fix: use allowed pages to check perms

2026-01-14 13:20:03 +05:30 · 2026-01-14 13:20:03 +05:30 · 14eaff022c
commit 14eaff022c
parent 43393bc4f6
2 changed files with 5 additions and 10 deletions
--- a/frappe/boot.py
+++ b/frappe/boot.py
@ -161,8 +161,8 @@ def load_desktop_data(bootinfo):
 	from frappe.desk.desktop import get_workspace_sidebar_items

 	bootinfo.workspaces = get_workspace_sidebar_items()
-	bootinfo.workspace_sidebar_item = get_sidebar_items()
 	allowed_pages = [d.name for d in bootinfo.workspaces.get("pages")]
+	bootinfo.workspace_sidebar_item = get_sidebar_items(allowed_pages)
 	bootinfo.module_wise_workspaces = get_controller("Workspace").get_module_wise_workspaces()
 	bootinfo.dashboards = frappe.get_all("Dashboard")
 	bootinfo.app_data = []
@ -533,7 +533,7 @@ def get_sentry_dsn():
 	return os.getenv("FRAPPE_SENTRY_DSN")


-def get_sidebar_items():
+def get_sidebar_items(allowed_workspaces):
 	from frappe import _
 	from frappe.desk.doctype.workspace_sidebar.workspace_sidebar import auto_generate_sidebar_from_module

@ -585,7 +585,7 @@ def get_sidebar_items():
 			if (
 				"My Workspaces" in sidebar_title
 				or si.type == "Section Break"
-				or w.is_item_allowed(si.link_to, si.link_type)
+				or w.is_item_allowed(si.link_to, si.link_type, allowed_workspaces)
 			):
 				sidebar_items[sidebar_title.lower()]["items"].append(workspace_sidebar)
 	add_user_specific_sidebar(sidebar_items)
--- a/frappe/desk/doctype/workspace_sidebar/workspace_sidebar.py
+++ b/frappe/desk/doctype/workspace_sidebar/workspace_sidebar.py
@ -77,7 +77,7 @@ class WorkspaceSidebar(Document):
 		else:
 			frappe.throw(_("You need to be Workspace Manager to delete a public workspace."))

-	def is_item_allowed(self, name, item_type):
+	def is_item_allowed(self, name, item_type, allowed_workspaces):
 		if frappe.session.user == "Administrator":
 			return True

@ -100,12 +100,7 @@ class WorkspaceSidebar(Document):
 		if item_type == "url":
 			return True
 		if item_type == "workspace":
-			try:
-				workspace = frappe.get_cached_doc("Workspace", name)
-				if workspace.module in self.allowed_modules:
-					return True
-			except frappe.DoesNotExistError:
-				return False
+			return name in allowed_workspaces

 	def get_cached(self, cache_key, fallback_fn):
 		value = frappe.cache.get_value(cache_key, user=frappe.session.user)