fix: add permission checks in whitelisted functions (#53103)

This commit is contained in:
Priyal Rawal
2026-03-10 12:34:15 +05:30
committed by GitHub
parent f2f47d6d88
commit a6e78c2eea
5 changed files with 30 additions and 22 deletions


@@ -59,7 +59,7 @@ def get_bank_transactions(
filters.append(["date", "<=", to_date])
if from_date:
filters.append(["date", ">=", from_date])
transactions = frappe.get_all(
transactions = frappe.get_list(
"Bank Transaction",
fields=[
"date",
@@ -84,6 +84,7 @@ def get_bank_transactions(
@frappe.whitelist()
def get_account_balance(bank_account: str, till_date: str | date, company: str):
# returns account balance till the specified date
frappe.has_permission("Bank Account", "read", bank_account, throw=True)
account = frappe.db.get_value("Bank Account", bank_account, "account")
filters = frappe._dict(
{
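Review bot: `get_account_balance` now requires read on the Bank Account, but `company` and `till_date` are still taken from the request unchecked, and the rest of the body (where the balance is presumably computed from the linked `account`) is outside the hunk — the bank account's own company is never compared with the `company` argument. If the later query keys on `company`, a mismatched pair silently returns a balance for a company the user never proved access to; fetching both fields, `account, bank_company = frappe.db.get_value("Bank Account", bank_account, ["account", "company"])`, and raising with `frappe.throw` when `bank_company != company` would close that. `get_bank_transactions` in the first hunk starts before the hunk, so its other filter inputs are not visible here.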


@@ -955,6 +955,7 @@ def resend_payment_email(docname: str):
@frappe.whitelist()
def make_payment_entry(docname: str):
doc = frappe.get_doc("Payment Request", docname)
doc.check_permission("read")
return doc.create_payment_entry(submit=False).as_dict()
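Review bot: `doc.check_permission("read")` on the Payment Request is a weaker gate than the action it guards: the method's output is a Payment Entry, so a user who may only view payment requests can still drive `create_payment_entry`, and whether that helper inserts anything with `ignore_permissions` is not visible here. Adding `frappe.has_permission("Payment Entry", "create", throw=True)` after the read check ties the endpoint to the permission the resulting document actually needs, and costs nothing if the client-side save enforces it again. Also note `frappe.get_doc` runs before the check, so a nonexistent `docname` answers with DoesNotExistError while a forbidden one answers PermissionError — a minor existence oracle, acceptable for an authenticated endpoint but worth knowing.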


@@ -465,6 +465,8 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin
when Is Billing Contact checked
and Primary email- email with Is Primary checked"""
frappe.has_permission("Customer", "read", customer_name, throw=True)
billing_email = frappe.db.sql(
"""
SELECT
@@ -508,6 +510,7 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin
@frappe.whitelist()
def download_statements(document_name: str):
doc = frappe.get_doc("Process Statement Of Accounts", document_name)
doc.check_permission("read")
report = get_report_pdf(doc)
if report:
frappe.local.response.filename = doc.name + ".pdf"
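Review bot: In `get_customer_emails` the new `has_permission("Customer", "read", customer_name, throw=True)` gates on the Customer, but the emails are then read with raw `frappe.db.sql` from contact tables, so Contact-level permissions are bypassed by design; a one-line comment such as `# Contact rows are read directly: access is decided by Customer read permission, not Contact permission` would make that intentional rather than accidental. The query body is outside the hunk — confirm `customer_name` is bound as a parameter (`%(customer_name)s` with a values dict) rather than formatted into the string, since it is user-supplied. `primary_mandatory` also still arrives as `str | int` from the client and should be normalised with `frappe.utils.cint` before use, unless that already happens below.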


@@ -28,28 +28,30 @@ frappe.query_reports["Stock Qty vs Batch Qty"] = {
},
],
onload: function (report) {
report.page.add_inner_button(__("Update Batch Qty"), function () {
let indexes = frappe.query_report.datatable.rowmanager.getCheckedRows();
let selected_rows = indexes
.map((i) => frappe.query_report.data[i])
.filter((row) => row.difference != 0);
if (frappe.model.can_write("Batch")) {
report.page.add_inner_button(__("Update Batch Qty"), function () {
let indexes = frappe.query_report.datatable.rowmanager.getCheckedRows();
let selected_rows = indexes
.map((i) => frappe.query_report.data[i])
.filter((row) => row.difference != 0);
if (selected_rows.length) {
frappe.call({
method: "erpnext.stock.report.stock_qty_vs_batch_qty.stock_qty_vs_batch_qty.update_batch_qty",
args: {
selected_batches: selected_rows,
},
callback: function (r) {
if (!r.exc) {
report.refresh();
}
},
});
} else {
frappe.msgprint(__("Please select at least one row with difference value"));
}
});
if (selected_rows.length) {
frappe.call({
method: "erpnext.stock.report.stock_qty_vs_batch_qty.stock_qty_vs_batch_qty.update_batch_qty",
args: {
selected_batches: selected_rows,
},
callback: function (r) {
if (!r.exc) {
report.refresh();
}
},
});
} else {
frappe.msgprint(__("Please select at least one row with difference value"));
}
});
}
},
formatter: function (value, row, column, data, default_formatter) {
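Review bot: Wrapping the whole `onload` body in `if (frappe.model.can_write("Batch"))` re-indents roughly forty lines for a one-line gate; a guard clause, `if (!frappe.model.can_write("Batch")) return;` as the first statement of `onload`, keeps the diff to one added line and leaves the existing code untouched. Either way this only hides the button: `can_write` is a client-side convenience that is bypassed by calling the method directly, so the server-side `has_permission` in `update_batch_qty` is the control that matters, and a short comment above the check (`// UI hint only; the server re-checks write permission on Batch`) would stop a later reader from treating this as the enforcement point.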


@@ -101,6 +101,7 @@ def get_data(filters=None):
@frappe.whitelist()
def update_batch_qty(selected_batches: str | None = None):
frappe.has_permission("Batch", "write", throw=True, ignore_share_permissions=True)
if not selected_batches:
return
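Review bot: `frappe.has_permission("Batch", "write", throw=True, ignore_share_permissions=True)` is a doctype-level check only — it proves the user may write some Batch, not the specific batches in `selected_batches`, so per-document user permissions (for example a user restricted to one company's batches) are not consulted unless the update path below goes through `doc.save()`; the body after the early return is outside the hunk. If it writes with `frappe.db.set_value` or similar, add `frappe.has_permission("Batch", "write", batch_name, throw=True)` per selected batch inside the loop. Separately, `selected_batches` appears to be the full client row set (the report sends `selected_rows` as-is), so the server should use only the batch identifier from each row and recompute the quantity itself rather than trusting any client-supplied `difference` or qty values; `ignore_share_permissions=True` also deserves a one-line comment explaining why shares are deliberately excluded here.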