Mastering Frappe Framework – Part 6: User Permissions & Roles

Why Permissions Matter in Frappe

If your app lets everyone see everything, it’s a security disaster.

Frappe’s built-in Role-Based Access Control (RBAC) lets you:

  • Control who can read, write, create, delete
  • Restrict access to specific documents
  • Apply complex permission rules based on field values

1. The Basics: Roles in Frappe

  • User → An account that logs into your system.
  • Role → A label that defines what a user can do (e.g., Admin, Manager, Employee).
  • Role Profile → A named collection of roles that can be assigned to a user in one step.

Example:

  • User: John → Roles: Task Manager, Employee
  • Role Task Manager → Can create, edit, and assign tasks.
  • Role Employee → Can only view tasks assigned to them.

2. Setting Up Roles

  1. Go to Desk → Role → New
  2. Name: Task Manager
  3. Save.

Repeat for Employee.


3. Assigning Roles to Users

  1. Go to Desk → User
  2. Select a user
  3. Under Roles, tick the ones you want.
  4. Save.

4. Setting Permissions for a DocType

  1. Go to Desk → DocType → ToDo Plus
  2. Open the Permissions tab.
  3. Add a rule for Task Manager:
    • Read: ✅
    • Write: ✅
    • Create: ✅
    • Delete: ✅
  4. Add a rule for Employee:
    • Read: ✅
    • Write: ❌
    • Create: ❌
    • Delete: ❌

This ensures employees can only view tasks, while managers can manage them fully.


5. Document-Level Permissions (Per User)

Sometimes you want each user to see only their own data.

Example: An Employee should only see tasks assigned to them.

  1. Go to Desk → User Permission → New
  2. User: Select the user
  3. Allow: ToDo Plus
  4. For Value: Select the specific ToDo Plus record(s) the user may access (or the value of a linked field that the records share).

Now, even if they try to access another user’s task via URL, they’ll be denied.


6. Dynamic Permissions with Scripts

You can also define permissions in Python.

In todo_plus/todo_plus/doctype/todo_plus/todo_plus.py:

import frappe

def has_permission(doc, ptype, user):
    # Task Managers may access every ToDo Plus document
    if "Task Manager" in frappe.get_roles(user):
        return True
    # Everyone else may access only documents assigned to them
    return doc.assigned_to == user

This checks:

  • If the user is a Task Manager → allow access.
  • If not → allow access only if the task is assigned to them.
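The rule above, as an added example that is not the tutorial's own code: the decision logic is kept free of Frappe imports so it can be tested without a running bench, and it goes one step beyond the post by adding the permission_query_conditions hook that Frappe applies to list and report views (a has_permission hook gates only single-document access). The assigned_to field, the user ids and the roles table are assumptions.

```python
# Added example (not the tutorial's own code): the section-6 rule as pure,
# testable logic plus the list-view filter it needs. Assumed: "ToDo Plus" has a
# Link field `assigned_to` holding a user id; roles come from an injected callable.
from dataclasses import dataclass

MANAGER_ROLE = "Task Manager"

@dataclass
class TodoPlus:
    name: str
    assigned_to: str

def decide_access(doc, user, get_roles):
    """Per-document check. True leaves the role rules from section 4 in force;
    a has_permission hook can only further restrict what those rules allow."""
    if MANAGER_ROLE in get_roles(user):
        return True
    return doc.assigned_to == user

def sql_quote(value):
    """Quote a literal for the condition string (in Frappe use frappe.db.escape()).
    Never interpolate the user id raw: it is a free-form e-mail address."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def list_condition(user, get_roles):
    """WHERE fragment for list/report views, which has_permission does not filter.
    An empty string means no extra restriction."""
    if MANAGER_ROLE in get_roles(user):
        return ""
    return f"`tabToDo Plus`.assigned_to = {sql_quote(user)}"

# Wiring inside the app, shown as comments. hooks.py:
#   has_permission = {"ToDo Plus": "todo_plus.todo_plus.doctype.todo_plus.todo_plus.has_permission"}
#   permission_query_conditions = {"ToDo Plus": "todo_plus.todo_plus.doctype.todo_plus.todo_plus.get_permission_query_conditions"}
# todo_plus.py:
#   def has_permission(doc, ptype, user): return decide_access(doc, user, frappe.get_roles)
#   def get_permission_query_conditions(user, doctype=None): return list_condition(user, frappe.get_roles)

# Constructed sample users for a stand-alone run
ROLES = {"john@example.com": ["Task Manager", "Employee"], "amy@example.com": ["Employee"]}

def fake_get_roles(user):
    return ROLES.get(user, ["Guest"])

if __name__ == "__main__":
    task = TodoPlus(name="TASK-0001", assigned_to="amy@example.com")
    for who in ("john@example.com", "amy@example.com", "bob@example.com"):
        print(who, decide_access(task, who, fake_get_roles), repr(list_condition(who, fake_get_roles)))
```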

7. Field-Level Permissions

Sometimes you want certain fields hidden or read-only for specific roles.

  1. Open your DocType.
  2. Edit the field properties:
    • Read Only: Yes
    • Perm Level: 1
  3. In Permissions, grant level 1 access only to specific roles.

Best Practices

  • Always test permissions with a non-admin account.
  • Avoid giving System Manager role unless absolutely necessary.
  • Use User Permissions for per-record security.
  • Use custom has_permission() methods for advanced logic.

Key Learnings from Part 6

  • How to create and assign roles
  • How to set read/write/create/delete permissions
  • How to restrict access to specific documents
  • How to use dynamic permissions in Python
  • How to secure fields from certain roles

What’s Next?

In Part 7, we’ll dive into Advanced Frappe Features:

  • Webhooks & external API integrations
  • Real-time updates with socket.io
  • Workflows for approvals
