frappe.has_permission skip "User Permission" rules
tamburro92 opened this issue · 2 comments
Description of the issue
The Frappe function frappe.has_permission(), used to filter doctypes for a SQL query, skips the "User Permission" rules if they have been added, which leads to an escalation of policy: the user can see documents that they shouldn't see.
For example, in the Healthcare module, if you configure via a User Permission rule that only a specific Practitioner can see the appointments they own, the calendar view for appointments returns all the appointments instead of filtering by the rule.
Context information (for bug reports)
Output of bench version
frappe-14
Steps to reproduce the issue
- install the Healthcare module
- configure a User Permission rule for Patient Appointment to match only the practitioner name
- create different patient appointments with different practitioners
- use the calendar view for appointments as a user who is one practitioner
- the user sees all the appointments, including the ones that don't belong to him
Observed result
The function frappe.has_permission() ignores User Permission rules.
Expected result
The function frappe.has_permission() should take User Permission rules into account.
Stacktrace / full error message
Additional information
OS version / distribution, Frappe install method, etc.
This is more of a problem in usage of has_permission.
Both has_perm and frappe.get_list implement user permissions correctly, but other code has to use them over counterparts that don't check it.
tbh frappe.get_list works fine, but frappe.has_permission skips something
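Added illustration of the distinction raised in the maintainer's comment above; this is a simplified model written for this page, not Frappe's code. It contrasts a doctype-level role check, which never looks at a document and so cannot apply a User Permission rule, with a list reader that turns the rule into a row filter the way the comment attributes to frappe.get_list. The users, roles, link field and rule shape are assumed for the example.

```python
# Simplified model, not Frappe code: role check on a doctype versus
# row-level "User Permission" filtering. All names below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class UserPermission:
    user: str
    allow: str       # doctype the rule restricts on, e.g. "Healthcare Practitioner"
    for_value: str   # the only value this user is allowed to see

# Constructed sample data: two practitioners sharing one role, three appointments.
USER_PERMISSIONS = [
    UserPermission("dr.a@example.com", "Healthcare Practitioner", "Dr A"),
    UserPermission("dr.b@example.com", "Healthcare Practitioner", "Dr B"),
]
ROLE_PERMS = {"Patient Appointment": {"Physician"}}
USER_ROLES = {"dr.a@example.com": {"Physician"}, "dr.b@example.com": {"Physician"}}
APPOINTMENTS = [
    {"name": "APPT-001", "practitioner": "Dr A"},
    {"name": "APPT-002", "practitioner": "Dr B"},
    {"name": "APPT-003", "practitioner": "Dr A"},
]
# Which field of a doctype links to the doctype a User Permission restricts on.
LINK_FIELDS = {"Patient Appointment": {"Healthcare Practitioner": "practitioner"}}

def doctype_has_permission(user, doctype):
    """Role-level check only: 'may this user read this doctype at all?'.
    No document is involved, so User Permission rules cannot apply here."""
    return bool(USER_ROLES.get(user, set()) & ROLE_PERMS.get(doctype, set()))

def user_permission_filters(user, doctype):
    """Translate the user's rules into field == value filters for doctype."""
    links = LINK_FIELDS.get(doctype, {})
    return {links[p.allow]: p.for_value
            for p in USER_PERMISSIONS if p.user == user and p.allow in links}

def get_list(user, doctype, docs):
    """Row-level read: role check first, then the per-user filters."""
    if not doctype_has_permission(user, doctype):
        return []
    flt = user_permission_filters(user, doctype)
    return [d for d in docs if all(d.get(k) == v for k, v in flt.items())]

def calendar_unsafe(user, docs):
    """The pattern the report describes: gate on the doctype, return every row."""
    return docs if doctype_has_permission(user, "Patient Appointment") else []

def calendar_safe(user, docs):
    """Fetch through the row-level reader so the rule is actually enforced."""
    return get_list(user, "Patient Appointment", docs)
```

Running both calendar functions as the same practitioner shows the unsafe variant returning all three appointments while the safe one returns only that practitioner's rows.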