Treeview permission (#14232)

* Replace frappe.db.sql to frappe.get_list to apply permissions (#14037) * Replace frappe.db.sql to frappe.get_list to apply permission - All get_children method had frappe.db.sql in them which had no permission check, now its replaced with frappe.get_list which will check permission based on the user. * Fix codacy - Remove trailing whitespace * Add parent filter * Add ifnull checks
2018-05-26 09:12:59 +05:30 · 2018-05-26 09:12:59 +05:30 · 084b0b3a67
commit 084b0b3a67
parent aadfaa4493
6 changed files with 94 additions and 90 deletions
--- a/erpnext/accounts/utils.py
+++ b/erpnext/accounts/utils.py
@ -497,7 +497,7 @@ def get_company_default(company, fieldname):
 	if not value:
 		throw(_("Please set default {0} in Company {1}")
-		      .format(frappe.get_meta("Company").get_label(fieldname), company))
+			.format(frappe.get_meta("Company").get_label(fieldname), company))
 	return value
@ -550,16 +550,16 @@ def get_stock_rbnb_difference(posting_date, company):
 	pr_valuation_amount = frappe.db.sql("""
 		select sum(pr_item.valuation_rate * pr_item.qty * pr_item.conversion_factor)
 		from `tabPurchase Receipt Item` pr_item, `tabPurchase Receipt` pr
-	    where pr.name = pr_item.parent and pr.docstatus=1 and pr.company=%s
+		where pr.name = pr_item.parent and pr.docstatus=1 and pr.company=%s
 		and pr.posting_date <= %s and pr_item.item_code in (%s)""" %
-	    ('%s', '%s', ', '.join(['%s']*len(stock_items))), tuple([company, posting_date] + stock_items))[0][0]
+		('%s', '%s', ', '.join(['%s']*len(stock_items))), tuple([company, posting_date] + stock_items))[0][0]
 	pi_valuation_amount = frappe.db.sql("""
 		select sum(pi_item.valuation_rate * pi_item.qty * pi_item.conversion_factor)
 		from `tabPurchase Invoice Item` pi_item, `tabPurchase Invoice` pi
-	    where pi.name = pi_item.parent and pi.docstatus=1 and pi.company=%s
+		where pi.name = pi_item.parent and pi.docstatus=1 and pi.company=%s
 		and pi.posting_date <= %s and pi_item.item_code in (%s)""" %
-	    ('%s', '%s', ', '.join(['%s']*len(stock_items))), tuple([company, posting_date] + stock_items))[0][0]
+		('%s', '%s', ', '.join(['%s']*len(stock_items))), tuple([company, posting_date] + stock_items))[0][0]
 	# Balance should be
 	stock_rbnb = flt(pr_valuation_amount, 2) - flt(pi_valuation_amount, 2)
@ -681,29 +681,24 @@ def get_companies():
 def get_children(doctype, parent, company, is_root=False):
 	from erpnext.accounts.report.financial_statements import sort_accounts
-	fieldname = frappe.db.escape(doctype.lower().replace(' ','_'))
+	parent_fieldname = 'parent_' + doctype.lower().replace(' ', '_')
-	doctype = frappe.db.escape(doctype)
+	fields = [
 		'name as value',
 		'is_group as expandable'
 	]
 	filters = [['docstatus', '<', 2]]
 	filters.append(['ifnull(`{0}`,"")'.format(parent_fieldname), '=', '' if is_root else parent])
 	# root
 	if is_root:
-		fields = ", root_type, report_type, account_currency" if doctype=="Account" else ""
+		fields += ['root_type', 'report_type', 'account_currency'] if doctype == 'Account' else []
-		acc = frappe.db.sql(""" select
+		filters.append(['company', '=', company])
-			name as value, is_group as expandable {fields}
+
 			from `tab{doctype}`
 			where ifnull(`parent_{fieldname}`,'') = ''
 			and `company` = %s	and docstatus<2
 			order by name""".format(fields=fields, fieldname = fieldname, doctype=doctype),
 				company, as_dict=1)
 	else:
-		# other
+		fields += ['account_currency'] if doctype == 'Account' else []
-		fields = ", account_currency" if doctype=="Account" else ""
+		fields += [parent_fieldname + ' as parent']
-		acc = frappe.db.sql("""select
+
-			name as value, is_group as expandable, parent_{fieldname} as parent {fields}
+	acc = frappe.get_list(doctype, fields=fields, filters=filters)
 			from `tab{doctype}`
 			where ifnull(`parent_{fieldname}`,'') = %s
 			and docstatus<2
 			order by name""".format(fields=fields, fieldname=fieldname, doctype=doctype),
 				parent, as_dict=1)
 	if doctype == 'Account':
 		sort_accounts(acc, is_root, key="value")
--- a/erpnext/agriculture/doctype/land_unit/land_unit.py
