fix(permission): Role permission check with if_owner enabled (#6726)

* Allow user to access list even if there is only a docperm with if owner enabled

* Add test to check if user gets access to the list

- User should be able to access list even if the user has only
 role for which docperm is created with if_owner check

* Remove commented code
Suraj Shetty 2019-01-05 14:31:40 +05:30 committed by Nabin Hait
parent aa2f23efc4
commit 9adbbd44c8
2 changed files with 13 additions and 1 deletions


@ -187,7 +187,9 @@ def get_role_permissions(doctype_meta, user=None):
and ptype != 'create'):
perms['if_owner'][ptype] = 1
# has no access if not owner
perms[ptype] = 0
# only provide read access so that user is able to at-least access list
# (and the documents will be filtered based on owner sin further checks)
perms[ptype] = 1 if ptype == 'read' else 0
frappe.local.role_permissions[cache_key] = perms
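Review bot: With `perms[ptype] = 1 if ptype == 'read' else 0`, the cached role permissions now report read access for a user whose only docperm is `if_owner`, so the owner restriction holds only where a caller also consults `perms['if_owner']`; any caller that tests `perms.get('read')` alone would treat another user's document as readable, which is worth confirming for the single-document and report paths since they are not visible here. The accompanying test only asserts that `get_list` returns `[]` for a user who owns no documents; it should also assert that the same user is denied a Blog Post owned by someone else. The new comment has a typo ("sin") and could state the contract instead, e.g. `# read is granted at role level only so list access passes; callers must still enforce perms['if_owner']['read'] per document`. The body of get_role_permissions starts and ends outside the hunk.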


@ -383,7 +383,17 @@ class TestPermissions(unittest.TestCase):
update('Blog Post', 'Blogger', 0, 'read', 1)
update('Blog Post', 'Blogger', 0, 'write', 1)
update('Blog Post', 'Blogger', 0, 'delete', 1)
# currently test2 user has not created any document
# still he should be able to do get_list query which should
# not raise permission error but simply return empty list
frappe.set_user("test2@example.com")
self.assertEqual(frappe.get_list('Blog Post'), [])
frappe.set_user("Administrator")
# creates a custom docperm with just read access
# now any user can read any blog post (but other rights are limited to the blog post owner)
add_permission('Blog Post', 'Blogger')
frappe.clear_cache(doctype="Blog Post")