From e4485bebb0a0d981e35acde0ee5387f076402211 Mon Sep 17 00:00:00 2001
From: jabir-elat
Date: Fri, 13 Sep 2024 16:15:31 +0000
Subject: [PATCH 1/5] fix(query_report): enforced user permissions on report filters for linked doctypes
---
 frappe/desk/query_report.py | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/frappe/desk/query_report.py b/frappe/desk/query_report.py
index 2f19ae6645..3379d9013d 100644
--- a/frappe/desk/query_report.py
+++ b/frappe/desk/query_report.py
@@ -14,7 +14,7 @@ from frappe.desk.reportview import clean_params, parse_json
 from frappe.model.utils import render_include
 from frappe.modules import get_module_path, scrub
 from frappe.monitor import add_data_to_monitor
-from frappe.permissions import get_role_permissions
+from frappe.permissions import get_role_permissions, has_permission
 from frappe.utils import cint, cstr, flt, format_duration, get_html_format, sbool
@@ -195,6 +195,7 @@ def run(
 parent_field=None,
 are_default_filters=True,
 ):
+ validate_filters_permissions(report_name, filters, user)
 report = get_report_doc(report_name)
 if not user:
 user = frappe.session.user
@@ -780,3 +781,20 @@ def get_user_match_filters(doctypes, user):
 match_filters[dt] = filter_list
 return match_filters
+
+def validate_filters_permissions(report_name, filters=None, user=None):
+ if isinstance(filters, str):
+ filters = json.loads(filters)
+
+ if filters:
+ report = frappe.get_doc("Report", report_name)
+ for fieldname, value in filters.items():
+ for field in report.filters:
+ if field.fieldname == fieldname and field.fieldtype == "Link":
+ linked_doctype = field.options
+ if not has_permission(
+ doctype=linked_doctype, doc=value, user=user
+ ):
+ frappe.throw(
+ _("You do not have permission to access {0}: {1}.").format(linked_doctype, value)
+ )
From b754bdb03db7e689a5bddedd324b575908e0fc97 Mon Sep 17 00:00:00 2001
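Review bot: `validate_filters_permissions(report_name, filters, user)` is called before `user` is defaulted from `frappe.session.user` on the following lines and before `get_report_doc(report_name)` loads the report, so the helper receives `user=None` and then loads the same Report document a second time through `frappe.get_doc`. If `get_report_doc` (outside the hunk) also carries the report-level access and disabled checks, the filter check now runs ahead of them, so a caller without access to the report itself is first answered about one of its filter values. Suggest ordering it as `report = get_report_doc(report_name)` / `if not user: user = frappe.session.user` / `validate_filters_permissions(report_name, filters, user)`, and letting the helper accept the already-loaded `report` as an optional argument instead of re-fetching it. run() starts before this hunk and continues after it.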
From: jabir-elat
Date: Mon, 16 Sep 2024 21:43:53 +0530
Subject: [PATCH 2/5] refactor(query_report): filter check
---
 frappe/desk/query_report.py | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/frappe/desk/query_report.py b/frappe/desk/query_report.py
index 3379d9013d..d8bb7703cc 100644
--- a/frappe/desk/query_report.py
+++ b/frappe/desk/query_report.py
@@ -782,19 +782,18 @@ def get_user_match_filters(doctypes, user):
 return match_filters
-def validate_filters_permissions(report_name, filters=None, user=None):
- if isinstance(filters, str):
- filters = json.loads(filters)
- if filters:
- report = frappe.get_doc("Report", report_name)
- for fieldname, value in filters.items():
- for field in report.filters:
- if field.fieldname == fieldname and field.fieldtype == "Link":
- linked_doctype = field.options
- if not has_permission(
- doctype=linked_doctype, doc=value, user=user
- ):
- frappe.throw(
- _("You do not have permission to access {0}: {1}.").format(linked_doctype, value)
- )
+def validate_filters_permissions(report_name, filters=None, user=None):
+ if not filters:
+ return
+ if isinstance(filters, str):
+ filters = json.loads(filters)
+ report = frappe.get_doc("Report", report_name)
+ for fieldname, value in filters.items():
+ for field in report.filters:
+ if field.fieldname == fieldname and field.fieldtype == "Link":
+ linked_doctype = field.options
+ if not has_permission(doctype=linked_doctype, doc=value, user=user):
+ frappe.throw(
+ _("You do not have permission to access {0}: {1}.").format(linked_doctype, value)
+ )
From b17238f99707fa22bc61ac3a4ebc074b0f745e7c Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Tue, 17 Sep 2024 12:09:08 +0530
Subject: [PATCH 3/5] fix(query_report): fix indentation, add some newlines
Signed-off-by: Akhil Narang
---
 frappe/desk/query_report.py | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
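Review bot: The rewritten `validate_filters_permissions` still has no docstring, and its contract is not obvious from the call in `run`: the early `return` on a falsy `filters` means a missing or empty filter set is accepted without any check, a JSON string is decoded before use, and only `Link` rows of the Report's own `filters` table are compared against the supplied keys. Suggest a docstring along the lines of `"""Raise if *user* lacks read access to a document named by a Link filter of the report. *filters* may be a dict or its JSON encoding; keys that are not declared as Link fields in the Report doc are not checked."""`. Note also that `json.loads` accepts any JSON value, so a list-shaped `filters` string reaches `filters.items()` and fails with AttributeError rather than a clear validation error; if such input can reach this path, a guard such as `if not isinstance(filters, dict): frappe.throw(_("Invalid filters"))` after the decode would make the failure explicit.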
diff --git a/frappe/desk/query_report.py b/frappe/desk/query_report.py
index d8bb7703cc..d17caaba1e 100644
--- a/frappe/desk/query_report.py
+++ b/frappe/desk/query_report.py
@@ -786,14 +786,16 @@ def get_user_match_filters(doctypes, user):
 def validate_filters_permissions(report_name, filters=None, user=None):
 if not filters:
 return
+
 if isinstance(filters, str):
 filters = json.loads(filters)
- report = frappe.get_doc("Report", report_name)
- for fieldname, value in filters.items():
- for field in report.filters:
- if field.fieldname == fieldname and field.fieldtype == "Link":
- linked_doctype = field.options
- if not has_permission(doctype=linked_doctype, doc=value, user=user):
- frappe.throw(
- _("You do not have permission to access {0}: {1}.").format(linked_doctype, value)
- )
+
+ report = frappe.get_doc("Report", report_name)
+ for fieldname, value in filters.items():
+ for field in report.filters:
+ if field.fieldname == fieldname and field.fieldtype == "Link":
+ linked_doctype = field.options
+ if not has_permission(doctype=linked_doctype, doc=value, user=user):
+ frappe.throw(
+ _("You do not have permission to access {0}: {1}.").format(linked_doctype, value)
+ )
From 90bd55690a33207abecc87bb9fec0975f792d176 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 25 Sep 2024 17:57:13 +0530
Subject: [PATCH 4/5] refactor(query_report): simplify logic
Reduce one level of nesting
Signed-off-by: Akhil Narang
---
 frappe/desk/query_report.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/frappe/desk/query_report.py b/frappe/desk/query_report.py
index d17caaba1e..0579321a0d 100644
--- a/frappe/desk/query_report.py
+++ b/frappe/desk/query_report.py
@@ -791,11 +791,10 @@ def validate_filters_permissions(report_name, filters=None, user=None):
 filters = json.loads(filters)
 report = frappe.get_doc("Report", report_name)
- for fieldname, value in filters.items():
- for field in report.filters:
- if field.fieldname == fieldname and field.fieldtype == "Link":
- linked_doctype = field.options
- if not has_permission(doctype=linked_doctype, doc=value, user=user):
- frappe.throw(
- _("You do not have permission to access {0}: {1}.").format(linked_doctype, value)
- )
+ for field in report.filters:
+ if field.fieldname in filters and field.fieldtype == "Link":
+ linked_doctype = field.options
+ if not has_permission(doctype=linked_doctype, doc=filters[field], user=user):
+ frappe.throw(
+ _("You do not have permission to access {0}: {1}.").format(linked_doctype, filters[field])
+ )
From 0c6d5de8052923ee6d12e6bfdb1aaca8e72a5bda Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Wed, 25 Sep 2024 18:36:46 +0530
Subject: [PATCH 5/5] fix(query_report): use the correct key
Signed-off-by: Akhil Narang
---
 frappe/desk/query_report.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/frappe/desk/query_report.py b/frappe/desk/query_report.py
index 0579321a0d..adfc4e4692 100644
--- a/frappe/desk/query_report.py
+++ b/frappe/desk/query_report.py
@@ -794,7 +794,9 @@ def validate_filters_permissions(report_name, filters=None, user=None):
 for field in report.filters:
 if field.fieldname in filters and field.fieldtype == "Link":
 linked_doctype = field.options
- if not has_permission(doctype=linked_doctype, doc=filters[field], user=user):
+ if not has_permission(doctype=linked_doctype, doc=filters[field.fieldname], user=user):
 frappe.throw(
- _("You do not have permission to access {0}: {1}.").format(linked_doctype, filters[field])
+ _("You do not have permission to access {0}: {1}.").format(
+ linked_doctype, filters[field.fieldname]
+ )
 )
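Review bot: The `has_permission` call on the corrected `filters[field.fieldname]` key only covers rows of the Report's `filters` table whose fieldtype is `Link`; a filter declared as `Dynamic Link` or `MultiSelectList`, or a filter key that is not declared in the Report doc at all, passes through with no document-level check. That may be an acceptable scope for this fix, but it should be stated next to the loop so the coverage is not assumed to be complete, e.g. `# Only Link filters declared in the Report doc are checked; other filter kinds and undeclared keys are not covered here`. Also, if `has_permission` loads the document when `doc` is a name string, a non-existent filter value now raises DoesNotExistError before the permission message is reached, and an empty-string value (an unset Link filter) is checked at doctype level only; worth confirming both are intended. The enclosing `def` starts before this hunk.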