frappe / hrms

Open Source HR and Payroll Software
https://frappe.io/hr
GNU General Public License v3.0
1.39k stars, 729 forks

Minor security issue: no permissions checks on bulk leave policy assignment #469

Closed by gbm001 1 year ago

gbm001 commented 1 year ago

Information about bug

https://github.com/frappe/hrms/blob/9ec2d108ef06f447aa6dd4dc3735d9b9521beb25/hrms/hr/doctype/leave_policy_assignment/leave_policy_assignment.py#L262

create_assignment_for_multiple_employees() in leave_policy_assignment is a whitelisted function, and should have some permissions checks on it.

I don't think this can be escalated to anything beyond 'annoying' behaviour and confirming that certain Employees exist, otherwise I would have reported this through the normal security route.

Module

HR

Version

Current Develop branch

Installation method

None

Relevant log output / Stack trace / Full Error Message.

No response

gbm001 commented 1 year ago

Never mind; I've just realised the doc.save() will do permissions...
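The two comments above describe the pattern at issue: a whitelisted (publicly callable) bulk endpoint whose only authorization gate is the permission check inside the document's save(). The block below is an added, self-contained model of that pattern and is not code from hrms or Frappe; the roles, employee IDs, `Doc`, `get_doc` and `has_permission` are stand-ins constructed for the illustration. It shows what the reporter's "confirming that certain Employees exist" residual looks like in practice, and what an up-front check at the entry point adds on top of the save-time check.

```python
"""Added example, not hrms or Frappe code: a self-contained model of a
whitelisted bulk endpoint that relies on doc.save() for authorization,
beside one that also checks at entry.  Every name below (roles, employee
IDs, Doc, get_doc, has_permission) is constructed for the illustration."""

from dataclasses import dataclass


class PermissionError(Exception):
    """Stand-in for frappe.PermissionError."""


class DoesNotExistError(Exception):
    """Stand-in for frappe.DoesNotExistError."""


# Constructed in-memory "database" and role map (sample data, not real records).
EMPLOYEES = {"HR-EMP-00001", "HR-EMP-00002"}
USER_ROLES = {
    "hr.manager@example.com": {"HR Manager", "Employee"},
    "staff@example.com": {"Employee"},
}


def has_permission(user: str, doctype: str, ptype: str) -> bool:
    """Constructed rule: only HR Manager may create Leave Policy Assignments."""
    if doctype == "Leave Policy Assignment" and ptype == "create":
        return "HR Manager" in USER_ROLES.get(user, set())
    return True


def get_doc(doctype: str, name: str) -> str:
    """Stand-in for a record lookup: raises when the record is missing."""
    if doctype == "Employee" and name not in EMPLOYEES:
        raise DoesNotExistError(f"{doctype} {name} not found")
    return name


@dataclass
class Doc:
    doctype: str
    employee: str
    owner: str
    saved: bool = False

    def save(self, ignore_permissions: bool = False) -> "Doc":
        """Models the create-permission check a new document's save() performs.
        Passing ignore_permissions=True removes that gate entirely."""
        if not ignore_permissions and not has_permission(self.owner, self.doctype, "create"):
            raise PermissionError(f"{self.owner} may not create {self.doctype}")
        self.saved = True
        return self


def bulk_assign_save_only(user: str, employees: list[str]) -> list[Doc]:
    """Whitelisted-style entry point with no check of its own: the per-employee
    lookup runs before save() gets a chance to reject the caller."""
    created = []
    for emp in employees:
        get_doc("Employee", emp)  # raises DoesNotExistError before any save()
        created.append(Doc("Leave Policy Assignment", emp, user).save())
    return created


def bulk_assign_checked(user: str, employees: list[str]) -> list[Doc]:
    """Same endpoint with an up-front authorization check, so an unprivileged
    caller is rejected before any record is looked up or touched."""
    if not has_permission(user, "Leave Policy Assignment", "create"):
        raise PermissionError(f"{user} may not create Leave Policy Assignment")
    return bulk_assign_save_only(user, employees)


def observed_error(endpoint, user: str, employees: list[str]) -> str:
    """What a caller learns from one request: the exception class name, or 'ok'."""
    try:
        endpoint(user, employees)
    except (PermissionError, DoesNotExistError) as exc:
        return type(exc).__name__
    return "ok"


if __name__ == "__main__":
    staff = "staff@example.com"
    # With save() as the only gate, a non-HR user can tell real IDs from bogus ones.
    print(observed_error(bulk_assign_save_only, staff, ["HR-EMP-00001"]))  # PermissionError
    print(observed_error(bulk_assign_save_only, staff, ["HR-EMP-99999"]))  # DoesNotExistError
    # With the entry check, both requests look the same to that user.
    print(observed_error(bulk_assign_checked, staff, ["HR-EMP-00001"]))  # PermissionError
    print(observed_error(bulk_assign_checked, staff, ["HR-EMP-99999"]))  # PermissionError
```

The second comment's point stands: a new document's save() rejects a caller without create permission, so the endpoint cannot be used to actually create assignments. What the entry check adds is that the rejection happens before any per-employee lookup, so the response no longer differs between an existing and a non-existing employee ID, and it keeps working if someone later passes `ignore_permissions=True` to the save for a legitimate reason. In a real Frappe whitelisted function the equivalent first line would be a call such as `frappe.has_permission("Leave Policy Assignment", "create")` (raising via `frappe.throw` on failure) or `frappe.only_for("HR Manager")`.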