fix: add permission checks in whitelisted functions (#53103)
@@ -59,7 +59,7 @@ def get_bank_transactions(
|
|||||||
filters.append(["date", "<=", to_date])
|
filters.append(["date", "<=", to_date])
|
||||||
if from_date:
|
if from_date:
|
||||||
filters.append(["date", ">=", from_date])
|
filters.append(["date", ">=", from_date])
|
||||||
transactions = frappe.get_all(
|
transactions = frappe.get_list(
|
||||||
"Bank Transaction",
|
"Bank Transaction",
|
||||||
fields=[
|
fields=[
|
||||||
"date",
|
"date",
|
||||||
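Review bot: The switch to `frappe.get_list` on the `transactions = ...` line is the security-relevant part of this hunk, but nothing in the code says so, and a later maintainer could "optimize" it back to `get_all`, which skips the caller's permission checks. Add a comment above that line: `# get_list (not get_all): apply the caller's read/user permissions on Bank Transaction`. The enclosing `get_bank_transactions` starts before the hunk and its query continues past it, so I could not confirm whether the `filters` built above are the only row restriction.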
@@ -84,6 +84,7 @@ def get_bank_transactions(
|
|||||||
@frappe.whitelist()
|
@frappe.whitelist()
|
||||||
def get_account_balance(bank_account: str, till_date: str | date, company: str):
|
def get_account_balance(bank_account: str, till_date: str | date, company: str):
|
||||||
# returns account balance till the specified date
|
# returns account balance till the specified date
|
||||||
|
frappe.has_permission("Bank Account", "read", bank_account, throw=True)
|
||||||
account = frappe.db.get_value("Bank Account", bank_account, "account")
|
account = frappe.db.get_value("Bank Account", bank_account, "account")
|
||||||
filters = frappe._dict(
|
filters = frappe._dict(
|
||||||
{
|
{
|
||||||
|
|||||||
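Review bot: The new `frappe.has_permission("Bank Account", "read", bank_account, throw=True)` gates the Bank Account document, but the value returned is computed from ledger data selected by the `filters` dict that begins at the end of the hunk, and nothing here checks that the caller may read that ledger. If the query below uses `frappe.db.sql` or `frappe.get_all` (which bypass permissions), a user with read on a Bank Account but no access to the linked account's entries still gets its balance; confirm that is intended, or check the linked `account` as well. Also replace the bare `# returns account balance till the specified date` comment with a docstring that names the failure mode: `"""Return the balance of the account linked to *bank_account* up to *till_date*. Raises frappe.PermissionError if the caller cannot read the Bank Account."""`. The function body continues past the hunk.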
@@ -955,6 +955,7 @@ def resend_payment_email(docname: str):
|
|||||||
@frappe.whitelist()
|
@frappe.whitelist()
|
||||||
def make_payment_entry(docname: str):
|
def make_payment_entry(docname: str):
|
||||||
doc = frappe.get_doc("Payment Request", docname)
|
doc = frappe.get_doc("Payment Request", docname)
|
||||||
|
doc.check_permission("read")
|
||||||
return doc.create_payment_entry(submit=False).as_dict()
|
return doc.create_payment_entry(submit=False).as_dict()
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
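Review bot: `doc.check_permission("read")` is a weaker gate than the function name suggests: `make_payment_entry` builds a Payment Entry from the request, and read access on the Payment Request says nothing about whether the caller may create Payment Entries. Since the result is returned with `submit=False` and `.as_dict()`, it looks like the entry is handed back unsaved for the client form, with create permission enforced when the client inserts it; that is fine if `create_payment_entry` does not insert (not visible here), but it should be stated: `# "read" is enough here: the Payment Entry is returned unsaved; create/submit permission is checked when the client saves it`. If it does insert, add `frappe.has_permission("Payment Entry", "create", throw=True)` as well.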
@@ -465,6 +465,8 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin
|
|||||||
when Is Billing Contact checked
|
when Is Billing Contact checked
|
||||||
and Primary email- email with Is Primary checked"""
|
and Primary email- email with Is Primary checked"""
|
||||||
|
|
||||||
|
frappe.has_permission("Customer", "read", customer_name, throw=True)
|
||||||
|
|
||||||
billing_email = frappe.db.sql(
|
billing_email = frappe.db.sql(
|
||||||
"""
|
"""
|
||||||
SELECT
|
SELECT
|
||||||
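Review bot: The docstring that ends on the `and Primary email- email with Is Primary checked"""` line does not mention the new requirement, so callers reading the contract will not know the function now raises for customers they cannot read. Add a line to it: `Raises frappe.PermissionError if the caller lacks read permission on the Customer.` The `frappe.db.sql` query that follows starts in the hunk but its parameters lie past it; since `customer_name` is the value the new check validates, confirm it is bound as a query parameter rather than interpolated into the SQL string. The function continues outside the hunk.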
@@ -508,6 +510,7 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin
|
|||||||
@frappe.whitelist()
|
@frappe.whitelist()
|
||||||
def download_statements(document_name: str):
|
def download_statements(document_name: str):
|
||||||
doc = frappe.get_doc("Process Statement Of Accounts", document_name)
|
doc = frappe.get_doc("Process Statement Of Accounts", document_name)
|
||||||
|
doc.check_permission("read")
|
||||||
report = get_report_pdf(doc)
|
report = get_report_pdf(doc)
|
||||||
if report:
|
if report:
|
||||||
frappe.local.response.filename = doc.name + ".pdf"
|
frappe.local.response.filename = doc.name + ".pdf"
|
||||||
|
|||||||
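Review bot: The new `doc.check_permission("read")` is the whole access control for the statement PDF that this endpoint streams (see `frappe.local.response.filename = doc.name + ".pdf"`), yet `download_statements` has no docstring saying so. Add one: `"""Stream the statement-of-accounts PDF for *document_name*. Raises frappe.PermissionError unless the caller can read the Process Statement Of Accounts document."""`. Note that `frappe.get_doc` runs before the check, so an unknown name raises `DoesNotExistError` rather than a permission error; that is the usual Frappe ordering and acceptable unless document-name enumeration matters here. The function continues past the hunk.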
@@ -28,28 +28,30 @@ frappe.query_reports["Stock Qty vs Batch Qty"] = {
|
|||||||
},
|
},
|
||||||
],
|
],
|
||||||
onload: function (report) {
|
onload: function (report) {
|
||||||
report.page.add_inner_button(__("Update Batch Qty"), function () {
|
if (frappe.model.can_write("Batch")) {
|
||||||
let indexes = frappe.query_report.datatable.rowmanager.getCheckedRows();
|
report.page.add_inner_button(__("Update Batch Qty"), function () {
|
||||||
let selected_rows = indexes
|
let indexes = frappe.query_report.datatable.rowmanager.getCheckedRows();
|
||||||
.map((i) => frappe.query_report.data[i])
|
let selected_rows = indexes
|
||||||
.filter((row) => row.difference != 0);
|
.map((i) => frappe.query_report.data[i])
|
||||||
|
.filter((row) => row.difference != 0);
|
||||||
|
|
||||||
if (selected_rows.length) {
|
if (selected_rows.length) {
|
||||||
frappe.call({
|
frappe.call({
|
||||||
method: "erpnext.stock.report.stock_qty_vs_batch_qty.stock_qty_vs_batch_qty.update_batch_qty",
|
method: "erpnext.stock.report.stock_qty_vs_batch_qty.stock_qty_vs_batch_qty.update_batch_qty",
|
||||||
args: {
|
args: {
|
||||||
selected_batches: selected_rows,
|
selected_batches: selected_rows,
|
||||||
},
|
},
|
||||||
callback: function (r) {
|
callback: function (r) {
|
||||||
if (!r.exc) {
|
if (!r.exc) {
|
||||||
report.refresh();
|
report.refresh();
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
frappe.msgprint(__("Please select at least one row with difference value"));
|
frappe.msgprint(__("Please select at least one row with difference value"));
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
formatter: function (value, row, column, data, default_formatter) {
|
formatter: function (value, row, column, data, default_formatter) {
|
||||||
|
|||||||
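Review bot: The new `if (frappe.model.can_write("Batch"))` wrapper around `add_inner_button` is a UI convenience, not enforcement, and a reader may take it for the security control; a comment keeps the next maintainer from relying on it: `// UI gating only: update_batch_qty re-checks Batch write permission on the server`. `frappe.model.can_write` answers at doctype level, which matches the doctype-level server check added to `update_batch_qty` in this same commit, so a user limited by user permissions to some batches still sees the button; fine as long as the server handles the per-batch case. The `onload` handler is fully inside the hunk, the surrounding report object is not.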
@@ -101,6 +101,7 @@ def get_data(filters=None):
|
|||||||
|
|
||||||
@frappe.whitelist()
|
@frappe.whitelist()
|
||||||
def update_batch_qty(selected_batches: str | None = None):
|
def update_batch_qty(selected_batches: str | None = None):
|
||||||
|
frappe.has_permission("Batch", "write", throw=True, ignore_share_permissions=True)
|
||||||
if not selected_batches:
|
if not selected_batches:
|
||||||
return
|
return
|
||||||
|
|
||||||
|
|||||||
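Review bot: `frappe.has_permission("Batch", "write", throw=True, ignore_share_permissions=True)` is a doctype-level check: it proves the caller's role may write Batches in general, not that the caller may write each batch named in `selected_batches`. If the loop that follows (past the hunk) updates batches via `doc.save()`, per-document permissions and user-permission restrictions are applied there; if it writes with `frappe.db.set_value` or similar, nothing limits which batches are touched and a per-row `frappe.has_permission("Batch", "write", batch_name, throw=True)` is needed. Either way the check line should carry a comment saying which, e.g. `# doctype-level gate; per-batch write permission is enforced by doc.save() below`. `ignore_share_permissions=True` deliberately excludes shared-document access from this bulk operation, which is worth a word in that comment too.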