fix: Child table data can be get easily by passing fake parent id (#6509)
parent
5718685602
commit
a3f63ca1bd
1 changed files with 10 additions and 5 deletions
|
|
@ -28,7 +28,7 @@ def get_list(doctype, fields=None, filters=None, order_by=None,
|
|||
:param limit_start: Start at this index
|
||||
:param limit_page_length: Number of records to be returned (default 20)'''
|
||||
if frappe.is_table(doctype):
|
||||
check_parent_permission(parent)
|
||||
check_parent_permission(parent, doctype)
|
||||
|
||||
return frappe.get_list(doctype, fields=fields, filters=filters, order_by=order_by,
|
||||
limit_start=limit_start, limit_page_length=limit_page_length, ignore_permissions=False)
|
||||
|
|
@ -41,7 +41,7 @@ def get(doctype, name=None, filters=None, parent=None):
|
|||
:param name: return document of this `name`
|
||||
:param filters: If name is not set, filter by these values and return the first match'''
|
||||
if frappe.is_table(doctype):
|
||||
check_parent_permission(parent)
|
||||
check_parent_permission(parent, doctype)
|
||||
|
||||
if filters and not name:
|
||||
name = frappe.db.get_value(doctype, json.loads(filters))
|
||||
|
|
@ -62,7 +62,7 @@ def get_value(doctype, fieldname, filters=None, as_dict=True, debug=False, paren
|
|||
:param fieldname: Field to be returned (default `name`)
|
||||
:param filters: dict or string for identifying the record'''
|
||||
if frappe.is_table(doctype):
|
||||
check_parent_permission(parent)
|
||||
check_parent_permission(parent, doctype)
|
||||
|
||||
if not frappe.has_permission(doctype):
|
||||
frappe.throw(_("No permission for {0}".format(doctype)), frappe.PermissionError)
|
||||
|
|
@ -314,9 +314,14 @@ def get_time_zone():
|
|||
'''Returns default time zone'''
|
||||
return {"time_zone": frappe.defaults.get_defaults().get("time_zone")}
|
||||
|
||||
def check_parent_permission(parent):
|
||||
def check_parent_permission(parent, child_doctype):
|
||||
if parent:
|
||||
# User may pass fake parent and get the information from the child table
|
||||
if child_doctype and not frappe.db.exists('DocField',
|
||||
{'parent': parent, 'options': child_doctype}):
|
||||
raise frappe.PermissionError
|
||||
|
||||
if frappe.permissions.has_permission(parent):
|
||||
return
|
||||
# Either parent not passed or the user doesn't have permission on parent doctype of child table!
|
||||
raise frappe.PermissionError
|
||||
raise frappe.PermissionError
|
||||
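Review bot: The added lookup in `check_parent_permission` matches any DocField row whose `options` equals the child doctype, with no constraint on `fieldtype`, and it consults only `DocField`; a non-table field with the same `options` would pass, while a child table attached through a Custom Field would presumably be rejected. Consider a filter such as `{'parent': parent, 'fieldtype': 'Table', 'options': child_doctype}` together with an equivalent `frappe.db.exists('Custom Field', {'dt': parent, 'options': child_doctype})` check. Separately, the permission decision is made on the parent doctype alone: nothing visible in `get_list`, `get` or `get_value` (whose bodies continue outside these hunks) restricts the returned rows to `parenttype == parent`, so it is worth confirming that the queries are scoped to the validated parent. A short docstring stating that `parent` is a doctype name, and that `frappe.PermissionError` is raised when it is missing, unrelated to the child doctype or unreadable by the user, would also help.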