From 080d136fd73e538940ac8f36f6601b453f39d6f7 Mon Sep 17 00:00:00 2001
From: Suraj Shetty <13928957+surajshetty3416@users.noreply.github.com>
Date: Tue, 14 Jan 2020 12:55:03 +0530
Subject: [PATCH] fix: Improper escaping (#20248)
* fix: Improper escaping
issue was introduced in https://github.com/frappe/erpnext/pull/20202
* fix: missing closing parentheses
* style: trim unwanted spaces
Co-authored-by: Pranav Nachnekar
---
 .../doctype/authorization_control/authorization_control.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/erpnext/setup/doctype/authorization_control/authorization_control.py b/erpnext/setup/doctype/authorization_control/authorization_control.py
index 0c52b834de..fec5c7ca95 100644
--- a/erpnext/setup/doctype/authorization_control/authorization_control.py
+++ b/erpnext/setup/doctype/authorization_control/authorization_control.py
@@ -76,7 +76,7 @@ class AuthorizationControl(TransactionBase):
 add_cond = ''
 auth_value = av_dis
 
- if val == 1: add_cond += " and system_user = '"+ frappe.db.escape(session['user'])+"'"
+ if val == 1: add_cond += " and system_user = {}".format(frappe.db.escape(session['user']))
 elif val == 2: add_cond += " and system_role IN %s" % ("('"+"','".join(frappe.get_roles())+"')")
 else: add_cond += " and ifnull(system_user,'') = '' and ifnull(system_role,'') = ''"
 
@@ -85,7 +85,7 @@ class AuthorizationControl(TransactionBase):
 if doc_obj:
 if doc_obj.doctype == 'Sales Invoice': customer = doc_obj.customer
 else: customer = doc_obj.customer_name
- add_cond = " and master_name = '"+ frappe.db.escape(customer) +"'"
+ add_cond = " and master_name = {}".format(frappe.db.escape(customer))
 if based_on == 'Itemwise Discount':
 if doc_obj:
 for t in doc_obj.get("items"):
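Review bot: The `elif val == 2` line in the first hunk still builds its IN list by joining `frappe.get_roles()` with bare quotes, so a role name containing a quote or backslash breaks the generated SQL, while the neighbouring `val == 1` line now goes through `frappe.db.escape`. Escaping each element the same way keeps the branch consistent with the fix: `elif val == 2: add_cond += " and system_role IN ({})".format(", ".join(frappe.db.escape(r) for r in frappe.get_roles()))`. Both changed lines drop the surrounding quotes, so the fix presumably relies on `frappe.db.escape` returning an already-quoted literal; a short comment such as `# frappe.db.escape() returns a quoted literal, so no extra quotes are added here` would keep the next reader from re-adding them and reintroducing the doubled quoting this commit removes. The same assumption applies to the `master_name` line in the second hunk, and the enclosing method starts and ends outside both hunks.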