixes.

1 Like


After digging into the code i found that below function is responsible for removing the fields in the response when the document is returned

def apply_fieldlevel_read_permissions(self):
		"""Remove values the user is not allowed to read (called when loading in desk)"""
		has_higher_permlevel = False
		for p in self.get_permissions():
			if p.permlevel > 0:
				has_higher_permlevel = True

The problem is, this function is applied only when the document is loaded in desk.
What if we apply the same function to the function that serves Rest API? Will it impact somewhere else?

Here, before the response is delivered back

if name:
        if frappe.local.request.method=="GET":
          doc = frappe.get_doc(doctype, name)
          if not doc.has_permission("read"):
            raise frappe.PermissionError
          frappe.local.response.update({"data": doc})