api-reviewer
API Reviewer
Expert guidance for reviewing and securing Frappe API endpoints to prevent security vulnerabilities.
Overview
Frappe makes it easy to expose API endpoints using the @frappe.whitelist() decorator. However, this convenience can lead to security holes if proper permission checks aren't implemented. This skill helps identify and fix common API security issues.
Common Security Issues
The most common API security problems in Frappe applications:
- Missing role validation: Endpoints accessible to any authenticated user
- Using frappe.get_all instead of frappe.get_list: Bypassing permission checks
- No document permission checks: Modifying records without validation
- SQL injection: Unsafe query construction with user input
- Unrestricted data access: Exposing sensitive information
See references/security-best-practices.md for detailed explanations and examples of each issue.
More from kehwar/frappe_tweaks
frappe-tweaks-power-query-expert
Expert guidance for connecting Power Query (Power BI, Excel) to Frappe apps and reports. Use when building Power Query M code for Frappe data access, integrating Frappe reports with Power BI/Excel, implementing authentication for Power Query connections, handling heavy/long-running reports with report_long_polling API to avoid timeouts, applying column types and transformations, or troubleshooting Power Query caching and connection issues.
6open-observe-api-expert
Expert guidance for OpenObserve API integration in Frappe Tweaks. Use when creating, configuring, or troubleshooting OpenObserve API DocType, implementing send_logs() or search_logs() functionality, integrating with Server Scripts/Business Logic/Client-side code, debugging connection issues, or implementing logging, monitoring, error tracking, performance metrics, or audit trail use cases.
5frappe-ci-expert
Expert guidance for setting up CI/CD tests for Frappe apps. Use when users ask about GitHub Actions workflows, CI test setup, continuous integration for Frappe apps, running tests in CI environments, database setup for CI, bench configuration in CI, or automating tests for Frappe/ERPNext applications.
4workflow-expert
Expert guidance on Frappe Workflow system including workflow structure, states and transitions, workflow actions, email notifications, permission hooks (before_transition, after_transition, filter_workflow_transitions, has_workflow_action_permission), and best practices. Use when creating workflows, implementing workflow logic, understanding state transitions, working with workflow actions, configuring email notifications, or troubleshooting workflow-related issues.
4report-expert
Expert guidance on Frappe reports including report types, structure, creation workflow, and best practices. Use when creating standard script reports, query reports, understanding report structure, working with columns and filters, or troubleshooting report-related issues.
4skill-importer
Import and synchronize skills from remote GitHub repositories. Use this skill when you need to copy skills from other repositories, maintain a list of remote skill sources, or update local skills with fresh copies from upstream sources.
4