From 80c26612eab710ef4ff3c4c6f9a2f65daec36354 Mon Sep 17 00:00:00 2001
From: Rushabh Mehta
Date: Tue, 30 Mar 2021 11:25:40 +0530
Subject: [PATCH] fix(minor): lockdown frappe.client.get_list

(cherry picked from commit 2248c6c410d8cd9db18e6bc71942a3e42d9af3d8)
---
 frappe/client.py | 34 +++++++++++++++++-----------------
 frappe/desk/reportview.py | 3 +++
 frappe/model/db_query.py | 13 ++++++++++++-
 3 files changed, 32 insertions(+), 18 deletions(-)

diff --git a/frappe/client.py b/frappe/client.py
index 2217b53673..62317055fb 100644
--- a/frappe/client.py
+++ b/frappe/client.py
@@ -8,6 +8,8 @@ import frappe.model
 import frappe.utils
 import json, os
 from frappe.utils import get_safe_filters
+from frappe.desk.reportview import validate_args
+from frappe.model.db_query import check_parent_permission
 from six import iteritems, string_types, integer_types
@@ -31,8 +33,18 @@ def get_list(doctype, fields=None, filters=None, order_by=None,
 	if frappe.is_table(doctype):
 		check_parent_permission(parent, doctype)
-	return frappe.get_list(doctype, fields=fields, filters=filters, order_by=order_by,
-		limit_start=limit_start, limit_page_length=limit_page_length, ignore_permissions=False)
+	args = dict(
+		doctype=doctype,
+		fields=fields,
+		filters=filters,
+		order_by=order_by,
+		limit_start=limit_start,
+		limit_page_length=limit_page_length,
+	)
+
+	validate_args(args)
+
+	return frappe.get_list(**args)
 @frappe.whitelist()
 def get_count(doctype, filters=None, debug=False, cache=False):
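Review bot: `args` is built as a plain `dict` but is handed to `validate_args`, which the reportview.py hunk shows is the tail of `get_form_params`, where it operates on a `frappe._dict`; if the rest of `validate_args` reads keys as attributes (`data.fields`, `data.filters`, as that module's style suggests), a plain dict raises AttributeError before `frappe.get_list` is reached, so `args = frappe._dict(` is the safer construction. The rewritten call also drops the explicit `ignore_permissions=False` that the removed lines carried; presumably that is `frappe.get_list`'s default, but for a lockdown change keeping `ignore_permissions=False` in `args` makes the intent explicit. `get_list`'s signature, including the `parent` it passes to `check_parent_permission`, starts above the hunk.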
@@ -91,12 +103,12 @@ def get_value(doctype, fieldname, filters=None, as_dict=True, debug=False, paren
 	if frappe.get_meta(doctype).issingle:
 		value = frappe.db.get_values_from_single(fields, filters, doctype, as_dict=as_dict, debug=debug)
 	else:
-		value = frappe.get_list(doctype, filters=filters, fields=fields, debug=debug, limit=1)
+		value = get_list(doctype, filters=filters, fields=fields, limit_page_length=1)
 	if as_dict:
 		value = value[0] if value else {}
 	else:
-		value = value[0].fieldname
+		value = value[0][fieldname]
 	return value
@@ -378,18 +390,6 @@ def attach_file(filename=None, filedata=None, doctype=None, docname=None, folder
 def get_hooks(hook, app_name=None):
 	return frappe.get_hooks(hook, app_name)
-def check_parent_permission(parent, child_doctype):
-	if parent:
-		# User may pass fake parent and get the information from the child table
-		if child_doctype and not frappe.db.exists('DocField',
-			{'parent': parent, 'options': child_doctype}):
-			raise frappe.PermissionError
-
-		if frappe.permissions.has_permission(parent):
-			return
-	# Either parent not passed or the user doesn't have permission on parent doctype of child table!
-	raise frappe.PermissionError
-
 @frappe.whitelist()
 def is_document_amended(doctype, docname):
 	if frappe.permissions.has_permission(doctype):
@@ -400,4 +400,4 @@ def is_document_amended(doctype, docname):
 		except frappe.db.InternalError:
 			pass
-	return False
\ No newline at end of file
+	return False
diff --git a/frappe/desk/reportview.py b/frappe/desk/reportview.py
index 1e6b4e35b5..7f1fec826d 100644
--- a/frappe/desk/reportview.py
+++ b/frappe/desk/reportview.py
@@ -41,6 +41,9 @@ def get_form_params():
 	"""Stringify GET request parameters."""
 	data = frappe._dict(frappe.local.form_dict)
 	clean_params(data)
+	validate_args(data)
+
+def validate_args(data):
 	parse_json(data)
 	setup_group_by(data)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 2d553335ee..b29e143759 100644
--- a/frappe/model/db_query.py
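Review bot: The new `get_list(doctype, filters=filters, fields=fields, limit_page_length=1)` call does not forward `parent`, which `get_value`'s signature in the hunk header appears to accept (it is truncated at `paren`) and which the wrapper must take since its body passes `parent` to `check_parent_permission` for table doctypes; a child-table lookup through `get_value` would therefore hit that check with `parent` unset, so forward it: `value = get_list(doctype, filters=filters, fields=fields, limit_page_length=1, parent=parent)`. The `debug=debug` argument of the removed line is also dropped silently. In the `else` branch, `value = value[0][fieldname]` is not guarded the way the `as_dict` branch is (`value[0] if value else {}`), so an empty result raises IndexError rather than yielding an empty value. `get_value` begins above the hunk.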
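Review bot: After this change `get_form_params` ends with the bare statement `validate_args(data)` and has no `return`, so it now returns `None`: whatever closed the function below the hunk (presumably a `return data`) now belongs to the new `validate_args`, and any caller doing `args = get_form_params()` gets `None`. Either write `return validate_args(data)` and keep `validate_args` returning `data`, or add `return data` after the call. The `def get_form_params():` line is the hunk's header context, above the hunk, and `validate_args` continues below it.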
+++ b/frappe/model/db_query.py
@@ -14,7 +14,6 @@ import frappe.permissions
 from datetime import datetime
 import frappe, json, copy, re
 from frappe.model import optional_fields
-from frappe.client import check_parent_permission
 from frappe.model.utils.user_settings import get_user_settings, update_user_settings
 from frappe.utils import flt, cint, get_time, make_filter_tuple, get_filter, add_to_date, cstr, get_timespan_date_range
 from frappe.model.meta import get_table_columns
@@ -786,6 +785,18 @@ class DatabaseQuery(object):
 		update_user_settings(self.doctype, user_settings)
+def check_parent_permission(parent, child_doctype):
+	if parent:
+		# User may pass fake parent and get the information from the child table
+		if child_doctype and not frappe.db.exists('DocField',
+			{'parent': parent, 'options': child_doctype}):
+			raise frappe.PermissionError
+
+		if frappe.permissions.has_permission(parent):
+			return
+	# Either parent not passed or the user doesn't have permission on parent doctype of child table!
+	raise frappe.PermissionError
+
 def get_order_by(doctype, meta):
 	order_by = ""
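Review bot: `check_parent_permission` verifies the parent/child relationship only through `frappe.db.exists('DocField', {'parent': parent, 'options': child_doctype})`, so a child table attached to `parent` via a Custom Field (stored in the `Custom Field` doctype, whose parent-doctype field is `dt`, not in `DocField`) would be rejected with PermissionError even though the relationship is genuine; if custom child tables are expected to be readable here, the existence check needs a second lookup against `Custom Field`. The function is also moved in without a docstring; suggest `"""Raise PermissionError unless `child_doctype` is really a child table of `parent` and the user has permission on `parent`."""` so the intent of the two raise sites is stated in one place. The nested-`if` structure of the moved body is my reading of the collapsed lines and should be checked against the file.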