nsinnovations/erpnext
2
0
Fork 0
mirror of https://github.com/frappe/erpnext.git synced 2026-06-17 11:52:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: add permission checks in accounts whitelisted methods

Browse Source 
(cherry picked from commit 5dbf3fdde0)
This commit is contained in:
Shllokkk
2026-05-31 04:40:02 +05:30
committed by Mergify
parent ecd3a19912
commit b9eb52b171
2 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
erpnext/accounts/doctype/payment_entry/payment_entry.py
View File

@@ -2294,6 +2294,9 @@ def get_outstanding_reference_documents(args, validate=False):
if args.get("party_type") == "Member":
return
if args.get("party_type") and args.get("party"):
frappe.has_permission(args["party_type"], "read", args["party"], throw=True)
if not args.get("get_outstanding_invoices") and not args.get("get_orders_to_be_billed"):
args["get_outstanding_invoices"] = True
@@ -2785,6 +2788,7 @@ def get_reference_details(
):
total_amount = outstanding_amount = exchange_rate = account = None
frappe.has_permission(reference_doctype, "read", reference_name, throw=True)
ref_doc = frappe.get_lazy_doc(reference_doctype, reference_name)
company_currency = ref_doc.get("company_currency") or erpnext.get_company_currency(ref_doc.company)

1
erpnext/accounts/utils.py
View File

@@ -303,6 +303,7 @@ def get_balance_on(
)
if party_type and party:
frappe.has_permission(party_type, "read", party, throw=True)
cond.append(
f"""gle.party_type = {frappe.db.escape(party_type)} and gle.party = {frappe.db.escape(party)} """
)