From 27e5d5341c8fe7d105edbbd6c2b982087d29435f Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Mon, 23 Feb 2026 19:30:55 +0530
Subject: [PATCH 1/2] fix: use `JSON.parse()` for filter processing
Signed-off-by: Akhil Narang
---
 frappe/public/js/frappe/utils/utils.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/frappe/public/js/frappe/utils/utils.js b/frappe/public/js/frappe/utils/utils.js
index bfc1d0ad38..511d49123b 100644
--- a/frappe/public/js/frappe/utils/utils.js
+++ b/frappe/public/js/frappe/utils/utils.js
@@ -1909,7 +1909,13 @@ Object.assign(frappe.utils, {
 process_filter_expression(filter) {
 let filters = [];
- filters = filter ? new Function(`return ${filter}`)() : [];
+ if (filter) {
+ try {
+ filters = JSON.parse(filter);
+ } catch {
+ console.warn("Invalid JSON in filter expression", filter);
+ }
+ }
 return this.cleanup_filters(filters);
 },
 cleanup_filters(filters) {
From b439f9a215b1e40a7ae569ec8ac19c9e18331585 Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Mon, 23 Feb 2026 20:32:58 +0530
Subject: [PATCH 2/2] fix(workspace): check before allowing user to edit
Signed-off-by: Akhil Narang
---
 frappe/desk/doctype/workspace/workspace.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/frappe/desk/doctype/workspace/workspace.py b/frappe/desk/doctype/workspace/workspace.py
index 29d9cb6b0f..1424e2a3d8 100644
--- a/frappe/desk/doctype/workspace/workspace.py
+++ b/frappe/desk/doctype/workspace/workspace.py
@@ -76,6 +76,18 @@ class Workspace(Document):
 if self.public and not is_workspace_manager() and not disable_saving_as_public():
 frappe.throw(_("You need to be Workspace Manager to edit this document"))
+
+ if (
+ not self.public
+ and self.for_user
+ and self.for_user != frappe.session.user
+ and not is_workspace_manager()
+ ):
+ frappe.throw(
+ _("You are not allowed to edit this workspace"),
+ frappe.PermissionError,
+ )
+
 if self.has_value_changed("title"):
 validate_route_conflict(self.doctype, self.title)
 else:
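Review bot: The value returned by `JSON.parse(filter)` in `process_filter_expression` is handed to `cleanup_filters` without a shape check, so a stored expression that parses to `null`, a number, a string or an object is passed on as if it were a filter list. If `cleanup_filters` (its body is outside this hunk) expects an array, add `if (!Array.isArray(filters)) filters = [];` after the `try` block. The `catch` branch also leaves `filters` empty, so saved expressions that were valid JavaScript but are not JSON (single-quoted strings, trailing commas) now load with no filter at all and only a console warning. It may be worth migrating those values, or surfacing the error to the user, rather than showing unfiltered data.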
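Review bot: The new ownership check reads `self.for_user` from the document being saved, so it compares the session user with the value that arrived in the request rather than with the stored owner. Unless that field is locked elsewhere (not visible in this hunk), a save whose payload carries a different or empty `for_user` would not reach `frappe.throw`. Consider taking the owner from the persisted copy, e.g. `before = self.get_doc_before_save()` and `owner = before.for_user if before else self.for_user`, and testing `owner != frappe.session.user` in the condition. The enclosing method starts before this hunk and continues past the trailing `else:`.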