Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

frappe.has_permission skip "User Permission" rules #415

Open
tamburro92 opened this issue Mar 12, 2024 · 2 comments
Open

frappe.has_permission skip "User Permission" rules #415

tamburro92 opened this issue Mar 12, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@tamburro92
Copy link
Contributor

tamburro92 commented Mar 12, 2024

Description of the issue

The Frappe function frappe.has_permission() , used to filter doctype for a SQL query, skips the "User Permission" rules if have been added, that leads to an escalation of policy and user can see document that shouldn't see.

For example in module Healthcare, if you configure that only a specific Practictioner can see the owning appointment using a User permission rule, the view calendar for appointment returns all the appointments instead of filter by rule.

Context information (for bug reports)

Output of bench version

frappe-14

Steps to reproduce the issue

  1. install healthcare module
  2. configure User permission rule for patient appointment to match only the practitioner name
  3. create different patient appointments with different practitioner
  4. use the calendar view for appointment using 1 practitioner as user
  5. the user see all the appointments also the one that doesn't belong to him

Observed result

Function function frappe.has_permission() ignores User Permission rules.

Expected result

Function function frappe.has_permission() should take care of User Permission rules.

Stacktrace / full error message

(paste here)

Additional information

OS version / distribution, Frappe install method, etc.

@tamburro92 tamburro92 added the bug Something isn't working label Mar 12, 2024
@ankush
Copy link
Collaborator

ankush commented Mar 12, 2024

This is more of a problem in usage of has_permission.

Both has_perm and frappe.get_list implement user permissions correctly, but other code have to use them over counterparts that don't check it.

@ankush ankush transferred this issue from frappe/frappe Mar 12, 2024
@tamburro92
Copy link
Contributor Author

tbh frappe.get_list works fine but frappe.has_permission skips something

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants