diff --git a/frappe/core/doctype/report/report.js b/frappe/core/doctype/report/report.js
index f78fd3e812..71ed0dac64 100644
--- a/frappe/core/doctype/report/report.js
+++ b/frappe/core/doctype/report/report.js
@@ -25,7 +25,7 @@ frappe.ui.form.on('Report', {
 }
 }, "fa fa-table");
- if (doc.is_standard === "Yes") {
+ if (doc.is_standard === "Yes" && frm.perm[0].write) {
 frm.add_custom_button(doc.disabled ? __("Enable Report") : __("Disable Report"), function() {
 frm.call('toggle_disable', {
 disable: doc.disabled ? 0 : 1
diff --git a/frappe/core/doctype/report/report.py b/frappe/core/doctype/report/report.py
index fb44e61cc8..af2c4e5dc2 100644
--- a/frappe/core/doctype/report/report.py
+++ b/frappe/core/doctype/report/report.py
@@ -307,6 +307,9 @@ class Report(Document):
 @frappe.whitelist()
 def toggle_disable(self, disable):
+ if not self.has_permission('write'):
+ frappe.throw(_("You are not allowed to edit the report."))
+
 self.db_set("disabled", cint(disable))
 @frappe.whitelist()
diff --git a/frappe/core/doctype/report/test_report.py b/frappe/core/doctype/report/test_report.py
index d76a1470e4..9c76c839f3 100644
--- a/frappe/core/doctype/report/test_report.py
+++ b/frappe/core/doctype/report/test_report.py
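Review bot: The new guard in `toggle_disable` raises the default `ValidationError`, because `frappe.throw` is called without an exception class, so a caller that is denied gets a generic validation failure instead of a permission error and the HTTP status is not the 403 that permission denials normally produce. On the `frappe.throw` line pass the exception explicitly, `frappe.throw(_("You are not allowed to edit the report."), frappe.PermissionError)`, so existing client-side handling of permission errors applies. If the `Document` base class in this codebase provides `check_permission`, the one-liner `self.check_permission('write')` would express the same guard and raise that exception itself. Either way, the test added in test_report.py that currently expects `ValidationError` would need to expect `frappe.PermissionError` instead. The guard is correctly placed before `db_set`; `toggle_disable` is complete within the hunk, while its enclosing class `Report` starts outside it.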
@@ -201,3 +201,27 @@ result = [
 # check values
 self.assertTrue('System User' in [d.get('type') for d in data[1]])
+
+ def test_toggle_disabled(self):
+ """Make sure that authorization is respected.
+ """
+ # Assuming that there will be reports in the system.
+ reports = frappe.get_all(doctype='Report', limit=1)
+ report_name = reports[0]['name']
+ doc = frappe.get_doc('Report', report_name)
+ status = doc.disabled
+
+ # User has write permission on reports and should pass through
+ frappe.set_user('test@example.com')
+ doc.toggle_disable(not status)
+ doc.reload()
+ self.assertNotEqual(status, doc.disabled)
+
+ # User has no write permission on reports, permission error is expected.
+ frappe.set_user('test1@example.com')
+ doc = frappe.get_doc('Report', report_name)
+ with self.assertRaises(frappe.exceptions.ValidationError):
+ doc.toggle_disable(1)
+
+ # Set user back to administrator
+ frappe.set_user('Administrator')
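Review bot: The cleanup at the end of `test_toggle_disabled` only runs on the happy path: if `assertNotEqual` or `assertRaises` fails, the session user is left as `test@example.com` or `test1@example.com` for every later test, and even when the test passes the first report's `disabled` flag stays flipped, since the denied second call never toggles it back. Wrap both scenarios in `try`/`finally` and restore the session user and the original `disabled` value there, as sketched below. The test also assumes that `test@example.com` can write Report while `test1@example.com` cannot, and that `frappe.get_all(doctype='Report', limit=1)` returns at least one row in unspecified order; those depend on fixtures not visible here, so a comment such as `# relies on test@example.com holding a role with write on Report and test1@example.com holding none` would make a future fixture change easier to diagnose. The test method is complete within the hunk; its enclosing class starts outside it.

```python
		try:
			# … unchanged: write-permitted toggle, then the denied-toggle assertion …
		finally:
			# Runs on assertion failure too: later tests must not inherit the test
			# user or the flipped `disabled` flag.
			frappe.set_user('Administrator')
			frappe.get_doc('Report', report_name).db_set('disabled', status)
```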