frappe / erpnext

Free and Open Source Enterprise Resource Planning (ERP)
https://erpnext.com
GNU General Public License v3.0

Security Issue: User can open Document which is not supposed to be seen by the user #21759

Closed paulator closed 4 years ago

paulator commented 4 years ago

Description of the issue

I have discovered this in the CRM Module: I changed Role Permission of document Lead to and activated "Only If Creator". When I go to the Leads list, I see only the Leads of the User (this is the expected behavior).

But if the user opens the document by ID, every other available document can be opened by the user which has not been created by that user. (e.g. http://localhost/desk#Form/Lead/LEAD-00012)

Context information (for bug reports)

Output of bench version

ERPNext v12.8.0
Frappe: v12.5.2

Steps to reproduce the issue

  1. Set permissions for particular user to "Only If Creator" for a Document Type
  2. Check if the user can only see its own Document
  3. Open the URL for a document that the user should not see

Observed result

User can open the Document

Expected result

User should get a message that he is not allowed to open the document

Stacktrace / full error message

No error message presented

Additional information

Using current frappe_docker images.
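The report above describes two paths to the same record, a list view that applies the "Only If Creator" filter and a direct open by ID that does not. The example below is an added illustration, not Frappe's or ERPNext's code: it models role permission rows with an `if_owner` flag, shows a list path and a by-ID path that evaluate them differently (the inconsistency that lets a user open a document the list hides), and then a single `effective_read` scope check used on both paths. All names, users, documents and the `USER_ROLES` mapping (including the assumption that every logged-in user also carries the Guest role) are constructed for the demonstration.

```python
"""Added example: why a list filter is not an authorization check.

Models an 'Only If Creator' (if_owner) rule. Vulnerable pair: the list path
filters by owner, the form path only asks "does any role grant read?".
Hardened pair: both paths use one effective scope. All data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    role: str
    read: bool = False
    if_owner: bool = False  # "Only If Creator" in Role Permission Manager terms


@dataclass(frozen=True)
class Doc:
    name: str
    doctype: str
    owner: str


# Constructed sample records: two Leads with different creators.
DOCS = {
    "LEAD-00011": Doc("LEAD-00011", "Lead", "alice@example.com"),
    "LEAD-00012": Doc("LEAD-00012", "Lead", "bob@example.com"),
}

# Constructed permission rows. The unrestricted Guest row is the kind of
# entry a broad role can carry without anyone noticing.
ROLE_PERMS = {
    "Lead": [
        Perm("Sales User", read=True, if_owner=True),
        Perm("Guest", read=True),
    ]
}

# Assumption for this model: every logged-in user also carries Guest.
USER_ROLES = {
    "alice@example.com": {"Sales User", "Guest"},
    "bob@example.com": {"Sales User", "Guest"},
}


def _matching_rows(doctype, user, perms):
    roles = USER_ROLES.get(user, set())
    return [p for p in perms.get(doctype, []) if p.read and p.role in roles]


def list_vulnerable(doctype, user, perms=ROLE_PERMS):
    """List path: restricts to own records as soon as any if_owner row matches,
    so it looks correct even when another role grants unrestricted read."""
    restrict = any(p.if_owner for p in _matching_rows(doctype, user, perms))
    return sorted(d.name for d in DOCS.values()
                  if d.doctype == doctype and (not restrict or d.owner == user))


def can_open_vulnerable(name, user, perms=ROLE_PERMS):
    """Form path: only asks whether some role grants read; ignores if_owner."""
    doc = DOCS[name]
    return bool(_matching_rows(doc.doctype, user, perms))


def effective_read(doctype, user, perms=ROLE_PERMS):
    """One scope for the whole doctype: 'all', 'own' or 'none'.
    Permissions are a union across roles, so a single unrestricted row wins."""
    scope = "none"
    for p in _matching_rows(doctype, user, perms):
        if not p.if_owner:
            return "all"
        scope = "own"
    return scope


def list_docs(doctype, user, perms=ROLE_PERMS):
    """Hardened list path: same scope computation as the form path."""
    scope = effective_read(doctype, user, perms)
    return sorted(d.name for d in DOCS.values() if d.doctype == doctype
                  and (scope == "all" or (scope == "own" and d.owner == user)))


def can_open(name, user, perms=ROLE_PERMS):
    """Hardened form path: the owner restriction is enforced per document."""
    doc = DOCS[name]
    scope = effective_read(doc.doctype, user, perms)
    return scope == "all" or (scope == "own" and doc.owner == user)


def without_role(role, perms=ROLE_PERMS):
    """Drop every row for one role, e.g. the Guest row from a quick fix."""
    return {dt: [p for p in rows if p.role != role] for dt, rows in perms.items()}


if __name__ == "__main__":
    u = "alice@example.com"
    print("vulnerable list:", list_vulnerable("Lead", u))          # own only
    print("vulnerable open LEAD-00012:", can_open_vulnerable("LEAD-00012", u))
    fixed = without_role("Guest")
    print("scope with Guest row:", effective_read("Lead", u))
    print("scope without Guest row:", effective_read("Lead", u, fixed))
    print("hardened open LEAD-00012:", can_open("LEAD-00012", u, fixed))
```

With the Guest row present, the hardened functions report scope `all` on both paths, which surfaces the misconfiguration instead of hiding it behind a filtered list; removing the row gives scope `own` everywhere and the by-ID open of another user's Lead is refused.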

surajshetty3416 commented 4 years ago

This issue has been fixed with https://github.com/frappe/erpnext/pull/21692

For a quick-fix, remove role permission for Guest (for Lead doctype) from Role Permission Manager.