Is there a way to restrict fields for roles when accessed via Rest API?
E.g.: GET /api/resource/Person/?fields=["name","first_name"]
The above should return first_name only if one of the roles added to the user has access to it.
Role Permission Manager doesn't work. It hides the field from the UI, but the data is still fetched when using the REST API.
After digging into the code I found that the function below is responsible for removing the fields in the response when the document is returned:
```python
def apply_fieldlevel_read_permissions(self):
    """Remove values the user is not allowed to read (called when loading in desk)"""
    has_higher_permlevel = False
    for p in self.get_permissions():
        if p.permlevel > 0:
            has_higher_permlevel = True
```
The problem is, this function is applied only when the document is loaded in desk.
What if we apply the same function to the function that serves Rest API? Will it impact somewhere else?
Here, before the response is delivered back:
```python
doc = frappe.get_doc(doctype, name)
if not doc.has_permission("read"):
    raise frappe.PermissionError
```
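As an added stand-alone illustration (not Frappe's code and not from the original post) of running the same permlevel filtering over the document the REST handler returns: the field metadata, role permission table and helper names below are constructed assumptions that stand in for `self.meta.fields` and `self.get_permissions()`.

```python
# Constructed sample metadata: fieldname -> permlevel (0 is the default level).
PERSON_FIELDS = {
    "name": 0,
    "first_name": 0,
    "salary": 1,  # readable only by roles granted permlevel 1
    "ssn": 2,  # readable only by roles granted permlevel 2
}

# Constructed role permissions: role -> permlevels it grants read access at.
ROLE_READ_PERMLEVELS = {
    "Employee": {0},
    "HR Manager": {0, 1},
    "Payroll Admin": {0, 1, 2},
}


def readable_permlevels(user_roles):
    """Union of the permlevels readable through any of the user's roles."""
    levels = set()
    for role in user_roles:
        levels |= ROLE_READ_PERMLEVELS.get(role, set())
    return levels


def apply_fieldlevel_read_permissions(doc, user_roles, fields_meta=PERSON_FIELDS):
    """Return a copy of `doc` without the fields the user may not read.

    Same idea as the desk-side function quoted in the post (drop fields whose
    permlevel the user lacks), applied to the plain dict the REST layer
    serialises, so it can run between get_doc() and building the response.
    """
    allowed = readable_permlevels(user_roles)
    return {
        fieldname: value
        for fieldname, value in doc.items()
        # Fields missing from the meta are treated as permlevel 0 (the default).
        if fields_meta.get(fieldname, 0) in allowed
    }


def rest_get(doc, user_roles, requested_fields=None):
    """Simulate GET /api/resource/<doctype>/<name>?fields=[...] after the read check."""
    filtered = apply_fieldlevel_read_permissions(doc, user_roles)
    if requested_fields is not None:
        # Naming a field in ?fields= does not grant it: keep only what survived filtering.
        filtered = {f: filtered[f] for f in requested_fields if f in filtered}
    return filtered
```

The check has to run on the server after `has_permission("read")`, since the `fields` parameter is client-controlled and cannot be trusted to exclude restricted columns.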