REST API security problem

Hi,

Why are permission level settings not working in the REST API? Is there any reason for that? I think this is really a security bug! Anybody with a little bit of knowledge can access all fields.

Steps to reproduce:

  1. Set the permission level for some fields to 2 in any DocType
  2. Give access to this DocType at level 0 to some user role
  3. Try to access api/resource/Doctype/?fields["*"] in a browser with a user who has this role
  4. You can see that all of the fields are there

Any help with that?

Thanks

ERPNext 10 and also 11

3 Likes
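An added example, not Frappe's or ERPNext's own code, of the server-side check this report says is missing: a REST resource handler narrowing the requested fields (including the `*` wildcard) to those whose permlevel one of the user's roles may read, before any rows are returned. The field names, roles, and the `FIELD_PERMLEVELS` / `READ_PERMS` tables are constructed for illustration.

```python
"""
Hypothetical field-level read filter modelled loosely on Frappe concepts:
  - each DocType field carries a permlevel (0 by default);
  - each permission row grants a role "read" at one permlevel;
  - a user may read a field only if some role of theirs has read
    access at exactly that field's permlevel.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed DocType metadata: field name -> permlevel.
FIELD_PERMLEVELS: Dict[str, int] = {
    "name": 0,
    "customer_name": 0,
    "credit_limit": 2,      # sensitive: restricted to level 2
    "internal_notes": 2,
}

# Constructed permission rows: (role, permlevel) pairs granting read.
READ_PERMS: Set[Tuple[str, int]] = {
    ("Sales User", 0),
    ("Accounts Manager", 0),
    ("Accounts Manager", 2),
}


def readable_permlevels(roles: Iterable[str]) -> Set[int]:
    """Permlevels at which at least one of the user's roles may read."""
    roles = set(roles)
    return {level for role, level in READ_PERMS if role in roles}


def expand_fields(requested: List[str]) -> List[str]:
    """Expand the "*" wildcard against the DocType's known fields;
    unknown field names are dropped rather than passed to the query."""
    if "*" in requested:
        return list(FIELD_PERMLEVELS)
    return [f for f in requested if f in FIELD_PERMLEVELS]


def allowed_fields(requested: List[str], roles: Iterable[str]) -> List[str]:
    """Keep only requested fields whose permlevel the user can read.
    This must run server-side before the query is built; hiding
    columns in the form view alone is what the bug report bypasses."""
    levels = readable_permlevels(roles)
    return [f for f in expand_fields(requested) if FIELD_PERMLEVELS[f] in levels]


def filter_rows(rows: List[dict], requested: List[str], roles: Iterable[str]) -> List[dict]:
    """Project already-fetched rows onto the permitted field set."""
    fields = allowed_fields(requested, roles)
    return [{k: row[k] for k in fields if k in row} for row in rows]
```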

Thank you for reporting this observation janecek.mato!

I’ve reported but not confirmed what you have found [Permissions] Check field level "read" permissions for "fields" in list / report queries · Issue #16388 · frappe/erpnext · GitHub

For further follow-up notices, please subscribe to that.

This may be of interest Is there an ERPNext Security Officer? - #2 by revant_one

@rmehta @umair @revant_one please follow up with this; my report assumes that it is critical.

2 Likes

Field-level permissions have been defined only for the view and have not been uniformly enforced.

Not a severe issue, but probably should be fixed.

4 Likes