Security issues // Pages publicly accessible

TL;DR
Some things really scare me: I was checking my sitemap.xml file as an unauthenticated user and I found I could reach some default pages which I didn’t think I could. However, I couldn’t find any role/permission setting to disable and/or restrict access. It looks like an issue, and I could access pages of users in this community whose websites I could easily recognize as ERPNext instances. Some pages even returned me some error logs, revealing files and folder structure, which I don’t think is a good idea to show.

But mostly, it’s having access to some portal pages where access should not be allowed at all for anything related to portal, no matter how secure/insecure. Being able to access the demo page and stuff… I don’t think it should be possible.

I thought these guys might have some poorly configured servers, but that happens on your demo site, no matter if I’m logged in or not (well, all but the demo thing… I do think it’s working for a reason there :slight_smile:). Here are some accessible URIs which returned me some unwanted feedback:

project
profile
message
cart_terms => returns error log
complete_signup => returns invalid api call
search
cart
product_search => returns list of products and I can access them
demo
task_info => returns uncaught server exception log
timelog_info => returns uncaught server exception log
partners
list
courses
order => returns uncaught server exception log
job_application
tasks
discussion
all-item-groups/products
all-item-groups/products/[items-discovered]

I think there should be a lot more control over pages and routes, and maybe it’s just ignorance on my side. Can anybody point me to where I can effectively restrict access to what I explicitly make available publicly?

Hi

I am seeing similar issues.

  1. First, I looked at the DocType which has Web View enabled, but Allow Guest to View disabled.

  2. Looking at Newsletters while logged in, I can see the Newsletters (the ones that are published).

  3. After logging out, the published Newsletters are gone.

  4. However, going to the actual pages under the Newsletter HTTP path, one can still view them. Note: I have tried on another browser, refreshing the cache, etc.

I agree with @imapirate. This is a security bug.

Thank you.

Rgds,

Will