
REST API security problem

bug
security
rest-api

#1

Hi,

Why are permission level settings not working in the REST API? Is there any reason for that? I think this is really a security bug! Anybody with a little bit of knowledge can access all fields.

Steps to reproduce:

  1. Set permission level for some fields to 2 in any DocType
  2. Give access to this DocType on level 0 for some user role
  3. Try to access api/resource/Doctype/?fields["*"] in the browser with a user which has this role
  4. You can see that all of the fields are there

Any help with that?

Thanks

ERPNext 10 and also 11
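
An added audit check for the behaviour reported above (not code from the thread or from Frappe): it logs in as a test user whose role only has permlevel-0 access, reads the DocType's field definitions from the REST API, requests the listing with fields=["*"] (assumed to be the query the post means), and reports every permlevel>0 field that still comes back. The login and resource endpoints are Frappe's standard ones; the base URL, DocType, user and field names are placeholders, and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def restricted_fields(doctype_meta, allowed_permlevel=0):
    """Field names whose permlevel is above what the caller's role grants."""
    return {f["fieldname"] for f in doctype_meta.get("fields", [])
            if f.get("permlevel", 0) > allowed_permlevel}


def leaked_fields(doctype_meta, rows, allowed_permlevel=0):
    """Restricted fields that still appear as columns in the returned rows."""
    returned = set()
    for row in rows:
        returned.update(row.keys())
    return sorted(restricted_fields(doctype_meta, allowed_permlevel) & returned)


def _get_json(opener, url, form=None):
    data = urllib.parse.urlencode(form).encode() if form else None
    with opener.open(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


def audit(base_url, doctype, usr, pwd, allowed_permlevel=0):
    """Fetch the DocType meta and the fields=["*"] listing in one session."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))
    _get_json(opener, f"{base_url}/api/method/login", {"usr": usr, "pwd": pwd})
    dt = urllib.parse.quote(doctype)
    star = urllib.parse.quote('["*"]')
    meta = _get_json(opener, f"{base_url}/api/resource/DocType/{dt}")["data"]
    rows = _get_json(opener, f"{base_url}/api/resource/{dt}?fields={star}")["data"]
    return leaked_fields(meta, rows, allowed_permlevel)


# Constructed sample shaped like the two API responses (placeholder DocType
# and field names) so the comparison can be exercised offline.
SAMPLE_META = {"name": "Sample Record", "fields": [
    {"fieldname": "title", "permlevel": 0},
    {"fieldname": "salary", "permlevel": 2},
    {"fieldname": "bank_ac_no", "permlevel": 2},
]}
SAMPLE_ROWS = [{"name": "SR-0001", "title": "A", "salary": 5000,
                "bank_ac_no": "00000000"}]

if __name__ == "__main__":
    # Offline run; replace with audit("https://erp.example", "Sample Record", ...)
    print(leaked_fields(SAMPLE_META, SAMPLE_ROWS))  # ['bank_ac_no', 'salary']
```

An empty result means the listing honoured the permlevel settings for that role; any names returned are columns the server should have dropped.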


#2

Thank you for reporting this observation janecek.mato!

I’ve reported but not confirmed what you have found https://github.com/frappe/erpnext/issues/16388

For further follow-up notices, please subscribe to that.

This may be of interest: Is there an ERPNext Security Officer?

@rmehta @umair @revant_one please follow up with this, my report assumes that it is critical.


#3

Field level permissions have been defined only for the view and have not been uniformly enforced.

Not a severe issue, but probably should be fixed.