Merge pull request #27771 from jabir-elat/develop

Fix: Enforced user permissions on report filters for linked doctypes
This commit is contained in:
Akhil Narang 2024-10-01 12:50:10 +05:30 committed by GitHub
commit 789f0a58c7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -14,7 +14,7 @@ from frappe.desk.reportview import clean_params, parse_json
from frappe.model.utils import render_include
from frappe.modules import get_module_path, scrub
from frappe.monitor import add_data_to_monitor
from frappe.permissions import get_role_permissions
from frappe.permissions import get_role_permissions, has_permission
from frappe.utils import cint, cstr, flt, format_duration, get_html_format, sbool
@ -195,6 +195,7 @@ def run(
parent_field=None,
are_default_filters=True,
):
validate_filters_permissions(report_name, filters, user)
report = get_report_doc(report_name)
if not user:
user = frappe.session.user
@ -780,3 +781,22 @@ def get_user_match_filters(doctypes, user):
match_filters[dt] = filter_list
return match_filters
def validate_filters_permissions(report_name, filters=None, user=None):
if not filters:
return
if isinstance(filters, str):
filters = json.loads(filters)
report = frappe.get_doc("Report", report_name)
for field in report.filters:
if field.fieldname in filters and field.fieldtype == "Link":
linked_doctype = field.options
if not has_permission(doctype=linked_doctype, doc=filters[field.fieldname], user=user):
frappe.throw(
_("You do not have permission to access {0}: {1}.").format(
linked_doctype, filters[field.fieldname]
)
)
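Review bot: In `validate_filters_permissions` the filter value is passed straight to `has_permission` as `doc` with no type check, so a client-supplied list or dict (for example an operator form such as `["in", [...]]`) either fails inside `has_permission` or, if that helper only resolves string names to documents, skips the per-document check entirely while the value presumably still reaches the report query; guard it with `value = filters[field.fieldname]` and `if value and not isinstance(value, str): frappe.throw(_("Invalid value for filter {0}").format(field.label or field.fieldname))` before the permission call. The call site added in `run` also precedes the `if not user: user = frappe.session.user` default, so `user=None` reaches `has_permission`; that is only safe if the helper applies the same fallback itself, which should be confirmed. The check further covers only `Link` filters declared in the Report document's `filters` table, so `MultiSelectList`/`Dynamic Link` filters and any filters defined solely in a script report's client-side JS are not enforced here, which deserves a docstring such as `"""Reject values of Link-type report filters (declared on the Report doc) that the user may not read."""`. The enclosing `run` function continues outside the second hunk.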