From 7a36e64b9c743e873ed34d45fb3d7aa01380ffeb Mon Sep 17 00:00:00 2001
From: prssanna
Date: Mon, 2 Mar 2020 13:23:46 +0530
Subject: [PATCH 1/2] fix: permission validation for child table fields
---
 frappe/model/base_document.py | 4 ++--
 frappe/model/document.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/frappe/model/base_document.py b/frappe/model/base_document.py
index 5ab31cdf66..569cea9d5f 100644
--- a/frappe/model/base_document.py
+++ b/frappe/model/base_document.py
@@ -801,8 +801,8 @@ class BaseDocument(object):
 else:
 # get values from old doc
 if self.get('parent_doc'):
- self.parent_doc.get_latest()
- ref_doc = [d for d in self.parent_doc.get(self.parentfield) if d.name == self.name][0]
+ parent_doc = self.parent_doc.get_latest()
+ ref_doc = [d for d in parent_doc.get(self.parentfield) if d.name == self.name][0]
 else:
 ref_doc = self.get_latest()
diff --git a/frappe/model/document.py b/frappe/model/document.py
index 80f18c74c4..86bee6cef8 100644
--- a/frappe/model/document.py
+++ b/frappe/model/document.py
@@ -583,7 +583,7 @@ class Document(BaseDocument):
 # check for child tables
 for df in self.meta.get_table_fields():
- high_permlevel_fields = frappe.get_meta(df.options).meta.get_high_permlevel_fields()
+ high_permlevel_fields = frappe.get_meta(df.options).get_high_permlevel_fields()
 if high_permlevel_fields:
 for d in self.get(df.fieldname):
 d.reset_values_if_no_permlevel_access(has_access_to, high_permlevel_fields)
From 59a85b4b20d64753df694bc0ee263f35ac16a9e3 Mon Sep 17 00:00:00 2001
From: prssanna
Date: Mon, 2 Mar 2020 16:40:19 +0530
Subject: [PATCH 2/2] test: add test to check child table field permlevel
---
 frappe/tests/test_form_load.py | 45 +++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
diff --git a/frappe/tests/test_form_load.py b/frappe/tests/test_form_load.py
index fc53e21fef..5e8ad26b5e 100644
--- a/frappe/tests/test_form_load.py
+++ b/frappe/tests/test_form_load.py
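Review bot: The `[0]` index on the filtered list in the `parent_doc` branch of `frappe/model/base_document.py` raises a bare IndexError when no row of the freshly loaded parent carries this row's `name`, for example when a child row arrives with a name that is not stored under that parent. For a permission check that outcome should be explicit and fail closed: take the match with `ref_doc = next((d for d in parent_doc.get(self.parentfield) if d.name == self.name), None)` and, when it is `None`, raise a validation error or reset from the doctype defaults, because silently skipping the reset would leave the submitted high-permlevel values in place. `self.parent_doc.get_latest()` also runs once per child row, which presumably reloads the parent each time; loading it once in the caller would avoid that. The enclosing method starts and ends outside the hunk, so how unsaved rows are routed before this branch is not visible here.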
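Review bot: Nothing near the child-table loop in `frappe/model/document.py` says which permission set `has_access_to` represents, and this is the line where it matters: rows of the child doctype `df.options` are checked against a value computed before the hunk, presumably from the parent doctype's role permissions. A comment above the loop such as `# child rows are checked against the parent's permitted permlevels (has_access_to)` would make that contract explicit, once confirmed against the code above the hunk. The enclosing method starts outside the hunk.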
@@ -40,7 +40,7 @@ class TestFormLoad(unittest.TestCase):
 user.remove_roles(*user_roles)
 user.add_roles('Blogger')
- make_property_setter('Blog Post', 'published', 'permlevel', 1, 'Int')
+ make_property_setter('Blog Post', 'published', 'permlevel', 1, 'Int')
 reset('Blog Post')
 add('Blog Post', 'Website Manager', 1)
 update('Blog Post', 'Website Manager', 1, 'write', 1)
@@ -79,6 +79,49 @@ class TestFormLoad(unittest.TestCase):
 user.remove_roles('Blogger', 'Website Manager')
 user.add_roles(*user_roles)
+ def test_fieldlevel_permissions_in_load_for_child_table(self):
+ contact = frappe.new_doc('Contact')
+ contact.first_name = '_Test Contact 1'
+ contact.append('phone_nos', {'phone': '123456'})
+ contact.insert()
+
+ user = frappe.get_doc('User', 'test@example.com')
+
+ user_roles = frappe.get_roles()
+ user.remove_roles(*user_roles)
+ user.add_roles('Accounts User')
+
+ make_property_setter('Contact Phone', 'phone', 'permlevel', 1, 'Data')
+ reset('Contact Phone')
+ add('Contact', 'Sales User', 1)
+ update('Contact', 'Sales User', 1, 'write', 1)
+
+ frappe.set_user(user.name)
+
+ contact = frappe.get_doc('Contact', '_Test Contact 1')
+
+ contact.phone_nos[0].phone = '654321'
+ contact.save()
+
+ self.assertEqual(contact.phone_nos[0].phone, '123456')
+
+ frappe.set_user('Administrator')
+ user.add_roles('Sales User')
+ frappe.set_user(user.name)
+
+ contact.phone_nos[0].phone = '654321'
+ contact.save()
+
+ contact = frappe.get_doc('Contact', '_Test Contact 1')
+ self.assertEqual(contact.phone_nos[0].phone, '654321')
+
+ frappe.set_user('Administrator')
+
+ # reset user roles
+ user.remove_roles('Accounts User', 'Sales User')
+ user.add_roles(*user_roles)
+
+
 def get_blog(blog_name):
 frappe.response.docs = []
 getdoc('Blog Post', blog_name)
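Review bot: The cleanup at the end of `test_fieldlevel_permissions_in_load_for_child_table` only runs when both assertions pass, so a failure leaves the session as `test@example.com` with altered roles for every later test; register it up front, e.g. `self.addCleanup(frappe.set_user, 'Administrator')` before the first `frappe.set_user(user.name)`, and restore the roles the same way. The `permlevel` property setter on `Contact Phone`, the level-1 rule added for `Sales User` on `Contact` and the inserted `_Test Contact 1` record are never reverted in the visible lines, so they persist into later tests and a rerun may collide with the existing contact. `reset('Contact Phone')` targets a different doctype than the following `add('Contact', ...)`, unlike the `reset('Blog Post')` / `add('Blog Post', ...)` pairing in the earlier hunk, so it is probably meant to be `reset('Contact')`. The first assertion reads the in-memory document after `save()`; reloading with `frappe.get_doc('Contact', '_Test Contact 1')` first, as the second assertion does, would check the stored value instead.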