From 807a300fd8ccf3a2aa29d2a6757bfb11e2087a96 Mon Sep 17 00:00:00 2001 From: Rushabh Mehta Date: Wed, 28 Mar 2018 06:40:35 +0530 Subject: [PATCH 1/2] [hotfix] dont allow API query for child table --- frappe/client.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/frappe/client.py b/frappe/client.py index 9bf2bd9b1b..ed1e2cac4c 100644 --- a/frappe/client.py +++ b/frappe/client.py @@ -27,6 +27,10 @@ def get_list(doctype, fields=None, filters=None, order_by=None, :param order_by: Order by this fieldname :param limit_start: Start at this index :param limit_page_length: Number of records to be returned (default 20)''' + if frappe.is_table(doctype): + # not allowed for child tables! + raise frappe.PermissionError + return frappe.get_list(doctype, fields=fields, filters=filters, order_by=order_by, limit_start=limit_start, limit_page_length=limit_page_length, ignore_permissions=False) @@ -37,6 +41,10 @@ def get(doctype, name=None, filters=None): :param doctype: DocType of the document to be returned :param name: return document of this `name` :param filters: If name is not set, filter by these values and return the first match''' + if frappe.is_table(doctype): + # not allowed for child tables! + raise frappe.PermissionError + if filters and not name: name = frappe.db.get_value(doctype, json.loads(filters)) if not name: @@ -55,6 +63,9 @@ def get_value(doctype, fieldname, filters=None, as_dict=True, debug=False): :param doctype: DocType to be queried :param fieldname: Field to be returned (default `name`) :param filters: dict or string for identifying the record''' + if frappe.is_table(doctype): + # not allowed for child tables! + raise frappe.PermissionError if not frappe.has_permission(doctype): frappe.throw(_("No permission for {0}".format(doctype)), frappe.PermissionError) From bc03a7eaec1a0c7d3dac1307074699ae2f8888c2 Mon Sep 17 00:00:00 2001 
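Review bot: The same three-line guard is pasted into get_list, get and get_value (all three hunks), so the next endpoint added to frappe/client.py can silently miss it; a single helper called first thing in each function keeps the rule in one place. The bare `raise frappe.PermissionError` also gives the API caller no message, while the context line right below the get_value guard reports a denial through `frappe.throw(..., frappe.PermissionError)`; the helper can do the same. The comment `# not allowed for child tables!` should say why: presumably child tables carry no permission rules of their own and are meant to be read through their parent document (to be confirmed). The other functions in this file lie outside the hunks, so it cannot be told from here whether write or delete endpoints need the same guard. All three function bodies continue beyond their hunks.

```python
def _deny_child_table(doctype):
	'''Reject direct API access to a child-table DocType.'''
	if frappe.is_table(doctype):
		frappe.throw(_("Not permitted for child table {0}").format(doctype),
			frappe.PermissionError)

# in get_list, get and get_value, replacing the pasted guard:
	_deny_child_table(doctype)
# … unchanged: rest of each function body …
```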
From: Nabin Hait Date: Wed, 28 Mar 2018 09:13:49 +0600 Subject: [PATCH 2/2] bumped to version 10.1.14 --- frappe/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/frappe/__init__.py b/frappe/__init__.py index 9e10d560c3..bfdeb20024 100644 --- a/frappe/__init__.py +++ b/frappe/__init__.py @@ -14,7 +14,7 @@ import os, sys, importlib, inspect, json from .exceptions import * from .utils.jinja import get_jenv, get_template, render_template, get_email_from_template -__version__ = '10.1.13' +__version__ = '10.1.14' __title__ = "Frappe Framework" local = Local()