Merge pull request #34015 from iamejaaz/47622-report-link-field-permission
fix(QueryReport): respect user permissions in Link fields
commit
e66b6acc90
2 changed files with 19 additions and 8 deletions
|
|
@ -199,10 +199,11 @@ def run(
|
|||
is_tree=False,
|
||||
parent_field=None,
|
||||
are_default_filters=True,
|
||||
js_filters=None,
|
||||
):
|
||||
if not user:
|
||||
user = frappe.session.user
|
||||
validate_filters_permissions(report_name, filters, user)
|
||||
validate_filters_permissions(report_name, filters, user, js_filters)
|
||||
report = get_report_doc(report_name)
|
||||
if not frappe.has_permission(report.ref_doctype, "report"):
|
||||
frappe.msgprint(
|
||||
|
|
@ -893,25 +894,34 @@ def get_user_match_filters(doctypes, user):
|
|||
return match_filters
|
||||
|
||||
|
||||
def validate_filters_permissions(report_name, filters=None, user=None):
|
||||
def validate_filters_permissions(report_name, filters=None, user=None, js_filters=None):
|
||||
if not filters:
|
||||
return
|
||||
|
||||
if js_filters is None:
|
||||
js_filters = []
|
||||
|
||||
if isinstance(js_filters, str):
|
||||
js_filters = json.loads(js_filters)
|
||||
|
||||
if isinstance(filters, str):
|
||||
filters = json.loads(filters)
|
||||
|
||||
report = frappe.get_doc("Report", report_name)
|
||||
for field in report.filters:
|
||||
if field.fieldname in filters and field.fieldtype == "Link":
|
||||
linked_doctype = field.options
|
||||
|
||||
for field in report.filters + js_filters:
|
||||
if hasattr(field, "as_dict"):
|
||||
field = field.as_dict()
|
||||
if field.get("fieldname") in filters and field.get("fieldtype") == "Link":
|
||||
linked_doctype = field.get("options")
|
||||
if not has_permission(
|
||||
doctype=linked_doctype, ptype="read", doc=filters[field.fieldname], user=user
|
||||
doctype=linked_doctype, ptype="read", doc=filters[field.get("fieldname")], user=user
|
||||
) and not has_permission(
|
||||
doctype=linked_doctype, ptype="select", doc=filters[field.fieldname], user=user
|
||||
doctype=linked_doctype, ptype="select", doc=filters[field.get("fieldname")], user=user
|
||||
):
|
||||
frappe.throw(
|
||||
_("You do not have permission to access {0}: {1}.").format(
|
||||
linked_doctype, filters[field.fieldname]
|
||||
linked_doctype, filters[field.get("fieldname")]
|
||||
)
|
||||
)
|
||||
|
||||
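Review bot: In `validate_filters_permissions`, the set of Link filters that get permission-checked now partly comes from `js_filters`, which the client sends (see the `js_filters:` argument added in the JS section), so a request that omits or empties it gets only the `report.filters` checks. The check for script-defined Link filters is therefore advisory unless the server derives those definitions itself. I would say so above the loop, e.g. `# js_filters is client-supplied: it can add checks but must not be the only enforcement for Link filters`, and keep row-level enforcement in the report's own query. The decoded value is also used unvalidated: a JSON object or scalar makes `report.filters + js_filters` raise TypeError and a non-dict entry breaks `field.get(...)`, so a guard after `json.loads` such as `if not isinstance(js_filters, list): frappe.throw(_("Invalid js_filters"))` would turn that into a clean error. The function may continue past the end of the hunk.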
|
|
|
|||
|
|
@ -730,6 +730,7 @@ frappe.views.QueryReport = class QueryReport extends frappe.views.BaseList {
|
|||
is_tree: this.report_settings.tree,
|
||||
parent_field: this.report_settings.parent_field,
|
||||
are_default_filters: are_default_filters,
|
||||
js_filters: frappe.query_reports[this.report_name]?.filters,
|
||||
},
|
||||
callback: resolve,
|
||||
always: () => this.page.btn_secondary.prop("disabled", false),
|
||||
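Review bot: The added `js_filters:` argument sends every filter definition of the report on each run, although the server side of this commit reads only `fieldname`, `fieldtype` and `options` of Link filters; function-valued properties are presumably dropped when the arguments are serialized. Sending a reduced list keeps the request small, which matters if this call is issued as a GET: `js_filters: (frappe.query_reports[this.report_name]?.filters || []).filter((f) => f.fieldtype === "Link").map(({ fieldname, fieldtype, options }) => ({ fieldname, fieldtype, options })),`. The enclosing method starts and ends outside the hunk.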
|
|
|
|||