From d3c01452c4d6987b718c65dacb6164e04db196ce Mon Sep 17 00:00:00 2001
From: Henrique
Date: Fri, 18 Apr 2025 02:19:55 -0300
Subject: [PATCH] fix: correct field level permissions filtering in frappe.get_list
---
 frappe/model/db_query.py | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 2aa951ee9f..36af28af0b 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -610,7 +610,6 @@ class DatabaseQuery:
 if self.flags.ignore_permissions:
 return
- asterisk_fields = []
 permitted_fields = set(
 get_permitted_fields(
 doctype=self.doctype,
@@ -621,7 +620,10 @@ class DatabaseQuery:
 )
 permitted_child_table_fields = {}
- for i, field in enumerate(self.fields):
+ # Create a copy of the fields list and reverse it to avoid index issues when removing fields
+ fields_to_check = list(enumerate(self.fields))[::-1]
+
+ for i, field in fields_to_check:
 # field: 'count(distinct `tabPhoto`.name) as total_count'
 # column: 'tabPhoto.name'
 # field: 'count(`tabPhoto`.name) as total_count'
@@ -631,9 +633,10 @@ class DatabaseQuery:
 continue
 column = columns[0]
+ # handle * fields
 if column == "*" and "*" in field:
 if not in_function("*", field):
- asterisk_fields.append(i)
+ self.fields[i : i + 1] = permitted_fields
 continue
 # handle pseudo columns
@@ -688,12 +691,6 @@ class DatabaseQuery:
 else:
 self.remove_field(i)
- # handle * fields
- j = 0
- for i in asterisk_fields:
- self.fields[i + j : i + j + 1] = permitted_fields
- j = j + len(permitted_fields) - 1
-
 def prepare_filter_condition(self, ft: FilterTuple) -> str:
 """Return a filter condition in the format:
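Review bot: The comment added above `fields_to_check` explains the reversal only as avoiding "index issues", which undersells what is at stake: this loop is the field-level read-permission filter, and any entry of `self.fields` that is not visited stays in the query unchecked. I would state the invariant directly, e.g. `# Walk a snapshot from the end: removals and the in-place * expansion only shift positions >= i, so every requested field is still checked`. That invariant assumes `remove_field(i)` never touches an index below `i`; its body is outside this patch, so it is worth confirming. The diffstat lists `db_query.py` as the only file changed, so a regression test asserting that two adjacent non-permitted fields are both dropped from a `get_list` call would pin the behaviour. `reversed(list(enumerate(self.fields)))` would also read more plainly than the `[::-1]` slice; the enclosing method begins and ends outside the hunk.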
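Review bot: `self.fields[i : i + 1] = permitted_fields` splices a `set` into the field list (it is built with `set(get_permitted_fields(...))` in the first hunk), so the column order produced for a `*` request is whatever order the set iterates in and may differ between processes. If any caller reads rows positionally, `self.fields[i : i + 1] = sorted(permitted_fields)` would make the expansion deterministic; the removed code had the same property, so this is not a regression introduced here. The splice is also only safe because the loop now runs from the highest index down, which the new `# handle * fields` comment could say: `# expand * in place; indices below i are not shifted because we iterate in reverse`. The loop body continues outside the hunk.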