Merge pull request #28715 from frappe/mergify/bp/develop/pr-28663

fix: check at doc level when if owner role permission is checked during export (backport #28663)

frappe/core/doctype/data_import/exporter.py

@@ -110,11 +110,21 @@ class Exporter:
 		return fields or []
 
 	def get_data_to_export(self):
-		frappe.permissions.can_export(self.doctype, raise_exception=True)
-
 		table_fields = [f for f in self.exportable_fields if f != self.doctype]
 		data = self.get_data_as_docs()
 
+		if not frappe.permissions.can_export(self.doctype):
+			if frappe.permissions.can_export(self.doctype, is_owner=True):
+				for doc in data:
+					if doc.get("owner") != frappe.session.user:
+						raise frappe.PermissionError(
+							_("You are not allowed to export {} doctype").format(self.doctype)
+						)
+			else:
+				raise frappe.PermissionError(
+					_("You are not allowed to export {} doctype").format(self.doctype)
+				)
+
 		for doc in data:
 			rows = []
 			rows = self.add_data_row(self.doctype, None, doc, rows, 0)
@@ -163,7 +173,7 @@ class Exporter:
 		parent_data = frappe.db.get_list(
 			self.doctype,
 			filters=filters,
-			fields=["name", *parent_fields],
+			fields=["name", "owner", *parent_fields],
 			limit_page_length=self.export_page_length,
 			order_by=order_by,
 			as_list=0,

frappe/desk/reportview.py

@@ -357,14 +357,16 @@ def export_query():
 	form_params["limit_page_length"] = None
 	form_params["as_list"] = True
 	doctype = form_params.pop("doctype")
+	if isinstance(form_params["fields"], list):
+		form_params["fields"].append("owner")
+	elif isinstance(form_params["fields"], tuple):
+		form_params["fields"] = form_params["fields"] + ("owner",)
 	file_format_type = form_params.pop("file_format_type")
 	title = form_params.pop("title", doctype)
 	csv_params = pop_csv_params(form_params)
 	add_totals_row = 1 if form_params.pop("add_totals_row", None) == "1" else None
 	translate_values = 1 if form_params.pop("translate_values", None) == "1" else None
 
-	frappe.permissions.can_export(doctype, raise_exception=True)
-
 	if selection := form_params.pop("selected_items", None):
 		form_params["filters"] = {"name": ("in", json.loads(selection))}
 
@@ -378,6 +380,16 @@ def export_query():
 	db_query = DatabaseQuery(doctype)
 	ret = db_query.execute(**form_params)
 
+	if not frappe.permissions.can_export(doctype):
+		if frappe.permissions.can_export(doctype, is_owner=True):
+			for row in ret:
+				if row[-1] != frappe.session.user:
+					raise frappe.PermissionError(
+						_("You are not allowed to export {} doctype").format(doctype)
+					)
+		else:
+			raise frappe.PermissionError(_("You are not allowed to export {} doctype").format(doctype))
+
 	if add_totals_row:
 		ret = append_totals_row(ret)
 

frappe/permissions.py

@@ -593,11 +593,11 @@ def can_import(doctype, raise_exception=False):
 	return True
 
 
-def can_export(doctype, raise_exception=False):
+def can_export(doctype, raise_exception=False, is_owner=False):
 	if "System Manager" in frappe.get_roles():
 		return True
 	else:
-		role_permissions = frappe.permissions.get_role_permissions(doctype)
+		role_permissions = frappe.permissions.get_role_permissions(doctype, is_owner=is_owner)
 		has_access = role_permissions.get("export") or role_permissions.get("if_owner").get("export")
 		if not has_access and raise_exception:
 			raise frappe.PermissionError(_("You are not allowed to export {} doctype").format(doctype))