Bug: Updating through the REST API can be done without authentication at least once. #18021

Open
itusedyetnew opened this issue Jun 21, 2019 · 1 comment
Labels
to-validate Old issues pending validation

Comments

@itusedyetnew
Contributor

itusedyetnew commented Jun 21, 2019

I created a frappe whitelist function with an update query to a doctype and added the line:
frappe.session.user = username, where username must be one with permission to update that doctype. The first time, it updates the database without authentication. The most common username you can use is Administrator.

@ankush ankush added the to-validate Old issues pending validation label Dec 10, 2021
@Zyten

Zyten commented Jul 11, 2023

EDIT: This should probably be an issue in the frappe repo (I'm not using erpnext)

Found this while googling how to authenticate my API call to update a doctype. It does seem like I can update without using a token or password if I just add frappe.session.user = 'Administrator'

New to Frappe though so unsure if this is expected. Here's my code:

import frappe
from frappe import whitelist
import jwt

# decode_token is the commenter's own helper (not shown in the comment);
# it decodes the JWT and returns the e-mail address embedded in it.

@whitelist(allow_guest=True)   # callable by unauthenticated (Guest) requests
def activate_account(token):
    try:
        extracted_email = decode_token(token)
        user = frappe.db.get_all('openldap_signup', filters={
            'email': extracted_email}, fields=['name', 'email', 'user_name', 'is_verified'])

        if user:
            # The line the comment is about: the request came in as Guest, but the
            # session is rebound to Administrator before the write, so save() below
            # passes the permission check without any token or password.
            frappe.session.user = 'Administrator'
            user_doc = frappe.get_doc('openldap_signup', user[0]['name'])
            if user_doc.is_verified:
                return "Account already verified"
            user_doc.is_verified = 1
            user_doc.save()
            return "Successfully account created"
        else:
            return "User Verification Fail"
    except jwt.ExpiredSignatureError:
        print("Token has expired.")
        return "Account Verification Fail"
    except jwt.DecodeError:
        print("Token is invalid or cannot be decoded.")
        return "Account Verification Fail"

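A code-review check for the pattern both comments describe, added here as an example and not part of the issue thread or of Frappe itself: it parses Python source with the standard ast module and flags any function decorated whitelist(allow_guest=True) (bare or as frappe.whitelist) whose body assigns to frappe.session.user, so a guest-callable endpoint that silently elevates itself is caught before it ships. The source it scans is a constructed sample, not code from any project.

```python
import ast

# Constructed sample: one guest-callable endpoint that rebinds the session user
# (the pattern from the issue) and one non-guest helper that should not be flagged.
SAMPLE_SOURCE = '''import frappe
from frappe import whitelist
@whitelist(allow_guest=True)
def activate_account(token):
    frappe.session.user = "Administrator"
    frappe.get_doc("openldap_signup", token).save()
@frappe.whitelist()
def staff_helper():
    frappe.session.user = "Administrator"
'''

def _is_guest_whitelist(dec):
    # Matches @whitelist(allow_guest=True) and @frappe.whitelist(allow_guest=True).
    if not isinstance(dec, ast.Call):
        return False
    func = dec.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    return name == "whitelist" and any(
        kw.arg == "allow_guest" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in dec.keywords)

def _assigns_session_user(node):
    # Matches the attribute chain frappe.session.user on the left of an assignment.
    for target in node.targets:
        if (isinstance(target, ast.Attribute) and target.attr == "user"
                and isinstance(target.value, ast.Attribute) and target.value.attr == "session"
                and isinstance(target.value.value, ast.Name) and target.value.value.id == "frappe"):
            return True
    return False

def find_guest_privilege_escalation(source):
    """Return [(function_name, line)] for guest-callable endpoints that rebind
    frappe.session.user anywhere in their body."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, ast.FunctionDef) and any(_is_guest_whitelist(d) for d in fn.decorator_list):
            for node in ast.walk(fn):
                if isinstance(node, ast.Assign) and _assigns_session_user(node):
                    findings.append((fn.name, node.lineno))
    return findings

if __name__ == "__main__":
    for name, line in find_guest_privilege_escalation(SAMPLE_SOURCE):
        print(f"line {line}: guest endpoint {name!r} sets frappe.session.user")
```

Run it over an app's Python files in CI; a hit is a prompt to re-check the token and verify the write with a scoped permission rather than to elevate the whole session.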