Why are permission level settings not working in the REST API? Is there any reason for that? I think that this is really a security bug! Anybody with a little bit of knowledge can access all fields.
Steps to reproduce:
- Set the permission level for some fields to 2 in any DocType
- Give access to this DocType on level 0 for some user role
- Try to access api/resource/Doctype/?fields=["*"] in the browser as a user who has this role
- You can see that all of the fields are there
Any help with that?
ERPNext 10 and also 11
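
A regression check for the behaviour reported above, as an added example that is not part of the original post or ERPNext's own code: it compares the fields in a REST response with the DocType's field permission levels and the permission levels the caller's roles may read. The field names, role names, document name and response body are constructed for illustration.

```python
"""Audit a REST response against DocType field permission levels.
All data here is constructed; field and role names are hypothetical."""

# Constructed DocType metadata: fieldname -> permlevel.
FIELD_PERMLEVELS = {
    "customer_name": 0,
    "territory": 0,
    "credit_limit": 2,
    "tax_id": 2,
}

# Constructed role permission rows for the DocType: (role, permlevel, read).
DOC_PERMS = [
    ("Sales User", 0, 1),
    ("Accounts Manager", 0, 1),
    ("Accounts Manager", 2, 1),
]

# Constructed response body of api/resource/<DocType>?fields=["*"]
# as fetched by a user who only has the "Sales User" role.
API_RESPONSE = {
    "data": [
        {"name": "CUST-0001", "customer_name": "Acme", "territory": "EU",
         "credit_limit": 50000, "tax_id": "X123"},
    ]
}


def readable_levels(roles, doc_perms):
    """Return the permission levels the given roles are allowed to read."""
    return {level for role, level, read in doc_perms if read and role in roles}


def leaked_fields(response, field_permlevels, roles, doc_perms):
    """Map each returned document to the fields above the caller's read levels."""
    allowed = readable_levels(roles, doc_perms)
    leaks = {}
    for row in response.get("data", []):
        # Fields missing from the metadata (e.g. "name") are treated as level 0.
        exposed = sorted(
            field for field in row
            if field_permlevels.get(field, 0) not in allowed
        )
        if exposed:
            leaks[row.get("name")] = exposed
    return leaks


if __name__ == "__main__":
    print(leaked_fields(API_RESPONSE, FIELD_PERMLEVELS, {"Sales User"}, DOC_PERMS))
```

An empty result means every returned field is at a level the caller's roles can read; any entry names the document and the fields that should have been withheld.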