Try ERPNext Try Frappe Cloud Buy Support Partners Foundation

Rest API - Restrict Fields for roles

Is there a way to restrict fields for roles when accessed via Rest API?

Eg: GET /api/resource/Person/?fields=[“name”,“first_name”]

Above should return first_name only if one of the roles added to the user has access to it

Role Permission manager doesnt work. It hides the field from UI but data is fetched when using Rest API

This is a known issue in Frappe (https://github.com/frappe/erpnext/issues/16388) and have to wait for the fixes.

1 Like

Hi,

After digging into the code i found that below function is responsible for removing the fields in the response when the document is returned

https://github.com/frappe/frappe/blob/4834985417b8504bcbc346e6f159166a7327bfec/frappe/model/document.py#L591

def apply_fieldlevel_read_permissions(self):
		"""Remove values the user is not allowed to read (called when loading in desk)"""
		has_higher_permlevel = False
		for p in self.get_permissions():
			if p.permlevel > 0:
				has_higher_permlevel = True
				break
.......
.......

The problem is, this function is applied only when the document is loaded in desk.
What if we apply the same function to the function that serves Rest API? Will it impact somewhere else?

Here, before the response is delivered back
https://github.com/frappe/frappe/blob/4834985417b8504bcbc346e6f159166a7327bfec/frappe/api.py#L84

if name:
        if frappe.local.request.method=="GET":
          doc = frappe.get_doc(doctype, name)
          if not doc.has_permission("read"):
            raise frappe.PermissionError
          frappe.local.response.update({"data": doc})
....
....