vassili/seitime-frappe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Child table permission error fix (#5311)

Browse source 
Initially there were no permission checks on child table, which made the
child table data exposable through the API. The fix issued in commit
807a300fd8 involved default denying
permission to access child tables via client.py . The current fix checks
the permissions on the parent doctype and allows access if the user has
access on the parent
This commit is contained in:
Ameya Shenoy 2018-03-29 13:11:36 +05:30 committed by Manas Solanki
parent 19a8ef39c1
commit a5788e1746
1 changed files with 13 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
frappe/client.py
View file

@ -18,7 +18,7 @@ Requests via FrappeClient are also handled here.
@frappe.whitelist()
def get_list(doctype, fields=None, filters=None, order_by=None,
limit_start=None, limit_page_length=20):
limit_start=None, limit_page_length=20, parent=None):
'''Returns a list of records by filters, fields, ordering and limit
:param doctype: DocType of the data to be queried
@ -28,22 +28,20 @@ def get_list(doctype, fields=None, filters=None, order_by=None,
:param limit_start: Start at this index
:param limit_page_length: Number of records to be returned (default 20)'''
if frappe.is_table(doctype):
# not allowed for child tables!
raise frappe.PermissionError
check_parent_permission(parent)
return frappe.get_list(doctype, fields=fields, filters=filters, order_by=order_by,
limit_start=limit_start, limit_page_length=limit_page_length, ignore_permissions=False)
@frappe.whitelist()
def get(doctype, name=None, filters=None):
def get(doctype, name=None, filters=None, parent=None):
'''Returns a document by name or filters
:param doctype: DocType of the document to be returned
:param name: return document of this `name`
:param filters: If name is not set, filter by these values and return the first match'''
if frappe.is_table(doctype):
# not allowed for child tables!
raise frappe.PermissionError
check_parent_permission(parent)
if filters and not name:
name = frappe.db.get_value(doctype, json.loads(filters))
@ -57,15 +55,14 @@ def get(doctype, name=None, filters=None):
return frappe.get_doc(doctype, name).as_dict()
@frappe.whitelist()
def get_value(doctype, fieldname, filters=None, as_dict=True, debug=False):
def get_value(doctype, fieldname, filters=None, as_dict=True, debug=False, parent=None):
'''Returns a value form a document
:param doctype: DocType to be queried
:param fieldname: Field to be returned (default `name`)
:param filters: dict or string for identifying the record'''
if frappe.is_table(doctype):
# not allowed for child tables!
raise frappe.PermissionError
check_parent_permission(parent)
if not frappe.has_permission(doctype):
frappe.throw(_("No permission for {0}".format(doctype)), frappe.PermissionError)
@ -316,3 +313,10 @@ def get_js(items):
def get_time_zone():
'''Returns default time zone'''
return {"time_zone": frappe.defaults.get_defaults().get("time_zone")}
def check_parent_permission(parent):
if parent:
if frappe.permissions.has_permission(parent):
return
# Either parent not passed or the user doesn't have permission on parent doctype of child table!
raise frappe.PermissionError