Hello,
I’m going to use REST API extensively, so I want to set up a User for this purpose.
Basically this User will be used in JS functions to retrieve data. I want this User to be able to read all docs of DocType User - meaning he can retrieve all other Users’ Level 1 fields only.
There are a number of new DocFields that are set to Level 1. All other DocFields are 0.
I have set up a new Role for this User, assigned User DocType, Level 1, Permissions as Read.
I wonder if I also have to use User Permissions. But then I’m stuck in the For Value field… this only accepts 1 value. But I need to be able to access all Docs. I ended up specifying the User’s own name as the value.
Calling api/resource/User I am able to retrieve all the “name” values:
So far so good.
Then I try to retrieve Level 1 fields of a particular user.
Calling api/resource/User?filters=[["name","=","abc@yahoo.com"]]&fields=["last_name","theme_no","idx","email"]
where
last_name = level 0
idx = level 0
email = level 0
theme_no = level 1
Strangely, all fields are returned. All values can be retrieved, which is not right! This creates a big loophole where it is possible for someone to use this account to retrieve all sorts of Level 0 fields!
What am I missing in the setup?
frappe/ERPNext v13.49
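As an added check (not part of the original post or of Frappe itself), the script below builds the same api/resource/User call with properly JSON-encoded filters and fields, and flags any returned field whose permission level the restricted role should not be able to read. The field names and levels come from the post; the base URL, the API key/secret and the sample response are constructed assumptions.

```python
"""Added example: check a Frappe REST response for fields above the role's perm level."""
import json
import urllib.parse
import urllib.request

# Permission level per field, as stated in the post.
FIELD_LEVELS = {"last_name": 0, "idx": 0, "email": 0, "theme_no": 1}


def build_user_query(base_url, name, fields):
    """Build api/resource/User?filters=...&fields=... with valid JSON (straight quotes)."""
    params = {
        "filters": json.dumps([["name", "=", name]]),
        "fields": json.dumps(list(fields)),
    }
    return f"{base_url.rstrip('/')}/api/resource/User?" + urllib.parse.urlencode(params)


def leaked_fields(response_json, allowed_levels, field_levels=FIELD_LEVELS):
    """Return the fields present in the response whose perm level is not in allowed_levels."""
    leaked = set()
    for row in response_json.get("data", []):
        for field in row:
            level = field_levels.get(field)
            if level is not None and level not in allowed_levels:
                leaked.add(field)
    return sorted(leaked)


def fetch_user(base_url, name, fields, api_key, api_secret):
    """Perform the GET as the restricted API user using Frappe's token header."""
    req = urllib.request.Request(build_user_query(base_url, name, fields))
    req.add_header("Authorization", f"token {api_key}:{api_secret}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response imitating what the post reports: every field came back.
SAMPLE_RESPONSE = {
    "data": [{"last_name": "Doe", "theme_no": 3, "idx": 0, "email": "abc@yahoo.com"}]
}

if __name__ == "__main__":
    # Assumed site; replace with fetch_user(...) against your own instance to test live.
    print(build_user_query("https://erp.example.com", "abc@yahoo.com", FIELD_LEVELS))
    print("level-0 fields returned to a level-1-only role:", leaked_fields(SAMPLE_RESPONSE, {1}))
```

An empty list from leaked_fields means the role only received the level-1 fields it was granted; anything else lists the fields to investigate in the DocType's permission rules.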