Security Issue on searching box

Hi,

I’ve just found that user can almost open another documents/modules by utilizing searching box (on top nav bar) even they don’t have permission. I have checked role permission and module access, but via search-box they can find and open other modules/pages/documents.

Anybody experiencing the same? I’m using v5.1.2… Any setup settings I missed that cause this?

Pls help…This is pretty serious…

Thanks

Tested on demo,
I doesn’t find this problem.
https://demo.erpnext.com/desk#

Can you check Role Permissions Manager? Using this you can check Role permission.
After this check Permitted Documents For User, to see all permitted document.

I checked Role ‘All’ then remove the permission.

But if you assign User X with Role:Material User to Item Doctype then when he/she typing in searching box, then he/she can access Manufacturing module but only Item Document appears…Even for that user you don’t give access to module Manufacturing…

I think it’s becaused Item doctype is linked to not only Stock module but Manufacturing too.

But in my opinion, if we only assign that user to Stock module only, then searching box needs to reflect all security settings like on desktop, so both desktop view and searching box treat the same for users following their security profile.

Thank you