REST API security problem


Why are the permission level settings not working in the REST API? Is there any reason for that? I think this is really a security bug! Anybody with a little bit of knowledge can access all fields.

Steps to reproduce:

  1. Set the permission level for some fields to 2 in any DocType
  2. Give access to this DocType on level 0 for some user role
  3. Try to access `api/resource/Doctype/?fields["*"]` in the browser with a user who has this role
  4. You can see that all of the fields are there

Any help with that?


ERPNext 10 and also 11


Thank you for reporting this observation janecek.mato!

I've reported, but not confirmed, what you have found: [Permissions] Check field level "read" permissions for "fields" in list / report queries · Issue #16388 · frappe/erpnext · GitHub

For further follow-up notices please subscribe to that.

This may be of interest: Is there an ERPNext Security Officer? - #2 by revant_one

@rmehta @umair @revant_one please follow up with this; my report assumes that it is critical.


Field-level permissions have been defined only for the view and have not been uniformly enforced.

Not a severe issue, but it probably should be fixed.
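The gap described in this thread is that the field permission level is enforced when the form is rendered but not when a list query serves `fields=["*"]`. The following is an added example, not Frappe or ERPNext code, of what a server-side check on a list query would have to do: resolve the requested field list against the permission levels the caller's roles may read, expand a wildcard to the permitted fields only, and refuse an explicit request for a field above the caller's level. `DOCTYPE_META`, `ROLE_READ_PERMLEVELS` and `RECORDS` are constructed sample data standing in for a DocType definition, its role permissions and stored documents; the function names are assumptions made for the example.

```python
# Added example, not Frappe/ERPNext code: a server-side filter that only returns the
# fields whose permission level ("permlevel") the caller's roles are allowed to read.
# DOCTYPE_META, ROLE_READ_PERMLEVELS and RECORDS are constructed sample data that mimic
# a DocType definition, its role permissions and stored documents.

DOCTYPE_META = {
    "Employee": {
        "employee_name": 0,
        "department": 0,
        "salary": 2,        # sensitive, placed on permlevel 2
        "bank_account": 2,  # sensitive, placed on permlevel 2
    },
}

ROLE_READ_PERMLEVELS = {
    ("Employee", "Employee Viewer"): {0},   # the reporter's scenario: read on level 0 only
    ("Employee", "HR Manager"): {0, 2},
}

RECORDS = {
    "Employee": [
        {"employee_name": "A. Example", "department": "Sales", "salary": 5000, "bank_account": "XX-1"},
        {"employee_name": "B. Example", "department": "Ops", "salary": 6000, "bank_account": "XX-2"},
    ],
}


class FieldPermissionError(Exception):
    """Raised when the caller has no read access or explicitly asks for a field above its level."""


def readable_permlevels(doctype, roles):
    """Union of the permlevels that any of the caller's roles may read on this DocType."""
    levels = set()
    for role in roles:
        levels |= ROLE_READ_PERMLEVELS.get((doctype, role), set())
    return levels


def allowed_fields(doctype, requested, roles):
    """Resolve the requested field list against the caller's readable permlevels.

    A wildcard expands to the permitted fields only; an explicit request for a
    field above the caller's level is refused rather than silently served.
    """
    meta = DOCTYPE_META[doctype]
    levels = readable_permlevels(doctype, roles)
    if 0 not in levels:
        raise FieldPermissionError(f"no read access to {doctype}")
    if requested == ["*"]:
        return [f for f, lvl in meta.items() if lvl in levels]
    for f in requested:
        if f not in meta:
            raise ValueError(f"unknown field {f!r}")
        if meta[f] not in levels:
            raise FieldPermissionError(f"field {f!r} is on permlevel {meta[f]}")
    return list(requested)


def list_resource(doctype, requested, roles):
    """Equivalent of a list query: project stored records onto the permitted fields only."""
    fields = allowed_fields(doctype, requested, roles)
    return [{f: rec[f] for f in fields} for rec in RECORDS[doctype]]


if __name__ == "__main__":
    # Level-0 role asking for every field: the permlevel-2 fields are not returned
    print(list_resource("Employee", ["*"], ["Employee Viewer"]))
    # Role with read on levels 0 and 2 sees all fields
    print(list_resource("Employee", ["*"], ["HR Manager"]))
```

The filtering happens at the query layer, so it applies regardless of whether the caller arrives through the form view, the list view or the REST resource endpoint; the design choice to fail closed on an explicit request for a restricted field (rather than dropping it quietly) makes a misconfigured client visible in error logs instead of masking it.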