From 968791195a846c1484cd1e0a129619ec7901d489 Mon Sep 17 00:00:00 2001
From: Suraj Shetty
Date: Mon, 8 Oct 2018 17:04:26 +0530
Subject: [PATCH 1/8] [Hotfix] [Permission] Fix custom docperm check in get_valid_perm (#6200)
* Fix custom docperm check in get_valid_perm - Previously to get_valid perm we just used to check all the custom docperms available for the user's role and apply standard perm for any missing doctype But there might be some doctypes with custom docperms which might not match any of user's role. Such doctype's perms should not be replaced by standard docperm. This PR fixes that.
* Avoids admin lock
---
 frappe/permissions.py | 19 +++++++++++++------
 frappe/public/js/frappe/model/perm.js | 7 ++++---
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/frappe/permissions.py b/frappe/permissions.py
index cd657b7456..3b3c5b1f6d 100644
--- a/frappe/permissions.py
+++ b/frappe/permissions.py
@@ -330,7 +330,7 @@ def get_valid_perms(doctype=None, user=None):
 perms = get_perms_for(roles)
 custom_perms = get_perms_for(roles, 'Custom DocPerm')
- doctypes_with_custom_perms = list(set([d.parent for d in custom_perms]))
+ doctypes_with_custom_perms = get_doctypes_with_custom_docperms()
 for p in perms:
 if not p.parent in doctypes_with_custom_perms:
 custom_perms.append(p)
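Review bot: The new lookup changes the rule to "a doctype with any Custom DocPerm never falls back to its standard DocPerms", but nothing in the hunk says so, and `if not p.parent in doctypes_with_custom_perms:` gives no hint why a doctype whose custom rows match none of this user's roles now yields no perms at all. Add a why-comment above the loop: `# a doctype that has any Custom DocPerm is fully customised: never merge its standard DocPerms, even when none of the custom rows match this user's roles (fail closed)`. While here, `if p.parent not in doctypes_with_custom_perms:` is the idiomatic form, and wrapping the returned list in `set(...)` keeps the per-row membership test O(1). get_valid_perms starts and ends outside the hunk.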
@@ -374,11 +374,18 @@ def get_roles(user=None, with_standard=True):
 def get_perms_for(roles, perm_doctype='DocPerm'):
 '''Get perms for given roles'''
- return frappe.db.sql("""
- select * from `tab{doctype}` where docstatus=0
- and ifnull(permlevel,0)=0
- and role in ({roles})""".format(doctype = perm_doctype,
- roles=", ".join(["%s"]*len(roles))), tuple(roles), as_dict=1)
+ filters = {
+ 'permlevel': 0,
+ 'docstatus': 0,
+ 'role': ['in', roles]
+ }
+ return frappe.db.get_all(perm_doctype, fields=['*'], filters=filters)
+
+def get_doctypes_with_custom_docperms():
+ '''Returns all the doctypes with Custom Docperms'''
+
+ doctypes = frappe.db.get_all('Custom DocPerm', fields=['parent'], distinct=1)
+ return [d.parent for d in doctypes]
 def can_set_user_permissions(doctype, docname=None):
 # System Manager can always set user permissions
diff --git a/frappe/public/js/frappe/model/perm.js b/frappe/public/js/frappe/model/perm.js
index 05899119ab..3238e66b10 100644
--- a/frappe/public/js/frappe/model/perm.js
+++ b/frappe/public/js/frappe/model/perm.js
@@ -41,14 +41,15 @@ $.extend(frappe.perm, {
 var perm = [{ read: 0, apply_user_permissions: {} }];
 var meta = frappe.get_doc("DocType", doctype);
- if (!meta) {
- return perm;
- }
 if (frappe.session.user === "Administrator" || frappe.user_roles.includes("Administrator")) {
 perm[0].read = 1;
 }
+ if (!meta) {
+ return perm;
+ }
+
 frappe.perm.build_role_permissions(perm, meta);
 if(doc) {
From 301fcdefdc4d567e5159b4e23335f4b681cec211 Mon Sep 17 00:00:00 2001
From: rohitwaghchaure
Date: Mon, 8 Oct 2018 18:33:41 +0530
Subject: [PATCH 2/8] [Fix] User permissions (#6218)
* [Fix] User permissions * Update permissions.py
---
 frappe/permissions.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/frappe/permissions.py b/frappe/permissions.py
index 0c53722de1..3f526775bb 100644
--- a/frappe/permissions.py
+++ b/frappe/permissions.py
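Review bot: `get_doctypes_with_custom_docperms` takes every Custom DocPerm `parent` with no `docstatus`/`permlevel` filter, while `get_perms_for` only returns rows with `permlevel` 0 and `docstatus` 0, so a doctype whose only Custom DocPerm rows sit at a higher permlevel (or are not docstatus 0) would count as customised and lose its standard permlevel-0 perms with nothing replacing them. That fails closed rather than open, but it is a silent loss of access; either state in the docstring that any Custom DocPerm row at all marks the doctype as customised, or pass `filters={'permlevel': 0, 'docstatus': 0}` here too. Also `'role': ['in', roles]` with an empty `roles` list: the old SQL would have been a syntax error, and what `get_all` renders for an empty IN list is not visible here, so an explicit `if not roles: return []` at the top of `get_perms_for` is cheap. The `can_set_user_permissions` body that follows is outside the hunk.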
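Review bot: Moving the Administrator branch above the `!meta` early return is what "Avoids admin lock" in the description refers to, but the code carries no trace of that reason and the next tidy-up could move the guard back; a comment on the `!meta` check would pin it: `// read is granted to Administrator above even when meta is not loaded, so the admin is never locked out of a form`. Note that `frappe.user_roles.includes("Administrator")` only sets a client-side hint; the server-side permission check stays authoritative, so this does not widen access by itself. The enclosing function in `$.extend(frappe.perm, {` starts and ends outside the hunk.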
@@ -117,8 +117,6 @@ def get_doc_permissions(doc, verbose=False, user=None, ptype=None):
 if(doc.owner == frappe.session.user):
 permissions = permissions.get("if_owner")
- # if_owner does not come with create rights...
- permissions['create'] = 0
 else:
 permissions = {}
@@ -460,4 +458,4 @@ def allow_everything():
 eg. {"read": 1, "write": 1, ...}
 '''
 perm = {ptype: 1 for ptype in rights}
- return perm
\ No newline at end of file
+ return perm
From f8501b3b936a5fd93f76922bfde8f69a74ad4c90 Mon Sep 17 00:00:00 2001
From: Prateeksha Singh
Date: Wed, 10 Oct 2018 15:27:50 +0530
Subject: [PATCH 3/8] [fix] prepared report: check data format for csv
---
 .../core/doctype/prepared_report/prepared_report.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/frappe/core/doctype/prepared_report/prepared_report.py b/frappe/core/doctype/prepared_report/prepared_report.py
index 3d8481c696..3b06251564 100644
--- a/frappe/core/doctype/prepared_report/prepared_report.py
+++ b/frappe/core/doctype/prepared_report/prepared_report.py
@@ -59,7 +59,16 @@ def remove_header_meta(columns):
 def create_csv_file(columns, data, dt, dn):
 csv_filename = '{0}.csv'.format(frappe.utils.data.format_datetime(frappe.utils.now(), "Y-m-d-H:M"))
- rows = [tuple(columns)] + data
+
+ rows = []
+
+ if data:
+ row = data[0]
+ if type(row) == list:
+ rows = [tuple(columns)] + data
+ else:
+ rows = [tuple(columns)] + [row.values() for row in data]
+
 encoded = base64.b64encode(frappe.safe_encode(to_csv(rows)))
 # Call save_file function to upload and attach the file
 save_file(
From 2a7dd1603191e08fbbd783f29ddc9e1ff0871736 Mon Sep 17 00:00:00 2001
From: Saurabh
Date: Thu, 11 Oct 2018 11:24:44 +0530
Subject: [PATCH 4/8] [fix] removing injected security breach
---
 frappe/core/doctype/user/user.py | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index fd5e0671d8..4056267f7b 100644
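Review bot: Removing `permissions['create'] = 0` means a role whose only DocPerm is an `if_owner` row can now create documents whenever that row grants `create`, and the comment that justified the old restriction goes with it, so the relaxation reads as accidental rather than intended. If it is intended, replace the comment: `# if_owner perms apply as configured, including create: the creating user is the owner of a new doc`. Note this branch is only reached when `doc.owner == frappe.session.user`, so for an unsaved doc `doc.owner` presumably has to be populated before this check; otherwise the `else: permissions = {}` branch denies everything (fail closed). get_doc_permissions starts and ends outside the hunk.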
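Review bot: When `data` is empty the new code leaves `rows = []`, so the generated CSV has no header row, whereas the old `[tuple(columns)] + data` always wrote one; initialise `rows = [tuple(columns)]` before the `if data:` and only extend it inside. In the dict branch `row.values()` is emitted in dictionary iteration order, which on Python 2 (patch 4 on this page still removes `unicode`/`basestring` checks) is unrelated to column order, so values can land under the wrong header; patch 5 below replaces this branch with an explicit per-column lookup, which is the right direction. `isinstance(row, list)` is preferable to `type(row) == list`. The function continues past the hunk (the `save_file(` call is cut off).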
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -797,24 +797,17 @@ def sign_up(email, full_name, redirect_to):
 return 2, _("Please ask your administrator to verify your sign-up")
 @frappe.whitelist(allow_guest=True)
-def reset_password(user, send_email=True):
+def reset_password(user):
 if user=="Administrator":
 return 'not allowed'
- if isinstance(send_email, unicode) or isinstance(send_email, basestring):
- if send_email=='false':
- send_email = False
-
 try:
 user = frappe.get_doc("User", user)
 if not user.enabled:
 return 'disabled'
 user.validate_reset_password()
- link = user.reset_password(send_email=send_email)
-
- if not send_email:
- return { "link": link }
+ user.reset_password(send_email=True)
 return frappe.msgprint(_("Password reset instructions have been sent to your email"))
From 18da179639c1f6ec88e02c71b44cc8baa62e00d5 Mon Sep 17 00:00:00 2001
From: Rohit Waghchaure
Date: Thu, 11 Oct 2018 11:38:56 +0530
Subject: [PATCH 5/8] [Fix] General ledger prepared report
---
 .../doctype/prepared_report/prepared_report.py | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/frappe/core/doctype/prepared_report/prepared_report.py b/frappe/core/doctype/prepared_report/prepared_report.py
index 3b06251564..5dd714f2a3 100644
--- a/frappe/core/doctype/prepared_report/prepared_report.py
+++ b/frappe/core/doctype/prepared_report/prepared_report.py
@@ -36,7 +36,7 @@ class PreparedReport(Document):
 def run_background(instance):
 report = frappe.get_doc("Report", instance.ref_report_doctype)
 result = generate_report_result(report, filters=json.loads(instance.filters), user=instance.owner)
- create_csv_file(remove_header_meta(result['columns']), result['result'], 'Prepared Report', instance.name)
+ create_csv_file(result['columns'], result['result'], 'Prepared Report', instance.name)
 instance.status = "Completed"
 instance.report_end_time = frappe.utils.now()
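Review bot: Dropping `send_email` closes the hole where a guest could get the reset link back in the response, but the endpoint stays `allow_guest=True` and still returns distinguishable results — `'not allowed'`, `'disabled'`, and the success message — so it remains a user-enumeration oracle (the `except` branch for an unknown user is outside the hunk and presumably returns something different again). Consider returning the same generic message for every outcome and only sending mail when the account exists and is enabled, e.g. `if not user.enabled: return frappe.msgprint(_("Password reset instructions have been sent to your email"))`, or at least document why `'disabled'` is exposed. No throttling is visible on this guest-callable endpoint; rate limiting reset requests per user and per IP is the usual companion to this fix. Also `user.reset_password(send_email=True)` discards the returned link on purpose — say so inline, `# never return the link: it must only reach the mailbox`, so the old behaviour is not reintroduced.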
@@ -63,11 +63,20 @@ def create_csv_file(columns, data, dt, dn):
 rows = []
 if data:
+ columns_without_meta = remove_header_meta(columns)
+
 row = data[0]
 if type(row) == list:
- rows = [tuple(columns)] + data
+ rows = [tuple(columns_without_meta)] + data
 else:
- rows = [tuple(columns)] + [row.values() for row in data]
+ for row in data:
+ new_row = []
+ for col in columns:
+ key = col.get('fieldname') or col.get('label')
+ new_row.append(frappe.format(row.get(key, ''), col))
+ rows.append(new_row)
+
+ rows = [tuple(columns_without_meta)] + rows
 encoded = base64.b64encode(frappe.safe_encode(to_csv(rows)))
 # Call save_file function to upload and attach the file
From c0cf13149a5a6db6a3409e990645ac9f8e2b1200 Mon Sep 17 00:00:00 2001
From: Rohit Waghchaure
Date: Thu, 11 Oct 2018 12:12:47 +0530
Subject: [PATCH 6/8] Fixed permissions
---
 frappe/desk/query_report.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/desk/query_report.py b/frappe/desk/query_report.py
index 04b78c0741..c75a7df09e 100644
--- a/frappe/desk/query_report.py
+++ b/frappe/desk/query_report.py
@@ -180,7 +180,7 @@ def run(report_name, filters=None, user=None):
 def get_prepared_report_result(report, filters, dn=""):
 latest_report_data = {}
- doc_list = frappe.get_list("Prepared Report", filters={"status": "Completed", "report_name": report.name})
+ doc_list = frappe.get_all("Prepared Report", filters={"status": "Completed", "report_name": report.name})
 doc = None
 if len(doc_list):
 if dn:
From 6371cba97e9bf0350f211aa0988c00f82016e2da Mon Sep 17 00:00:00 2001
From: Ameya Shenoy
Date: Thu, 11 Oct 2018 06:47:36 +0000
Subject: [PATCH 7/8] bumped to version 10.1.51
---
 frappe/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/__init__.py b/frappe/__init__.py
index adf326c420..64dda2f529 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
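Review bot: `col.get('fieldname')` assumes every column is a dict; if a report returns its columns as `Label:Fieldtype:Width` strings (which this framework's query reports can do, and `remove_header_meta` presumably copes with since the list-row branch still works), the dict-row branch raises `AttributeError`. Guard it, e.g. `key = (col.get('fieldname') or col.get('label')) if isinstance(col, dict) else col.split(':')[0]`. The empty-`data` case still writes no header row, because both `rows` and `columns_without_meta` are only populated inside `if data:`; hoist `columns_without_meta = remove_header_meta(columns)` above the `if` and start from `rows = [tuple(columns_without_meta)]`. Separately, the cells come from report data and the file is meant to be opened in a spreadsheet, so a value beginning with `=`, `+`, `-` or `@` will be evaluated as a formula; if any column can carry user-entered text, neutralise such cells (a leading `'` or tab) either here or in `to_csv`.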
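Review bot: Switching `frappe.get_list` to `frappe.get_all` drops the requesting user's read-permission check on Prepared Report, and the filter here is only `status` and `report_name`, so a user who can run the report is now offered Prepared Reports generated by any user with any filters unless the code below narrows by `dn`, `filters` or owner (the rest of `get_prepared_report_result` is outside the hunk). If the intent is that access is governed by the report's own permission check in `run()`, say so: `# get_all skips doc-level permission checks; access to the report itself is checked by run()`; otherwise add `"owner": frappe.session.user` to the filters, or match `filters` against the requester's. Also `if len(doc_list):` is simply `if doc_list:`.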
@@ -14,7 +14,7 @@ import os, sys, importlib, inspect, json
 from .exceptions import *
 from .utils.jinja import get_jenv, get_template, render_template, get_email_from_template
-__version__ = '10.1.50'
+__version__ = '10.1.51'
 __title__ = "Frappe Framework"
 local = Local()
From 55af089c3b52e0d89250ef177f61546e77fabd29 Mon Sep 17 00:00:00 2001
From: Ameya Shenoy
Date: Thu, 11 Oct 2018 06:55:08 +0000
Subject: [PATCH 8/8] bumped to version 11.0.3-beta.7
---
 frappe/hooks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/hooks.py b/frappe/hooks.py
index ea851cd093..eb6731caa3 100644
--- a/frappe/hooks.py
+++ b/frappe/hooks.py
@@ -12,7 +12,7 @@ source_link = "https://github.com/frappe/frappe"
 app_license = "MIT"
 develop_version = '11.x.x-develop'
-staging_version = '11.0.3-beta.6'
+staging_version = '11.0.3-beta.7'
 app_email = "info@frappe.io"