nsinnovations/erpnext
2
0
Fork 0
mirror of https://github.com/frappe/erpnext.git synced 2026-04-13 03:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: use qb to prevent incorrect sql due to user permissions

Browse Source 
(cherry picked from commit 04b967bd6d)

# Conflicts:
#	erpnext/controllers/queries.py
This commit is contained in:
ruthra kumar
2026-03-17 15:48:47 +05:30
parent f232024fa4
commit 03f09222cf
1 changed files with 51 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
erpnext/controllers/queries.py
View File

@@ -15,6 +15,7 @@ from frappe.utils import cint, nowdate, today, unique
from pypika import Order from pypika import Order
import erpnext import erpnext
from erpnext.accounts.utils import build_qb_match_conditions
from erpnext.stock.get_item_details import _get_item_tax_template from erpnext.stock.get_item_details import _get_item_tax_template
@@ -607,39 +608,38 @@ def get_blanket_orders(doctype, txt, searchfield, start, page_len, filters):
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
<<<<<<< HEAD
def get_income_account(doctype, txt, searchfield, start, page_len, filters): def get_income_account(doctype, txt, searchfield, start, page_len, filters):
from erpnext.controllers.queries import get_match_cond
=======
def get_income_account(doctype: str, txt: str, searchfield: str, start: int, page_len: int, filters: dict):
>>>>>>> fc2edfbded (chore: remove incorrect import)
# income account can be any Credit account, # income account can be any Credit account,
# but can also be a Asset account with account_type='Income Account' in special circumstances. # but can also be a Asset account with account_type='Income Account' in special circumstances.
# Hence the first condition is an "OR" # Hence the first condition is an "OR"
if not filters: if not filters:
filters = {} filters = {}
doctype = "Account" dt = "Account"
condition = ""
acc = qb.DocType(dt)
condition = [
(acc.report_type.eq("Profit and Loss") | acc.account_type.isin(["Income Account", "Temporary"])),
acc.is_group.eq(0),
acc.disabled.eq(0),
]
if txt:
condition.append(acc.name.like(f"%{txt}%"))
if filters.get("company"): if filters.get("company"):
condition += "and tabAccount.company = %(company)s" condition.append(acc.company.eq(filters.get("company")))
condition += " and tabAccount.disabled = %(disabled)s" user_perms = build_qb_match_conditions(dt)
condition.extend(user_perms)
return frappe.db.sql( return (
f"""select tabAccount.name from `tabAccount` qb.from_(acc)
where (tabAccount.report_type = "Profit and Loss" .select(acc.name)
or tabAccount.account_type in ("Income Account", "Temporary")) .where(Criterion.all(condition))
and tabAccount.is_group=0 .orderby(acc.idx, order=Order.desc)
and tabAccount.`{searchfield}` LIKE %(txt)s .orderby(acc.name)
{condition} {get_match_cond(doctype)} .run()
order by idx desc, name""",
{
"txt": "%" + txt + "%",
"company": filters.get("company", ""),
"disabled": cint(filters.get("disabled", 0)),
},
) )
@@ -699,31 +699,39 @@ def get_filtered_dimensions(doctype, txt, searchfield, start, page_len, filters,
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
<<<<<<< HEAD
def get_expense_account(doctype, txt, searchfield, start, page_len, filters): def get_expense_account(doctype, txt, searchfield, start, page_len, filters):
from erpnext.controllers.queries import get_match_cond
=======
def get_expense_account(doctype: str, txt: str, searchfield: str, start: int, page_len: int, filters: dict):
>>>>>>> fc2edfbded (chore: remove incorrect import)
if not filters: if not filters:
filters = {} filters = {}
doctype = "Account" dt = "Account"
condition = ""
if filters.get("company"):
condition += "and tabAccount.company = %(company)s"
return frappe.db.sql( acc = qb.DocType(dt)
f"""select tabAccount.name from `tabAccount` condition = [
where (tabAccount.report_type = "Profit and Loss" (
or tabAccount.account_type in ("Expense Account", "Fixed Asset", "Temporary", "Asset Received But Not Billed", "Capital Work in Progress")) acc.report_type.eq("Profit and Loss")
and tabAccount.is_group=0 | acc.account_type.isin(
and tabAccount.disabled = 0 [
and tabAccount.{searchfield} LIKE %(txt)s "Expense Account",
{condition} {get_match_cond(doctype)}""", "Fixed Asset",
{"company": filters.get("company", ""), "txt": "%" + txt + "%"}, "Temporary",
) "Asset Received But Not Billed",
"Capital Work in Progress",
]
)
),
acc.is_group.eq(0),
acc.disabled.eq(0),
]
if txt:
condition.append(acc.name.like(f"%{txt}%"))
if filters.get("company"):
condition.append(acc.company.eq(filters.get("company")))
user_perms = build_qb_match_conditions(dt)
condition.extend(user_perms)
return qb.from_(acc).select(acc.name).where(Criterion.all(condition)).run()
@frappe.whitelist() @frappe.whitelist()