Merge pull request #38815 from AarDG10/fix-client

fix(client): add stronger checks in save and set_value endpoints

frappe/client.py

@@ -189,18 +189,21 @@ def set_value(doctype: str, name: str | int, fieldname: str | dict[str, Any], va
 	:param fieldname: fieldname string or JSON / dict with key value pair
 	:param value: value if fieldname is JSON / dict"""
 
-	if fieldname in (frappe.model.default_fields + frappe.model.child_table_fields):
+	values = {}
-		frappe.throw(_("Cannot edit standard fields"))
+	if value is not None:
-
-	if not value:
-		values = fieldname
-		if isinstance(fieldname, str):
-			try:
-				values = json.loads(fieldname)
-			except ValueError:
-				values = {fieldname: ""}
-	else:
 		values = {fieldname: value}
+	elif isinstance(fieldname, dict):
+		values = fieldname
+	elif isinstance(fieldname, str):
+		try:
+			values = json.loads(fieldname)
+		except ValueError:
+			values = {fieldname: ""}
+
+	forbidden = set(frappe.model.default_fields + frappe.model.child_table_fields)
+	for field in values:
+		if field in forbidden:
+			frappe.throw(_("Cannot edit standard fields"))
 
 	# check for child table doctype
 	if not frappe.get_meta(doctype).istable:
@@ -250,6 +253,11 @@ def save(doc: str | dict[str, Any]):
 	if isinstance(doc, str):
 		doc = json.loads(doc)
 
+	forbidden = {"docstatus", "idx"}
+	for field in doc:
+		if field in forbidden:
+			frappe.throw(_("Cannot edit standard fields"))
+
 	doc = frappe.get_doc(doc)
 	doc.save()