Replace frappe.db.sql to frappe.get_list to apply permissions (#14037)

* Replace frappe.db.sql to frappe.get_list to apply permission
- All get_children methods used frappe.db.sql, which performs
no permission check; it is now replaced with frappe.get_list,
which checks permissions based on the user.

* Fix codacy
- Remove trailing whitespace
Suraj Shetty
2018-05-16 10:44:38 +05:30
committed by Rushabh Mehta
parent 11f3e8155b
commit 8501010f12
6 changed files with 75 additions and 72 deletions


@@ -660,29 +660,23 @@ def get_companies():
def get_children(doctype, parent, company, is_root=False):
from erpnext.accounts.report.financial_statements import sort_accounts
fieldname = frappe.db.escape(doctype.lower().replace(' ','_'))
doctype = frappe.db.escape(doctype)
# root
parent_fieldname = 'parent_' + doctype.lower().replace(' ', '_')
fields = [
'name as value',
'is_group as expandable'
]
filters = [['docstatus', '<', 2]]
if is_root:
fields = ", root_type, report_type, account_currency" if doctype=="Account" else ""
acc = frappe.db.sql(""" select
name as value, is_group as expandable {fields}
from `tab{doctype}`
where ifnull(`parent_{fieldname}`,'') = ''
and `company` = %s and docstatus<2
order by name""".format(fields=fields, fieldname = fieldname, doctype=doctype),
company, as_dict=1)
fields += ['root_type', 'report_type', 'account_currency'] if doctype == 'Account' else []
filters.append([parent_fieldname, '=', ''])
filters.append(['company', '=', company])
else:
# other
fields = ", account_currency" if doctype=="Account" else ""
acc = frappe.db.sql("""select
name as value, is_group as expandable, parent_{fieldname} as parent {fields}
from `tab{doctype}`
where ifnull(`parent_{fieldname}`,'') = %s
and docstatus<2
order by name""".format(fields=fields, fieldname=fieldname, doctype=doctype),
parent, as_dict=1)
fields += ['account_currency'] if doctype == 'Account' else []
fields += [parent_fieldname + ' as parent']
acc = frappe.get_list(doctype, fields=fields, filters=filters)
if doctype == 'Account':
sort_accounts(acc, is_root, key="value")
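Review bot: The non-root branch no longer restricts the result to the requested node. The old query bound `parent` in `ifnull(parent_{fieldname},'') = %s`, but the new `else` branch only extends `fields`, so as shown `frappe.get_list` runs with just `docstatus < 2` and would return every record the user may read instead of the children of `parent`. Add `filters.append([parent_fieldname, '=', parent])` in the `else` branch. In the root branch, `[parent_fieldname, '=', '']` replaces an explicit `ifnull(...)`, so confirm that get_list still matches rows where the parent column is NULL. The body of get_children continues outside this hunk.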