nsinnovations/erpnext
2
0
Fork 0
mirror of https://github.com/frappe/erpnext.git synced 2026-04-14 20:35:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: respect field "ignore_user_permissions" property in employee query

Browse Source 
(cherry picked from commit 91d7bc55be)
This commit is contained in:
ljain112
2025-04-21 12:26:17 +05:30
committed by Mergify
parent e152c72a7b
commit a450ce25b9
1 changed files with 41 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
erpnext/controllers/queries.py
View File

@@ -8,9 +8,10 @@ from collections import OrderedDict, defaultdict
import frappe import frappe
from frappe import qb, scrub from frappe import qb, scrub
from frappe.desk.reportview import get_filters_cond, get_match_cond from frappe.desk.reportview import get_filters_cond, get_match_cond
from frappe.permissions import has_permission
from frappe.query_builder import Criterion, CustomFunction from frappe.query_builder import Criterion, CustomFunction
from frappe.query_builder.functions import Concat, Locate, Sum from frappe.query_builder.functions import Concat, Locate, Sum
from frappe.utils import nowdate, today, unique from frappe.utils import cint, nowdate, today, unique
from pypika import Order from pypika import Order
import erpnext import erpnext
@@ -20,10 +21,28 @@ from erpnext.stock.get_item_details import _get_item_tax_template
# searches for active employees # searches for active employees
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs
def employee_query(doctype, txt, searchfield, start, page_len, filters): def employee_query(
doctype,
txt,
searchfield,
start,
page_len,
filters,
reference_doctype: str | None = None,
ignore_user_permissions: bool = False,
):
doctype = "Employee" doctype = "Employee"
conditions = [] conditions = []
fields = get_fields(doctype, ["name", "employee_name"]) fields = get_fields(doctype, ["name", "employee_name"])
ignore_permissions = False
if reference_doctype and ignore_user_permissions:
ignore_permissions = has_ignored_field(reference_doctype, doctype) and has_permission(
doctype,
ptype="select" if frappe.only_has_select_perm(doctype) else "read",
)
mcond = "" if ignore_permissions else get_match_cond(doctype)
return frappe.db.sql( return frappe.db.sql(
"""select {fields} from `tabEmployee` """select {fields} from `tabEmployee`
@@ -42,13 +61,32 @@ def employee_query(doctype, txt, searchfield, start, page_len, filters):
"fields": ", ".join(fields), "fields": ", ".join(fields),
"key": searchfield, "key": searchfield,
"fcond": get_filters_cond(doctype, filters, conditions), "fcond": get_filters_cond(doctype, filters, conditions),
"mcond": get_match_cond(doctype), "mcond": mcond,
} }
), ),
{"txt": "%%%s%%" % txt, "_txt": txt.replace("%", ""), "start": start, "page_len": page_len}, {"txt": "%%%s%%" % txt, "_txt": txt.replace("%", ""), "start": start, "page_len": page_len},
) )
def has_ignored_field(reference_doctype, doctype):
meta = frappe.get_meta(reference_doctype)
for field in meta.fields:
if not field.ignore_user_permissions:
continue
if field.fieldtype == "Link" and field.options == doctype:
return True
elif field.fieldtype == "Dynamic Link":
options = meta.get_link_doctype(field.fieldname)
if not options:
continue
if isinstance(options, str):
options = options.split("\n")
if doctype in options or "Doctype" in options:
return True
return False
# searches for leads which are not converted # searches for leads which are not converted
@frappe.whitelist() @frappe.whitelist()
@frappe.validate_and_sanitize_search_inputs @frappe.validate_and_sanitize_search_inputs