I have discovered this in the CRM Module: I changed Role Permission of document Lead to and activated "Only If Creator". When I go to the Leads list, I see only the Leads of the User (this is the expected behavior).
But if the user opens the document by ID, every other available document can be opened by the user which has not been created by that user.
(e.g. http://localhost/desk#Form/Lead/LEAD-00012)
Context information (for bug reports)
Output of bench version
ERPNext v12.8.0
Frappe: v12.5.2
Steps to reproduce the issue
Set permissions for particular user to "Only If Creator" for a Document Type
Check if the user can only see their own Documents
Open the URL for a document that the user should not see
Observed result
User can open the Document
Expected result
User should get a message that he is not allowed to open the document
Stacktrace / full error message
Additional information
Using current frappe_docker images.
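
The gap reported above (the "Only If Creator" rule filters the list view but not a lookup by document ID), as an added example that is not part of the original report and is not Frappe or ERPNext code: a small Python model in which one ownership check guards both read paths, plus an audit helper that lists documents a user can open by ID although the list view hides them. All function names, users and documents other than LEAD-00012 are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    name: str
    owner: str

# Constructed sample data (only LEAD-00012 appears in the report).
DOCS = {d.name: d for d in (
    Doc("LEAD-00011", "alice@example.com"),
    Doc("LEAD-00012", "bob@example.com"),
    Doc("LEAD-00013", "alice@example.com"),
)}

def has_permission(doc, user):
    """Hypothetical 'Only If Creator' rule: only the creator may read."""
    return doc.owner == user

def get_list(user):
    """List view: the rule is applied as a filter."""
    return sorted(d.name for d in DOCS.values() if has_permission(d, user))

def get_doc_list_only(name, user):
    """Reported behaviour: lookup by ID skips the ownership rule."""
    return DOCS[name]

def get_doc(name, user):
    """Expected behaviour: the same rule guards a direct lookup."""
    doc = DOCS[name]
    if not has_permission(doc, user):
        raise PermissionError(f"{user} is not allowed to open {name}")
    return doc

def readable_outside_list(user, getter):
    """Audit: names the user can open by ID but cannot see in the list."""
    listed = set(get_list(user))
    leaked = []
    for name in sorted(DOCS):
        try:
            getter(name, user)
        except PermissionError:
            continue
        if name not in listed:
            leaked.append(name)
    return leaked

if __name__ == "__main__":
    user = "alice@example.com"
    print("list view:", get_list(user))
    print("unchecked lookup leaks:", readable_outside_list(user, get_doc_list_only))
    print("checked lookup leaks:", readable_outside_list(user, get_doc))
```

An empty result from `readable_outside_list` is the property a regression test for this issue would assert for every restricted role.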