Rest API - Restrict Fields for roles

Is there a way to restrict fields for roles when accessed via Rest API?

Eg: GET /api/resource/Person/?fields=["name","first_name"]

Above should return first_name only if one of the roles added to the user has access to it

Role Permission Manager doesn't work. It hides the field from the UI, but the data is still fetched when using the Rest API.

This is a known issue in Frappe ([Permissions] Check field level "read" permissions for "fields" in list / report queries · Issue #16388 · frappe/erpnext · GitHub) and we have to wait for the fixes.


Hi,

After digging into the code I found that the function below is responsible for removing the fields from the response when the document is returned:

https://github.com/frappe/frappe/blob/4834985417b8504bcbc346e6f159166a7327bfec/frappe/model/document.py#L591

def apply_fieldlevel_read_permissions(self):
    """Remove values the user is not allowed to read (called when loading in desk)"""
    has_higher_permlevel = False
    for p in self.get_permissions():
        if p.permlevel > 0:
            has_higher_permlevel = True
            break
    .......
    .......

The problem is, this function is applied only when the document is loaded in desk.
What if we apply the same function to the function that serves Rest API? Will it impact somewhere else?

Here, before the response is delivered back
https://github.com/frappe/frappe/blob/4834985417b8504bcbc346e6f159166a7327bfec/frappe/api.py#L84

if name:
    if frappe.local.request.method=="GET":
        doc = frappe.get_doc(doctype, name)
        if not doc.has_permission("read"):
            raise frappe.PermissionError
        frappe.local.response.update({"data": doc})
    ....
    ....
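To illustrate what applying the permlevel filter before the REST response would change, here is an added, self-contained Python sketch. It is not Frappe's code: the Person fields, the `ssn` field on permlevel 1, the roles and the `rest_get` helper are all made up for the illustration, and `enforce=False` reproduces the leak described in the question.

```python
from dataclasses import dataclass

# Constructed illustration (not Frappe's code): a stripped-down model of
# permlevel-based field read permissions, applied before a REST response.

@dataclass(frozen=True)
class Field:
    fieldname: str
    permlevel: int = 0

@dataclass(frozen=True)
class DocPerm:
    role: str
    permlevel: int
    read: bool = True

# Hypothetical "Person" doctype: the sensitive field sits on permlevel 1,
# which only the HR Manager role is allowed to read.
PERSON_FIELDS = [Field("name"), Field("first_name"), Field("ssn", permlevel=1)]
PERSON_PERMS = [DocPerm("Employee", 0), DocPerm("HR Manager", 1)]

def readable_permlevels(user_roles, perms):
    """Permlevels the user may read through any of their roles."""
    return {p.permlevel for p in perms if p.read and p.role in user_roles}

def apply_fieldlevel_read_permissions(doc, fields, user_roles, perms):
    """Return a copy of doc without values whose permlevel the user cannot read."""
    levels = readable_permlevels(user_roles, perms)
    hidden = {f.fieldname for f in fields if f.permlevel not in levels}
    return {k: v for k, v in doc.items() if k not in hidden}

def rest_get(doc, requested_fields, user_roles,
             fields=PERSON_FIELDS, perms=PERSON_PERMS, enforce=True):
    """Serve GET /api/resource/Person/<name>?fields=[...].

    With enforce=True the permlevel filter runs before the projection, so a
    field the caller may not read is dropped even when explicitly requested.
    enforce=False mirrors the reported behaviour: the projection alone leaks it.
    """
    if enforce:
        doc = apply_fieldlevel_read_permissions(doc, fields, user_roles, perms)
    return {k: doc[k] for k in requested_fields if k in doc}
```

Document-level `has_permission("read")` is still a separate check; this sketch only covers which field values survive once that check has passed.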