fix(minor): lockdown frappe.client.get_list

(cherry picked from commit 2248c6c410)

frappe/client.py

@@ -8,6 +8,8 @@ import frappe.model
 import frappe.utils
 import json, os
 from frappe.utils import get_safe_filters
+from frappe.desk.reportview import validate_args
+from frappe.model.db_query import check_parent_permission
 
 from six import iteritems, string_types, integer_types
 
@@ -31,8 +33,18 @@ def get_list(doctype, fields=None, filters=None, order_by=None,
 	if frappe.is_table(doctype):
 		check_parent_permission(parent, doctype)
 
-	return frappe.get_list(doctype, fields=fields, filters=filters, order_by=order_by,
-		limit_start=limit_start, limit_page_length=limit_page_length, ignore_permissions=False)
+	args = dict(
+		doctype=doctype,
+		fields=fields,
+		filters=filters,
+		order_by=order_by,
+		limit_start=limit_start,
+		limit_page_length=limit_page_length,
+	)
+
+	validate_args(args)
+
+	return frappe.get_list(**args)
 
 @frappe.whitelist()
 def get_count(doctype, filters=None, debug=False, cache=False):
@@ -91,12 +103,12 @@ def get_value(doctype, fieldname, filters=None, as_dict=True, debug=False, paren
 	if frappe.get_meta(doctype).issingle:
 		value = frappe.db.get_values_from_single(fields, filters, doctype, as_dict=as_dict, debug=debug)
 	else:
-		value = frappe.get_list(doctype, filters=filters, fields=fields, debug=debug, limit=1)
+		value = get_list(doctype, filters=filters, fields=fields, limit_page_length=1)
 
 	if as_dict:
 		value = value[0] if value else {}
 	else:
-		value = value[0].fieldname
+		value = value[0][fieldname]
 
 	return value
 
@@ -378,18 +390,6 @@ def attach_file(filename=None, filedata=None, doctype=None, docname=None, folder
 def get_hooks(hook, app_name=None):
 	return frappe.get_hooks(hook, app_name)
 
-def check_parent_permission(parent, child_doctype):
-	if parent:
-		# User may pass fake parent and get the information from the child table
-		if child_doctype and not frappe.db.exists('DocField',
-			{'parent': parent, 'options': child_doctype}):
-			raise frappe.PermissionError
-
-		if frappe.permissions.has_permission(parent):
-			return
-	# Either parent not passed or the user doesn't have permission on parent doctype of child table!
-	raise frappe.PermissionError
-
 @frappe.whitelist()
 def is_document_amended(doctype, docname):
 	if frappe.permissions.has_permission(doctype):
@@ -400,4 +400,4 @@ def is_document_amended(doctype, docname):
 		except frappe.db.InternalError:
 			pass
 
-	return False
+	return False

frappe/desk/reportview.py

@@ -41,6 +41,9 @@ def get_form_params():
 	"""Stringify GET request parameters."""
 	data = frappe._dict(frappe.local.form_dict)
 	clean_params(data)
+	validate_args(data)
+
+def validate_args(data):
 	parse_json(data)
 	setup_group_by(data)
 

frappe/model/db_query.py

@@ -14,7 +14,6 @@ import frappe.permissions
 from datetime import datetime
 import frappe, json, copy, re
 from frappe.model import optional_fields
-from frappe.client import check_parent_permission
 from frappe.model.utils.user_settings import get_user_settings, update_user_settings
 from frappe.utils import flt, cint, get_time, make_filter_tuple, get_filter, add_to_date, cstr, get_timespan_date_range
 from frappe.model.meta import get_table_columns
@@ -786,6 +785,18 @@ class DatabaseQuery(object):
 
 		update_user_settings(self.doctype, user_settings)
 
+def check_parent_permission(parent, child_doctype):
+	if parent:
+		# User may pass fake parent and get the information from the child table
+		if child_doctype and not frappe.db.exists('DocField',
+			{'parent': parent, 'options': child_doctype}):
+			raise frappe.PermissionError
+
+		if frappe.permissions.has_permission(parent):
+			return
+	# Either parent not passed or the user doesn't have permission on parent doctype of child table!
+	raise frappe.PermissionError
+
 def get_order_by(doctype, meta):
 	order_by = ""