From 6dcf12d5096435528aaa48527cf2de47aa007df1 Mon Sep 17 00:00:00 2001
From: Ankush Menat
Date: Fri, 3 Feb 2023 18:07:21 +0530
Subject: [PATCH] fix: Apply permissions on Report sidebar

Alternate to https://github.com/frappe/frappe/pull/19588

Co-Authored-By: marination
---
 frappe/boot.py | 6 ++++-
 frappe/tests/test_boot.py | 46 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/frappe/boot.py b/frappe/boot.py
index 31e101aedc..c56b30a3cb 100644
--- a/frappe/boot.py
+++ b/frappe/boot.py
@@ -234,7 +234,7 @@ def get_user_pages_or_reports(parent, cache=False):
 has_role[p.name] = {"modified": p.modified, "title": p.title}
 
 elif parent == "Report":
- reports = frappe.get_all(
+ reports = frappe.get_list(
 "Report",
 fields=["name", "report_type"],
 filters={"name": ("in", has_role.keys())},
@@ -243,6 +243,10 @@ def get_user_pages_or_reports(parent, cache=False):
 for report in reports:
 has_role[report.name]["report_type"] = report.report_type
 
+ non_permitted_reports = set(has_role.keys()) - {r.name for r in reports}
+ for r in non_permitted_reports:
+ has_role.pop(r, None)
+
 # Expire every six hours
 _cache.set_value("has_role:" + parent, has_role, frappe.session.user, 21600)
 return has_role
diff --git a/frappe/tests/test_boot.py b/frappe/tests/test_boot.py
index 0b688d6aee..232c379e08 100644
--- a/frappe/tests/test_boot.py
+++ b/frappe/tests/test_boot.py
@@ -1,5 +1,5 @@
 import frappe
-from frappe.boot import get_unseen_notes
+from frappe.boot import get_unseen_notes, get_user_pages_or_reports
 from frappe.desk.doctype.note.note import mark_as_seen
 from frappe.tests.utils import FrappeTestCase
 
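Review bot: The swap from `frappe.get_all` to `frappe.get_list` on the changed line is the entire permission fix, yet nothing in the code records why that call was chosen, so a later reader can revert it as a harmless "get_all is faster" cleanup and silently reopen the issue. I would add a comment directly above the call: `# get_list, not get_all: apply role permissions and Permission Query conditions so the sidebar only lists reports the user may open`. The enclosing function get_user_pages_or_reports starts before this hunk.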
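Review bot: The three added lines in the second boot.py hunk can be expressed without the intermediate set and without the `pop(r, None)` default, which can never take effect because every name in the difference comes from `has_role` itself; a dict view already supports set difference: `for name in has_role.keys() - {r.name for r in reports}:` / `	del has_role[name]`. Since the filtered dict is then stored under `has_role:` + parent for 21600 seconds per user (the context lines just below), a change to a report's permissions or a Permission Query will not be reflected for that user until the entry expires — if that is acceptable, extend the `# Expire every six hours` comment to say the cached value is already permission-filtered. The enclosing function starts before this hunk.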
@@ -26,3 +26,47 @@ class TestBootData(FrappeTestCase):
 mark_as_seen(note.name)
 unseen_notes = [d.title for d in get_unseen_notes()]
 self.assertListEqual(unseen_notes, [])
+
+ def test_get_user_pages_or_reports_with_permission_query(self):
+ # Create a ToDo custom report with admin user
+ frappe.set_user("Administrator")
+ frappe.get_doc(
+ {
+ "doctype": "Report",
+ "ref_doctype": "ToDo",
+ "report_name": "Test Admin Report",
+ "report_type": "Report Builder",
+ "is_standard": "No",
+ }
+ ).insert()
+
+ # Add permission query such that each user can only see their own custom reports
+ frappe.get_doc(
+ dict(
+ doctype="Server Script",
+ name="test_report_permission_query",
+ script_type="Permission Query",
+ reference_doctype="Report",
+ script="""conditions = f"(`tabReport`.is_standard = 'Yes' or `tabReport`.owner = '{frappe.session.user}')"
+ """,
+ )
+ ).insert()
+
+ # Create a ToDo custom report with test user
+ frappe.set_user("test@example.com")
+ frappe.get_doc(
+ {
+ "doctype": "Report",
+ "ref_doctype": "ToDo",
+ "report_name": "Test User Report",
+ "report_type": "Report Builder",
+ "is_standard": "No",
+ }
+ ).insert(ignore_permissions=True)
+
+ get_user_pages_or_reports("Report")
+ allowed_reports = frappe.cache().get_value("has_role:Report", user=frappe.session.user)
+
+ # Test user must not see admin user's report
+ self.assertNotIn("Test Admin Report", allowed_reports)
+ self.assertIn("Test User Report", allowed_reports)
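Review bot: The new test mutates global state it never restores: `frappe.set_user("test@example.com")` stays in effect after the method returns, and the `test_report_permission_query` Server Script remains a live Permission Query on Report for every later test in the process (FrappeTestCase may roll the database back between classes, but the session user is not covered by that). Register the restores up front with `self.addCleanup(frappe.set_user, "Administrator")` and a cleanup that deletes the Server Script document. The final check also reads the result back out of the cache by key, although the function under test returns the same dict; `allowed_reports = get_user_pages_or_reports("Report")` asserts the same thing without coupling the test to the `has_role:` key format or to `frappe.cache()` being populated. The test presumably also depends on Server Scripts being enabled on the test site — worth a comment above the Server Script insert if that is a precondition.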