nsinnovations/erpnext
2
0
Fork 0
mirror of https://github.com/frappe/erpnext.git synced 2026-06-10 16:33:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: add permission checks in accounts whitelisted methods

Browse Source 
(cherry picked from commit 5dbf3fdde0)

# Conflicts:
#	erpnext/accounts/doctype/payment_entry/payment_entry.py
This commit is contained in:
Shllokkk
2026-05-31 04:40:02 +05:30
committed by ruthra kumar
parent 7852ea65af
commit 2d1c0dcb53
2 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
erpnext/accounts/doctype/payment_entry/payment_entry.py
View File

@@ -2279,6 +2279,9 @@ def get_outstanding_reference_documents(args, validate=False):
if args.get("party_type") == "Member":
return
if args.get("party_type") and args.get("party"):
frappe.has_permission(args["party_type"], "read", args["party"], throw=True)
if not args.get("get_outstanding_invoices") and not args.get("get_orders_to_be_billed"):
args["get_outstanding_invoices"] = True
@@ -2788,7 +2791,8 @@ def get_reference_details(
):
total_amount = outstanding_amount = exchange_rate = account = None
ref_doc = frappe.get_doc(reference_doctype, reference_name)
frappe.has_permission(reference_doctype, "read", reference_name, throw=True)
ref_doc = frappe.get_lazy_doc(reference_doctype, reference_name)
company_currency = ref_doc.get("company_currency") or erpnext.get_company_currency(ref_doc.company)
# Only applies for Reverse Payment Entries

1
erpnext/accounts/utils.py
View File

@@ -278,6 +278,7 @@ def get_balance_on(
)
if party_type and party:
frappe.has_permission(party_type, "read", party, throw=True)
cond.append(
f"""gle.party_type = {frappe.db.escape(party_type)} and gle.party = {frappe.db.escape(party)} """
)