fix: permissions in workstation file

(cherry picked from commit cf127e8900) # Conflicts: # erpnext/manufacturing/doctype/workstation/workstation.py
2026-06-17 11:52:38 +00:00 · 2026-06-12 13:01:44 +05:30
parent a7dfc55d02
commit 0fea93388d
1 changed files with 24 additions and 7 deletions
--- a/erpnext/manufacturing/doctype/workstation/workstation.py
+++ b/erpnext/manufacturing/doctype/workstation/workstation.py
@@ -83,7 +83,7 @@ class Workstation(Document):

 	def before_save(self):
 		if self.has_value_changed("workstation_type"):
-			self.set_data_based_on_workstation_type()
+			self._set_data_based_on_workstation_type()

 		self.set_hour_rate()
 		self.set_total_working_hours()
@@ -114,6 +114,10 @@ class Workstation(Document):

 	@frappe.whitelist()
 	def set_data_based_on_workstation_type(self):
+		self.check_permission("write")
+		self._set_data_based_on_workstation_type()
+
+	def _set_data_based_on_workstation_type(self):
 		if self.workstation_type:
 			data = frappe.get_all(
 				"Workstation Cost",
@@ -211,6 +215,8 @@ class Workstation(Document):
 	@frappe.whitelist()
 	def start_job(self, job_card, from_time, employee):
 		doc = frappe.get_doc("Job Card", job_card)
+		doc.check_permission("write")
+
 		doc.append("time_logs", {"from_time": from_time, "employee": employee})
 		doc.save(ignore_permissions=True)

@@ -219,6 +225,8 @@ class Workstation(Document):
 	@frappe.whitelist()
 	def complete_job(self, job_card, qty, to_time):
 		doc = frappe.get_doc("Job Card", job_card)
+		doc.check_permission("submit")
+
 		for row in doc.time_logs:
 			if not row.to_time:
 				row.to_time = to_time
@@ -316,7 +324,13 @@ def get_status_color(status):


@frappe.whitelist()
+<<<<<<< HEAD
 def get_raw_materials(job_card):
+=======
+def get_raw_materials(job_card: str):
+	frappe.has_permission("Job Card", "read", doc=job_card, throw=True)
+
+>>>>>>> cf127e8900 (fix: permissions in workstation file)
 	raw_materials = frappe.get_all(
 		"Job Card",
 		fields=[
@@ -460,6 +474,8 @@ def check_workstation_for_holiday(workstation, from_datetime, to_datetime):

@frappe.whitelist()
 def get_workstations(**kwargs):
+	frappe.has_permission("Workstation", "read", throw=True)
+
 	kwargs = frappe._dict(kwargs)
 	_workstation = frappe.qb.DocType("Workstation")

@@ -535,13 +551,8 @@ def update_job_card(job_card: str, method: str, **kwargs):
 			title=_("Not Allowed"),
 		)

-	frappe.has_permission("Job Card", "read", throw=True)
-
 	doc = frappe.get_doc("Job Card", job_card)
-
-	# These methods mutate the Job Card, but frappe.get_doc does not enforce permissions —
-	# require write access before running anything.
-	frappe.has_permission("Job Card", "write", doc=doc, throw=True)
+	doc.check_permission("write")

 	if isinstance(kwargs, dict):
 		kwargs = frappe._dict(kwargs)
@@ -556,7 +567,13 @@ def update_job_card(job_card: str, method: str, **kwargs):


@frappe.whitelist()
+<<<<<<< HEAD
 def validate_job_card(job_card, status):
+=======
+def validate_job_card(job_card: str, status: str):
+	frappe.has_permission("Job Card", "read", doc=job_card, throw=True)
+
+>>>>>>> cf127e8900 (fix: permissions in workstation file)
 	job_card_details = frappe.db.get_value("Job Card", job_card, ["status", "for_quantity"], as_dict=1)

 	current_status = job_card_details.status