From 0482530ffd3813b9cfb2b7ecb40d1c5b2ed181ca Mon Sep 17 00:00:00 2001
From: Shariq Ansari
Date: Fri, 3 Feb 2023 20:04:11 +0530
Subject: [PATCH 1/6] fix: do not allow restricted fieldnames for custom fields
---
 .../custom/doctype/custom_field/custom_field.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/frappe/custom/doctype/custom_field/custom_field.py b/frappe/custom/doctype/custom_field/custom_field.py
index 758d9c1e64..8953153be6 100644
--- a/frappe/custom/doctype/custom_field/custom_field.py
+++ b/frappe/custom/doctype/custom_field/custom_field.py
@@ -18,6 +18,18 @@ class CustomField(Document):
 self.name = self.dt + "-" + self.fieldname
 def set_fieldname(self):
+ restricted = (
+ "name",
+ "parent",
+ "creation",
+ "modified",
+ "modified_by",
+ "parentfield",
+ "parenttype",
+ "file_list",
+ "flags",
+ "docstatus",
+ )
 if not self.fieldname:
 label = self.label
 if not label:
@@ -34,6 +46,9 @@ class CustomField(Document):
 # fieldnames should be lowercase
 self.fieldname = self.fieldname.lower()
+ if self.fieldname in restricted:
+ self.fieldname = self.fieldname + "1"
+
 def before_insert(self):
 self.set_fieldname()
From 80a49329831233a4472e0bd8d868b875c3a10d68 Mon Sep 17 00:00:00 2001
From: Shariq Ansari
Date: Thu, 16 Feb 2023 18:42:24 +0530
Subject: [PATCH 2/6] fix: ask before changing restricted fieldnames
---
 .../doctype/customize_form/customize_form.js | 61 ++++++++++++++-----
 1 file changed, 46 insertions(+), 15 deletions(-)
diff --git a/frappe/custom/doctype/customize_form/customize_form.js b/frappe/custom/doctype/customize_form/customize_form.js
index fed8505147..73981eaf28 100644
--- a/frappe/custom/doctype/customize_form/customize_form.js
+++ b/frappe/custom/doctype/customize_form/customize_form.js
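Review bot: The `restricted` tuple built at the top of set_fieldname in the first hunk is a second copy of the list that the client-side check added later in this series reads from `frappe.model.restricted_fields`, so the two can drift, and the confirm dialog would then disagree with the rename performed in the second hunk. Hoist it to a module-level constant (or, if the project already keeps a shared list of standard fieldnames, derive it from that) so the server check and the client list have a single source. The rename `self.fieldname = self.fieldname + "1"` is also applied once and unconditionally, so two custom fields whose labels both scrub to a restricted name end up with the same `<name>1`; if uniqueness is enforced elsewhere, a comment should say where, e.g. `# appending "1" can still collide with an existing fieldname; uniqueness is validated in <validation hook>`. set_fieldname starts in the first hunk and the lines between the two hunks are not shown.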
@@ -310,22 +310,53 @@ frappe.ui.form.on("DocType State", {
 },
 });
-frappe.customize_form.set_primary_action = function (frm) {
- frm.page.set_primary_action(__("Update"), function () {
- if (frm.doc.doc_type) {
- return frm.call({
- doc: frm.doc,
- freeze: true,
- btn: frm.page.btn_primary,
- method: "save_customization",
- callback: function (r) {
- if (!r.exc) {
- frappe.customize_form.clear_locals_and_refresh(frm);
- frm.script_manager.trigger("doc_type");
- }
- },
- });
+frappe.customize_form.validate_fieldnames = async function (frm) {
+ for (let i = 0; i < frm.doc.fields.length; i++) {
+ let field = frm.doc.fields[i];
+
+ let fieldname = field.label && frappe.model.scrub(field.label).toLowerCase();
+ if (
+ field.label &&
+ !field.fieldname &&
+ in_list(frappe.model.restricted_fields, fieldname)
+ ) {
+ let message = __(
+ "For field {0} in row {1}, fieldname {2} is restricted it will be renamed as {2}1. Do you want to continue?",
+ [field.label, field.idx, fieldname]
+ );
+ await pause_to_confirm(message);
 }
+ }
+
+ function pause_to_confirm(message) {
+ return new Promise((resolve) => {
+ frappe.confirm(message, () => resolve());
+ });
+ }
+ };
+
+ frappe.customize_form.save_customization = function (frm) {
+ if (frm.doc.doc_type) {
+ return frm.call({
+ doc: frm.doc,
+ freeze: true,
+ freeze_message: __("Updating Customization..."),
+ btn: frm.page.btn_primary,
+ method: "save_customization",
+ callback: function (r) {
+ if (!r.exc) {
+ frappe.customize_form.clear_locals_and_refresh(frm);
+ frm.script_manager.trigger("doc_type");
+ }
+ },
+ });
+ }
+ };
+
+ frappe.customize_form.set_primary_action = function (frm) {
+ frm.page.set_primary_action(__("Update"), async () => {
+ await this.validate_fieldnames(frm);
+ this.save_customization(frm);
 });
 };
From 908545241bde7fe0561ac8b196f9c1e440e46a31 Mon Sep 17 00:00:00 2001
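Review bot: In the new set_primary_action the arrow callback reads `this.validate_fieldnames` and `this.save_customization`, so it only works while set_primary_action is invoked as a method of `frappe.customize_form`; if it is ever handed around as a bare function reference, `this` is no longer that object and the click handler throws. The rest of this hunk already names the namespace explicitly (`frappe.customize_form.clear_locals_and_refresh(frm)`), so do the same here: `await frappe.customize_form.validate_fieldnames(frm);` and `frappe.customize_form.save_customization(frm);`. The confirm message interpolates `field.label`, which is user-entered text; if `frappe.confirm` renders its message as HTML (not visible from this hunk), the label should be HTML-escaped before it is inserted. A short header comment on validate_fieldnames would also help, e.g. `// One dialog per affected row, before the server renames a restricted fieldname to "<name>1"; keep frappe.model.restricted_fields in step with the server-side list`.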
From: Shariq Ansari
Date: Thu, 16 Feb 2023 19:31:07 +0530
Subject: [PATCH 3/6] fix: enable update button if fieldname change is rejected
---
 frappe/custom/doctype/customize_form/customize_form.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/frappe/custom/doctype/customize_form/customize_form.js b/frappe/custom/doctype/customize_form/customize_form.js
index a0be0f3d63..d1ee27faba 100644
--- a/frappe/custom/doctype/customize_form/customize_form.js
+++ b/frappe/custom/doctype/customize_form/customize_form.js
@@ -334,7 +334,13 @@ frappe.customize_form.validate_fieldnames = async function (frm) {
 function pause_to_confirm(message) {
 return new Promise((resolve) => {
- frappe.confirm(message, () => resolve());
+ frappe.confirm(
+ message,
+ () => resolve(),
+ () => {
+ frm.page.btn_primary.prop("disabled", false);
+ }
+ );
 });
 }
 };
From 7afc46401b7c23620982745181ab659b636df1a3 Mon Sep 17 00:00:00 2001
From: Shariq Ansari <30859809+shariquerik@users.noreply.github.com>
Date: Mon, 20 Feb 2023 11:21:24 +0530
Subject: [PATCH 4/6] chore: changed freeze message
---
 frappe/custom/doctype/customize_form/customize_form.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/custom/doctype/customize_form/customize_form.js b/frappe/custom/doctype/customize_form/customize_form.js
index d1ee27faba..4ab693b415 100644
--- a/frappe/custom/doctype/customize_form/customize_form.js
+++ b/frappe/custom/doctype/customize_form/customize_form.js
@@ -350,7 +350,7 @@ frappe.customize_form.save_customization = function (frm) {
 return frm.call({
 doc: frm.doc,
 freeze: true,
- freeze_message: __("Updating Customization..."),
+ freeze_message: __("Saving Customization..."),
 btn: frm.page.btn_primary,
 method: "save_customization",
 callback: function (r) {
From 0219eab82000411a8ef1a7a255e5bb93d76fe763 Mon Sep 17 00:00:00 2001
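Review bot: The cancel handler added to `frappe.confirm` re-enables the Update button but never settles the promise returned by pause_to_confirm, so the `await` in set_primary_action stays pending for the life of the page and the save is skipped by accident rather than by an explicit decision. Resolve with a boolean instead: `() => resolve(true),` and `() => { frm.page.btn_primary.prop("disabled", false); resolve(false); }`, then let the loop in validate_fieldnames return false as soon as a prompt is declined and have set_primary_action call save_customization only on true; both of those call sites are outside this hunk. validate_fieldnames starts before this hunk.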
From: Ankush Menat
Date: Mon, 20 Feb 2023 18:19:12 +0530
Subject: [PATCH 5/6] fix: Dont fetch report if not permitted
---
 frappe/boot.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/frappe/boot.py b/frappe/boot.py
index 7c43c68488..9594635c70 100644
--- a/frappe/boot.py
+++ b/frappe/boot.py
@@ -12,6 +12,7 @@ from frappe.desk.doctype.route_history.route_history import frequently_visited_l
 from frappe.desk.form.load import get_meta_bundle
 from frappe.email.inbox import get_email_accounts
 from frappe.model.base_document import get_controller
+from frappe.permissions import has_permission
 from frappe.query_builder import DocType
 from frappe.query_builder.functions import Count
 from frappe.query_builder.terms import ParameterizedValueWrapper, SubQuery
@@ -234,6 +235,9 @@ def get_user_pages_or_reports(parent, cache=False):
 has_role[p.name] = {"modified": p.modified, "title": p.title}
 elif parent == "Report":
+ if not has_permission("Report", raise_exception=False):
+ return {}
+
 reports = frappe.get_list(
 "Report",
 fields=["name", "report_type"],
From 8409caef6fd40169c532cae36169f922147b818c Mon Sep 17 00:00:00 2001
From: Ankush Menat
Date: Mon, 20 Feb 2023 18:31:06 +0530
Subject: [PATCH 6/6] fix: show proper error with traceback when boot fails
---
 frappe/exceptions.py | 4 ++++
 frappe/public/js/frappe/desk.js | 9 ---------
 frappe/www/app.py | 3 +--
 3 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/frappe/exceptions.py b/frappe/exceptions.py
index f09583e215..20e858c543 100644
--- a/frappe/exceptions.py
+++ b/frappe/exceptions.py
@@ -244,6 +244,10 @@ class InReadOnlyMode(ValidationError):
 http_status_code = 503 # temporarily not available
+class SessionBootFailed(ValidationError):
+ http_status_code = 500
+
+
 class TooManyWritesError(Exception):
 pass
diff --git a/frappe/public/js/frappe/desk.js b/frappe/public/js/frappe/desk.js
index 4a81e8620b..74e1c4f1e7 100644
--- a/frappe/public/js/frappe/desk.js
+++ b/frappe/public/js/frappe/desk.js
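Review bot: The early `return {}` added in the Report branch of get_user_pages_or_reports carries no comment saying it is a permission gate, and it leans on has_permission's default permission type; make both explicit so a later edit does not loosen it: `# users without read access to Report get no report list in the boot info` and `if not has_permission("Report", ptype="read", raise_exception=False):` (use the helper's actual parameter name if it is not `ptype`). The preceding branch, whose last line `has_role[p.name] = ...` is visible as context, has no equivalent gate; whether that is intentional cannot be told from this hunk. The function takes a `cache` parameter, so it is worth confirming that the cache key includes the user, otherwise the empty dict computed for one user could be handed to another. The function starts and ends outside the hunk, and the first hunk of this patch only adds the import.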
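Review bot: SessionBootFailed is added without any text saying when it is raised or why it overrides the status to 500, while the neighbouring InReadOnlyMode at least annotates its code (`# temporarily not available`). Add a docstring grounded in its one raise site in this series: `"""Raised when frappe.sessions.get() fails while building the desk boot info (see www/app.py); rendered as HTTP 500."""`. The class is complete within the hunk.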
@@ -34,15 +34,6 @@ frappe.Application = class Application {
 frappe.socketio.init();
 frappe.model.init();
- if (frappe.boot.status === "failed") {
- frappe.msgprint({
- message: frappe.boot.error,
- title: __("Session Start Failed"),
- indicator: "red",
- });
- throw "boot failed";
- }
-
 this.load_bootinfo();
 this.load_user_permissions();
 this.make_nav_bar();
diff --git a/frappe/www/app.py b/frappe/www/app.py
index a32fef5748..dcb326af36 100644
--- a/frappe/www/app.py
+++ b/frappe/www/app.py
@@ -27,8 +27,7 @@ def get_context(context):
 try:
 boot = frappe.sessions.get()
 except Exception as e:
- boot = frappe._dict(status="failed", error=str(e))
- print(frappe.get_traceback())
+ raise frappe.SessionBootFailed from e
 # this needs commit
 csrf_token = frappe.sessions.get_csrf_token()
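Review bot: Raising `frappe.SessionBootFailed from e` removes the only server-side record the old code kept (`print(frappe.get_traceback())`), and whether the chained traceback is now logged, or instead rendered to the browser, is decided by the request error handler outside this hunk. Since the commit title says the traceback is shown, confirm that it is shown only in developer mode and that everyone else gets the generic 500 page with the detail logged server-side (e.g. via `frappe.log_error`); otherwise a boot failure exposes module paths, SQL and configuration fragments to whoever triggers the page. Once that is confirmed, a one-line comment on the raise makes the contract visible: `# rendered as HTTP 500; the traceback is logged by the request error handler, not returned to the client`. get_context continues outside the hunk.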