From 5d22ee7b2b895e8d27ed0ff434fa6f4d41e099cc Mon Sep 17 00:00:00 2001
From: Sumit Bhanushali
Date: Wed, 4 Dec 2024 17:24:34 +0530
Subject: [PATCH 1/3] fix: check at doc level when if owner role permission is checked during export from report view
(cherry picked from commit c7ad3296c9664f5d6b2946f46082f57b91c1bac8)
---
 frappe/desk/reportview.py | 13 +++++++++++--
 frappe/permissions.py | 4 ++--
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/frappe/desk/reportview.py b/frappe/desk/reportview.py
index 3666f30910..9a0e3dc2d7 100644
--- a/frappe/desk/reportview.py
+++ b/frappe/desk/reportview.py
@@ -357,14 +357,13 @@ def export_query():
 form_params["limit_page_length"] = None
 form_params["as_list"] = True
 doctype = form_params.pop("doctype")
+ form_params["fields"].append(f"`tab{doctype}`.`owner`")
 file_format_type = form_params.pop("file_format_type")
 title = form_params.pop("title", doctype)
 csv_params = pop_csv_params(form_params)
 add_totals_row = 1 if form_params.pop("add_totals_row", None) == "1" else None
 translate_values = 1 if form_params.pop("translate_values", None) == "1" else None
- frappe.permissions.can_export(doctype, raise_exception=True)
-
 if selection := form_params.pop("selected_items", None):
 form_params["filters"] = {"name": ("in", json.loads(selection))}
@@ -378,6 +377,16 @@ def export_query():
 db_query = DatabaseQuery(doctype)
 ret = db_query.execute(**form_params)
+ if not frappe.permissions.can_export(doctype):
+ if frappe.permissions.can_export(doctype, is_owner=True):
+ for row in ret:
+ if row[-1] != frappe.session.user:
+ raise frappe.PermissionError(
+ _("You are not allowed to export {} doctype").format(doctype)
+ )
+ else:
+ raise frappe.PermissionError(_("You are not allowed to export {} doctype").format(doctype))
+
 if add_totals_row:
 ret = append_totals_row(ret)
diff --git a/frappe/permissions.py b/frappe/permissions.py
index f37d8bb550..44878710f7 100644
--- a/frappe/permissions.py
+++ b/frappe/permissions.py
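Review bot: The `owner` field appended to `form_params["fields"]` in the first reportview.py hunk is not removed again anywhere in the visible lines, so it looks like every export from `export_query` gains a trailing owner column, including exports by users who hold the full export right. That would put the creating user's id into files that never asked for it and shift the column layout that `append_totals_row` receives. I would drop the helper column once the ownership test has run, for example `ret = [row[:-1] for row in ret]` with the matching entry removed from the header fields. The rest of export_query is outside the hunk, so confirm it is not already stripped there. Patch 3/3 rewrites this line but still appends the column.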
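Review bot: In the second reportview.py hunk the unpaginated query (`limit_page_length` is set to `None` a few lines earlier) now runs before any export permission is evaluated, so a user with no export right at all still makes the server build the full result set before being refused. The role-level answer does not depend on the rows, so I would decide it first and leave only the per-row owner comparison after `db_query.execute`. The comparison also trusts `row[-1]` to be the owner column, which holds only while the appended field stays last, and a short comment saying so would help. `Exporter.get_data_to_export` in patch 2/3 has the same query-then-check order. export_query starts and ends outside this hunk.

```python
db_query = DatabaseQuery(doctype)

can_export_all = frappe.permissions.can_export(doctype)
if not can_export_all and not frappe.permissions.can_export(doctype, is_owner=True):
	raise frappe.PermissionError(_("You are not allowed to export {} doctype").format(doctype))

ret = db_query.execute(**form_params)

# row[-1] is the owner column appended to form_params["fields"] above
if not can_export_all and any(row[-1] != frappe.session.user for row in ret):
	raise frappe.PermissionError(_("You are not allowed to export {} doctype").format(doctype))

# … unchanged: totals row handling …
```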
@@ -593,11 +593,11 @@ def can_import(doctype, raise_exception=False):
 return True
-def can_export(doctype, raise_exception=False):
+def can_export(doctype, raise_exception=False, is_owner=False):
 if "System Manager" in frappe.get_roles():
 return True
 else:
- role_permissions = frappe.permissions.get_role_permissions(doctype)
+ role_permissions = frappe.permissions.get_role_permissions(doctype, is_owner=is_owner)
 has_access = role_permissions.get("export") or role_permissions.get("if_owner").get("export")
 if not has_access and raise_exception:
 raise frappe.PermissionError(_("You are not allowed to export {} doctype").format(doctype))
From 1bb26f68d3997386ddc765d12c22c6dd7c2695bc Mon Sep 17 00:00:00 2001
From: Sumit Bhanushali
Date: Wed, 4 Dec 2024 17:25:06 +0530
Subject: [PATCH 2/3] fix: check at doc level when if owner role permission is checked during export from list view
(cherry picked from commit 1ed45ceb97868c9b517dd3066f0b4ea2cd5358f5)
---
 frappe/core/doctype/data_import/exporter.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/frappe/core/doctype/data_import/exporter.py b/frappe/core/doctype/data_import/exporter.py
index 4128ba396a..3300693e26 100644
--- a/frappe/core/doctype/data_import/exporter.py
+++ b/frappe/core/doctype/data_import/exporter.py
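Review bot: `can_export` now has two meanings and neither is documented: with `is_owner=True` a `True` result only says the user could export documents they own, and no document has been examined. A caller that passes the flag and skips the per-row owner comparison would release every row, so the contract belongs in a docstring, for example `"""Return whether the session user may export doctype. With is_owner=True the answer covers only documents the user owns; the caller must still compare each row's owner."""`. On the unchanged `has_access` line, `role_permissions.get("if_owner").get("export")` would raise AttributeError if the `if_owner` key were ever absent, and `role_permissions.get("if_owner", {}).get("export")` avoids that. The function body continues past the end of the hunk.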
@@ -110,11 +110,21 @@ class Exporter:
 return fields or []
 def get_data_to_export(self):
- frappe.permissions.can_export(self.doctype, raise_exception=True)
-
 table_fields = [f for f in self.exportable_fields if f != self.doctype]
 data = self.get_data_as_docs()
+ if not frappe.permissions.can_export(self.doctype):
+ if frappe.permissions.can_export(self.doctype, is_owner=True):
+ for doc in data:
+ if doc.get("owner") != frappe.session.user:
+ raise frappe.PermissionError(
+ _("You are not allowed to export {} doctype").format(self.doctype)
+ )
+ else:
+ raise frappe.PermissionError(
+ _("You are not allowed to export {} doctype").format(self.doctype)
+ )
+
 for doc in data:
 rows = []
 rows = self.add_data_row(self.doctype, None, doc, rows, 0)
@@ -163,7 +173,7 @@ class Exporter:
 parent_data = frappe.db.get_list(
 self.doctype,
 filters=filters,
- fields=["name", *parent_fields],
+ fields=["name", "owner", *parent_fields],
 limit_page_length=self.export_page_length,
 order_by=order_by,
 as_list=0,
From 9a331d30c6749fa8e8847b3a4c97f5953059ccc1 Mon Sep 17 00:00:00 2001
From: Sumit Bhanushali
Date: Wed, 4 Dec 2024 22:11:52 +0530
Subject: [PATCH 3/3] chore: fix for failing test
(cherry picked from commit 0f3dad71e69e829171ac7c48de065f797a1357bd)
---
 frappe/desk/reportview.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/frappe/desk/reportview.py b/frappe/desk/reportview.py
index 9a0e3dc2d7..fa4992c9f4 100644
--- a/frappe/desk/reportview.py
+++ b/frappe/desk/reportview.py
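Review bot: The ownership block added to `get_data_to_export` is a second copy of the one added to `export_query` in patch 1/3, including the repeated message string. Copied permission logic tends to drift, and a later fix applied to one copy only would leave the other export path unprotected, so I would move it into a single helper in frappe/permissions.py that takes the doctype and an iterable of owners and raises `frappe.PermissionError`. The block also walks `data` once before the export loop walks it again. That is fine for a list, but if `get_data_as_docs()` ever returns a one-shot iterator the export would come out empty, so `data = list(self.get_data_as_docs())` would make the assumption explicit. get_data_to_export continues outside the hunk.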
@@ -357,7 +357,10 @@ def export_query():
 form_params["limit_page_length"] = None
 form_params["as_list"] = True
 doctype = form_params.pop("doctype")
- form_params["fields"].append(f"`tab{doctype}`.`owner`")
+ if isinstance(form_params["fields"], list):
+ form_params["fields"].append("owner")
+ elif isinstance(form_params["fields"], tuple):
+ form_params["fields"] = form_params["fields"] + ("owner",)
 file_format_type = form_params.pop("file_format_type")
 title = form_params.pop("title", doctype)
 csv_params = pop_csv_params(form_params)
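Review bot: The `isinstance` chain has no final branch, so when `form_params["fields"]` is neither a list nor a tuple no owner column is added, yet the ownership check added to export_query in patch 1/3 still reads `row[-1]` as the owner. The comparison would then run against whatever column happens to be last, which can refuse a legitimate owner or let the check pass on an unrelated value. I would fail closed with a closing `else: raise frappe.ValidationError(_("Invalid fields"))`, or normalise `fields` to a list before appending. A missing `fields` key also raises KeyError on the first `isinstance` line. The surrounding function lies outside the hunk.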