I have a case where REST API and Role Based Permissions do not work as expected.
Here are the steps of what I did:
1- Created a NEW User as a “Web User” with all roles unchecked
2- Created API Keys for the new user
3- Created a NEW Role named “Website”
4- I assigned Role Based Permission for Doc Type “Item” with NO Permissions to Role “website”
5- I assigned only Role “Website” to the new user
6- I do an API call using the users API Keys to get “Item” list and I get ALL the items
I want to restrict what Doc Types are allowed to be accessed from API using user API Keys
NOT only for “Item” but any Doc Type.
Am I wrong or should it not let me get any Items based on Role Permissions?
Am I missing something here?
Hi there,
I’m not able to reproduce the behavior you’re describing. When my Web User tries to hit the Items API endpoint, I’m given a permissions error. Is it possible that you have an “All” permission on the Item doctype that’s giving your Web User access?
Yes Item Doctype had “All” Role access BUT It is the default setting i.e I cannot remove it
since “Save” button is hidden for DocType “Item”
I used “Role Based Permission Manager” to uncheck all Permissions for Role “All” and DocType “Item” that worked and removed “All” Role and now REST API behaves as Expected.
One thing : I could only do this as “Administrator” not any other user even if that user has all the Permissions…For any other user “All” Role is hidden from dropdown list in Role Permissions Manager.
Also I am not sure if removing “All” Role from “Item” DocType will have any side effects somewhere else…
Yes, this is intentional. Only the administrator can edit standard doctypes. For general customization (including permissions), you generally wouldn’t edit the doctype directly.
The only effect would be that users without the right roles will get permission errors when trying to read the Items table. As long as you’ve defined your role assignments to suit your use case, it shouldn’t be a problem.