It appears that a brand-new user, with an extremely limited set of given permissions, is able to see way more than allowed. Any ideas?
Reproduction steps:
I have created a new role, with a very limited set of permissions, for just one doctype (Lead):
Then I created a new user and assigned only that one role.
And I limited the allowed modules to only CRM:
Now, when I log in as that user, I am able to see way more stuff, including the full user list in the system!
My setup is vanilla, the default install, from the docker frappe repo.
ERPNext: v14.25.1
Frappe Framework: v14.36.3
This is my installation:
git clone git@github.com:frappe/frappe_docker.git
cd frappe_docker
docker compose -f pwd.yml up --pull=always
I didn’t do any other modifications or extra configurations.