From 65ce737c2dbbd5e76bb152c3070d12be1e2f9e0d Mon Sep 17 00:00:00 2001 From: venkat102 Date: Thu, 4 Sep 2025 21:00:52 +0530 Subject: [PATCH 1/2] fix: add condition for name (cherry picked from commit cf5a2d6351c9e98ffc828c09e8cf0ecd7378a765) --- erpnext/accounts/utils.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/erpnext/accounts/utils.py b/erpnext/accounts/utils.py index 3c0485798b1..18cbc65731c 100644 --- a/erpnext/accounts/utils.py +++ b/erpnext/accounts/utils.py @@ -2475,6 +2475,10 @@ def build_qb_match_conditions(doctype, user=None) -> list: for filter in match_filters: for link_option, allowed_values in filter.items(): fieldnames = link_fields_map.get(link_option, []) + cond = None + + if link_option == doctype: + cond = _dt["name"].isin(allowed_values) for fieldname in fieldnames: field = _dt[fieldname] @@ -2483,6 +2487,7 @@ def build_qb_match_conditions(doctype, user=None) -> list: if not apply_strict_user_permissions: cond = (Coalesce(field, "") == "") | cond + if cond: criterion.append(cond) return criterion From 089c068ee8fae4787b0ee870cbeaff894016e0bc Mon Sep 17 00:00:00 2001 From: venkat102 Date: Thu, 18 Sep 2025 00:02:10 +0530 Subject: [PATCH 2/2] test: add test to validate user permission in qb (cherry picked from commit a5b881ea74d303fb6caec96d5ab3ac89878ef771) # Conflicts: # erpnext/setup/doctype/employee/test_employee.py --- .../setup/doctype/employee/test_employee.py | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/erpnext/setup/doctype/employee/test_employee.py b/erpnext/setup/doctype/employee/test_employee.py index 9b706836269..1e9a8278ec2 100644 --- a/erpnext/setup/doctype/employee/test_employee.py +++ b/erpnext/setup/doctype/employee/test_employee.py 
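Review bot: In the first hunk of erpnext/accounts/utils.py the new name restriction is stored in the same `cond` variable that the `for fieldname in fieldnames:` loop goes on to use, so it may not survive to `criterion.append(cond)`. The lines between the two hunks are not shown. If they reassign `cond` per field, a doctype with a link field to itself loses the `name` filter; if they do not, `cond = (Coalesce(field, "") == "") | cond` in the second hunk ORs an empty-field escape onto the name filter. This list is a user-permission match filter, so a dropped or widened condition returns rows the user should not see. Appending the name condition on its own keeps it independent of the loop: `if link_option == doctype: criterion.append(_dt["name"].isin(allowed_values))`.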
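Review bot: `if cond:` in the second hunk of erpnext/accounts/utils.py tests the truthiness of a query-builder expression rather than whether a condition was built; `if cond is not None:` states the intent and does not depend on how the criterion class defines `__bool__`. Indentation is lost on this page, so it cannot be confirmed whether the guard sits inside or after the `for fieldname in fieldnames:` loop. If it sits after the loop, only the last field's condition reaches `criterion.append(cond)`, which is worth checking in the file. The body of build_qb_match_conditions starts outside the hunk.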
@@ -5,8 +5,10 @@ import unittest import frappe import frappe.utils +from frappe.query_builder import Criterion import erpnext +from erpnext.accounts.utils import build_qb_match_conditions from erpnext.setup.doctype.employee.employee import InactiveEmployeeStatusError test_records = frappe.get_test_records("Employee") @@ -34,6 +36,32 @@ class TestEmployee(unittest.TestCase): employee_doc.save() self.assertTrue("Employee" not in frappe.get_roles(user)) + def test_employee_user_permission(self): + employee1 = make_employee("employee_1_test@company.com", create_user_permission=1) + employee2 = make_employee("employee_2_test@company.com", create_user_permission=1) + make_employee("employee_3_test@company.com", create_user_permission=1) + + employee1_doc = frappe.get_doc("Employee", employee1) + employee2_doc = frappe.get_doc("Employee", employee2) + + employee2_doc.reload() + employee2_doc.reports_to = employee1_doc.name + employee2_doc.save() + + frappe.set_user(employee1_doc.user_id) + + Employee = frappe.qb.DocType("Employee") + qb_employee_list = ( + frappe.qb.from_(Employee) + .select(Employee.name) + .where(Criterion.all(build_qb_match_conditions("Employee"))) + .orderby(Employee.Name) + ).run(pluck=Employee.name) + employee_list = frappe.db.get_list("Employee", pluck="name", order_by="name") + + self.assertEqual(qb_employee_list, employee_list) + frappe.set_user("Administrator") + def tearDown(self): frappe.db.rollback()
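Review bot: test_employee_user_permission only checks that the query-builder result equals `frappe.db.get_list(...)`, so it never asserts that the restriction actually holds; both paths returning every employee would still pass. Capture the third employee with `employee3 = make_employee("employee_3_test@company.com", create_user_permission=1)` and add `self.assertNotIn(employee3, qb_employee_list)`, assuming that record is meant to be out of scope for employee 1's user. `frappe.set_user("Administrator")` runs only if the assertion passes and the visible `tearDown` only rolls back, so a failure leaves later tests running as the restricted user; `self.addCleanup(frappe.set_user, "Administrator")` right after the first `set_user` call avoids that. `.orderby(Employee.Name)` uses a capital N where the rest of the query uses `Employee.name`, which yields a differently cased column name and can fail on a case-sensitive backend.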