fix(rest): Delete doc attr if insufficient field permissions

frappe/model/base_document.py

@@ -32,6 +32,7 @@ DOCTYPE_TABLE_FIELDS = [
 
 TABLE_DOCTYPES_FOR_DOCTYPE = {df["fieldname"]: df["options"] for df in DOCTYPE_TABLE_FIELDS}
 DOCTYPES_FOR_DOCTYPE = {"DocType", *TABLE_DOCTYPES_FOR_DOCTYPE.values()}
+_DOC_DELETED_ATTR = object()
 
 
 def get_controller(doctype):
@@ -298,8 +299,14 @@ class BaseDocument:
 	) -> dict:
 		d = _dict()
 		for fieldname in self.meta.get_valid_columns():
+			field_value = getattr(self, fieldname, _DOC_DELETED_ATTR)
+
+			# don't set if field is deleted
+			if field_value is _DOC_DELETED_ATTR:
+				continue
+
 			# column is valid, we can use getattr
-			d[fieldname] = getattr(self, fieldname, None)
+			d[fieldname] = field_value
 
 			# if no need for sanitization and value is None, continue
 			if not sanitize and d[fieldname] is None:

frappe/model/document.py

@@ -675,14 +675,14 @@ class Document(BaseDocument):
 		has_access_to = self.get_permlevel_access("read")
 
 		for df in self.meta.fields:
-			if df.permlevel and not df.permlevel in has_access_to:
-				self.set(df.fieldname, None)
+			if df.permlevel and df.permlevel not in has_access_to:
+				delattr(self, df.fieldname)
 
 		for table_field in self.meta.get_table_fields():
 			for df in frappe.get_meta(table_field.options).fields or []:
-				if df.permlevel and not df.permlevel in has_access_to:
+				if df.permlevel and df.permlevel not in has_access_to:
 					for child in self.get(table_field.fieldname) or []:
-						child.set(df.fieldname, None)
+						delattr(child, df.fieldname)
 
 	def validate_higher_perm_levels(self):
 		"""If the user does not have permissions at permlevel > 0, then reset the values to original / default"""