fix: validate parentfield while checking child perms

2022-12-05 00:19:33 +05:30 · 2022-12-05 00:19:33 +05:30 · 73edbf7ff3
commit 73edbf7ff3
parent 41c8a808d0
1 changed files with 28 additions and 11 deletions
--- a/frappe/permissions.py
+++ b/frappe/permissions.py
@ -707,8 +707,10 @@ def has_child_permission(

 	parent_meta = frappe.get_meta(parent_doctype)

-	if parent_meta.istable or all(
-		df.options != child_doctype for df in parent_meta.get_table_fields()
+	if parent_meta.istable or not (
+		valid_parentfields := [
+			df.fieldname for df in parent_meta.get_table_fields() if df.options == child_doctype
+		]
 	):
 		push_perm_check_log(
 			_("{0} is not a valid parent DocType for {1}").format(
@ -717,15 +719,30 @@ def has_child_permission(
 		)
 		return False

-	if (
-		child_doc
-		and (permlevel := parent_meta.get_field(child_doc.parentfield).permlevel) > 0
-		and permlevel not in parent_meta.get_permlevel_access(ptype, user=user)
-	):
-		push_perm_check_log(
-			_("Insufficient Permission Level for {0}").format(frappe.bold(parent_doctype))
-		)
-		return False
+	if child_doc:
+		parentfield = child_doc.parentfield
+		if not parentfield:
+			push_perm_check_log(
+				_("Parentfield not specified in {0}: {1}").format(
+					frappe.bold(child_doctype), frappe.bold(child_doc.name)
+				)
+			)
+			return False
+
+		if parentfield not in valid_parentfields:
+			push_perm_check_log(
+				_("{0} is not a valid parentfield for {1}").format(
+					frappe.bold(parentfield), frappe.bold(child_doctype)
+				)
+			)
+			return False
+
+		permlevel = parent_meta.get_field(parentfield).permlevel
+		if permlevel > 0 and permlevel not in parent_meta.get_permlevel_access(ptype, user=user):
+			push_perm_check_log(
+				_("Insufficient Permission Level for {0}").format(frappe.bold(parent_doctype))
+			)
+			return False

 	return has_permission(
 		parent_doctype,