
Able to access any employee field without considering permissions #3765

@shivamsn97

Description

Information about bug

There is an API endpoint that can leak any value from the Employee doctype to Desk/Website users while skipping all the permission checks.

The issue is on this line: https://github.com/frappe/hrms/blob/develop/hrms/hr/utils.py#L174

Module

HR

Version

It is reproducible on all versions

Installation method

docker

Relevant log output / Stack trace / Full Error Message.

Code of Conduct

  • I agree to follow this project's Code of Conduct
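The report above describes a class of bug rather than showing the code, so the following is an added illustration, not code from hrms or from the reporter, and the handler at the linked `hrms/hr/utils.py` line is not reproduced here. It shows, in Python because Frappe apps are Python, the vulnerable shape of such an endpoint (a raw `frappe.db.get_value`-style read, which performs no permission check) next to a hardened shape that first asks for document-level read permission and then restricts the field to an allow-list. `FakeFrappe`, its method names, and every Employee row, user and role below are constructed stand-ins so the example runs offline.

```python
"""Vulnerable vs. hardened shape of a Frappe-style API endpoint that returns
one field of an Employee record.  ``FakeFrappe`` is a stand-in for the parts of
the real ``frappe`` module the handlers touch (an assumption so this runs
offline); the Employee rows, users and roles are constructed sample data."""


class PermissionDenied(Exception):
    """Stand-in for the error frappe.throw() raises when a check fails."""


class FakeFrappe:
    """Minimal model of frappe.db.get_value / frappe.has_permission / session user."""

    def __init__(self, user):
        self.user = user  # like frappe.session.user
        # Constructed sample data, not real records.
        self.roles = {
            "hr@example.com": {"HR Manager", "Employee"},
            "alice@example.com": {"Employee"},
            "bob@example.com": {"Employee"},
        }
        self.records = {
            "Employee": {
                "HR-EMP-00001": {"employee_name": "Alice", "user_id": "alice@example.com",
                                 "department": "Finance", "ctc": 120000, "bank_ac_no": "111-222"},
                "HR-EMP-00002": {"employee_name": "Bob", "user_id": "bob@example.com",
                                 "department": "Sales", "ctc": 95000, "bank_ac_no": "333-444"},
            }
        }

    def db_get_value(self, doctype, name, fieldname):
        """Like frappe.db.get_value: a raw read that performs NO permission check.
        Returns None for an unknown record or field."""
        return self.records.get(doctype, {}).get(name, {}).get(fieldname)

    def has_permission(self, doctype, ptype, doc):
        """Like frappe.has_permission(doctype, ptype, doc): HR Managers may read any
        Employee; anyone else only the Employee linked to their own user."""
        if "HR Manager" in self.roles.get(self.user, set()):
            return True
        row = self.records.get(doctype, {}).get(doc)
        return bool(row) and row.get("user_id") == self.user


# Vulnerable shape: whatever record and field the caller names is returned;
# permissions are never consulted, so any Desk/Website user reads any column.
def get_employee_field_unsafe(frappe, employee, fieldname):
    return frappe.db_get_value("Employee", employee, fieldname)


# Fields this endpoint is meant to expose; anything else is refused even to the
# record's owner so the endpoint cannot be turned into a generic column dumper.
ALLOWED_FIELDS = frozenset({"employee_name", "department"})


def get_employee_field_safe(frappe, employee, fieldname):
    """Hardened shape: document-level read permission first, then a field allow-list."""
    if not frappe.has_permission("Employee", "read", employee):
        raise PermissionDenied(f"{frappe.user} may not read Employee {employee}")
    if fieldname not in ALLOWED_FIELDS:
        raise PermissionDenied(f"field {fieldname!r} is not exposed by this endpoint")
    return frappe.db_get_value("Employee", employee, fieldname)


def probe(user, employee, fieldname):
    """Call both handlers as `user`; return (unsafe_result, safe_result_or_None, denied)."""
    frappe = FakeFrappe(user)
    unsafe = get_employee_field_unsafe(frappe, employee, fieldname)
    try:
        return unsafe, get_employee_field_safe(frappe, employee, fieldname), False
    except PermissionDenied:
        return unsafe, None, True


if __name__ == "__main__":
    # Bob (plain Employee role) asking for Alice's salary: the unsafe handler
    # hands it over, the safe one refuses.
    print(probe("bob@example.com", "HR-EMP-00001", "ctc"))
    # Bob asking for his own bank account: owner or not, the field is off-list.
    print(probe("bob@example.com", "HR-EMP-00002", "bank_ac_no"))
    # HR Manager reading a listed field of another employee: allowed by both.
    print(probe("hr@example.com", "HR-EMP-00001", "department"))
```

The order of the two checks in the hardened handler matters: the permission check goes first so a caller without read access learns nothing, not even whether a field name is on the list, and the allow-list is a deliberate second layer because a whitelisted method that accepts an arbitrary `fieldname` is a column dumper even when the caller may read the document.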
