From 99952880cc4aa8b9519a33f74517b52dc5ea0b8f Mon Sep 17 00:00:00 2001 From: Ankush Menat Date: Fri, 5 Apr 2024 18:43:55 +0530 Subject: [PATCH] fix!: Don't let users with write access to UP bypass UP IDK why we truly need this, except maybe debugging sometimes. This just causes confusion and people keep reporting this as security issue. --- frappe/permissions.py | 5 ----- frappe/tests/test_permissions.py | 7 ------- 2 files changed, 12 deletions(-) diff --git a/frappe/permissions.py b/frappe/permissions.py index 428b58a847..d0045ff7ab 100644 --- a/frappe/permissions.py +++ b/frappe/permissions.py @@ -332,11 +332,6 @@ def has_user_permission(doc, user=None, debug=False): debug and _debug_log("User is not affected by any user permissions") return True - # user can create own role permissions, so nothing applies - if get_role_permissions("User Permission", user=user).get("write"): - debug and _debug_log("User permission bypassed because user can modify user permissions.") - return True - # don't apply strict user permissions for single doctypes since they contain empty link fields apply_strict_user_permissions = ( False if doc.meta.issingle else frappe.get_system_settings("apply_strict_user_permissions") diff --git a/frappe/tests/test_permissions.py b/frappe/tests/test_permissions.py index 2258e2e817..e63fb59831 100644 --- a/frappe/tests/test_permissions.py +++ b/frappe/tests/test_permissions.py @@ -421,13 +421,6 @@ class TestPermissions(FrappeTestCase): clear_user_permissions_for_doctype("Salutation") clear_user_permissions_for_doctype("Contact") - def test_user_permissions_not_applied_if_user_can_edit_user_permissions(self): - add_user_permission("Blogger", "_Test Blogger 1", "test1@example.com") - - # test1@example.com has rights to create user permissions - # so it should not matter if explicit user permissions are not set - self.assertTrue(frappe.get_doc("Blogger", "_Test Blogger").has_permission("read")) - def test_user_permission_is_not_applied_if_user_roles_does_not_have_permission(self): add_user_permission("Blog Post", "-test-blog-post-1", "test3@example.com") frappe.set_user("test3@example.com")