+++ b/erpnext/agriculture/doctype/land_unit/land_unit.py
@ -169,11 +169,10 @@ def get_children(doctype, parent, is_root=False):
 	if is_root:
 		parent = ''
-	land_units = frappe.db.sql("""select name as value,
+	land_units = frappe.get_list(doctype,
-		is_group as expandable
+		fields = ['name as value', 'is_group as expandable'],
-		from `tabLand Unit`
+		filters= [['ifnull(`parent_land_unit`, "")', '=', parent]],
-		where ifnull(`parent_land_unit`,'') = %s
+		order_by='name')
 		order by name""", (parent), as_dict=1)
 	# return nodes
 	return land_units
--- a/erpnext/hr/doctype/employee/employee.py
+++ b/erpnext/hr/doctype/employee/employee.py
@ -318,26 +318,26 @@ def get_employee_emails(employee_list):
@frappe.whitelist()
 def get_children(doctype, parent=None, company=None, is_root=False, is_tree=False):
-	condition = ''
+	filters = [['company', '=', company]]
 	fields = ['name as value', 'employee_name as title']
 	if is_root:
-		parent = ""
+		parent = ''
 	if parent and company and parent!=company:
-		condition = ' and reports_to = "{0}"'.format(frappe.db.escape(parent))
+		filters.append(['reports_to', '=', parent])
 	else:
-		condition = ' and ifnull(reports_to, "")=""'
+		filters.append(['reports_to', '=', ''])
-	employee = frappe.db.sql("""
+	employees = frappe.get_list(doctype, fields=fields,
-		select
+		filters=filters, order_by='name')
 			name as value, employee_name as title,
 			exists(select name from `tabEmployee` where reports_to=emp.name) as expandable
 		from
 			`tabEmployee` emp
 		where company='{company}' {condition} order by name"""
 		.format(company=company, condition=condition),  as_dict=1)
-	# return employee
+	for employee in employees:
-	return employee
+		is_expandable = frappe.get_all(doctype, filters=[
 			['reports_to', '=', employee.get('value')]
 		])
 		employee.expandable = 1 if is_expandable else 0
 	return employees
 def on_doctype_update():
--- a/erpnext/manufacturing/doctype/bom/bom.py
+++ b/erpnext/manufacturing/doctype/bom/bom.py
@ -626,18 +626,28 @@ def get_children(doctype, parent=None, is_root=False, **filters):
 		return
 	if frappe.form_dict.parent:
-		return frappe.db.sql("""select
+		bom_items = frappe.get_list('BOM Item',
-			bom_item.item_code,
+			fields=['item_code', 'bom_no as value', 'stock_qty'],
-			bom_item.bom_no as value,
+			filters=[['parent', '=', frappe.form_dict.parent]],
-			bom_item.stock_qty,
+			order_by='idx')
-			if(ifnull(bom_item.bom_no, "")!="", 1, 0) as expandable,
+
-			item.image,
+		item_names = tuple(d.get('item_code') for d in bom_items)
-			item.description
+
-			from `tabBOM Item` bom_item, tabItem item
+		items = frappe.get_list('Item',
-			where bom_item.parent=%s
+			fields=['image', 'description', 'name'],
-			and bom_item.item_code = item.name
+			filters=[['name', 'in', item_names]]) # to get only required item dicts
-			order by bom_item.idx
+
-			""", frappe.form_dict.parent, as_dict=True)
+		for bom_item in bom_items:
 			# extend bom_item dict with respective item dict
 			bom_item.update(
 				# returns an item dict from items list which matches with item_code
 				(item for item in items if item.get('name')
 					== bom_item.get('item_code')).next()
 			)
 			bom_item.expandable = 0 if bom_item.value in ('', None)  else 1
 		return bom_items
 def get_boms_in_bottom_up_order(bom_no=None):
 	def _get_parent(bom_no):
--- a/erpnext/projects/doctype/task/task.py
+++ b/erpnext/projects/doctype/task/task.py
@ -186,27 +186,25 @@ def set_tasks_as_overdue():
@frappe.whitelist()
 def get_children(doctype, parent, task=None, project=None, is_root=False):
-	conditions = ''
+
 	filters = [['docstatus', '<', '2']]
 	if task:
-		# via filters
+		filters.append(['parent_task', '=', task])
 		conditions += ' and parent_task = "{0}"'.format(frappe.db.escape(task))
 	elif parent and not is_root:
 		# via expand child
-		conditions += ' and parent_task = "{0}"'.format(frappe.db.escape(parent))
+		filters.append(['parent_task', '=', parent])
 	else:
-		conditions += ' and ifnull(parent_task, "")=""'
+		filters.append(['ifnull(`parent_task`, "")', '=', ''])
 	if project:
-		conditions += ' and project = "{0}"'.format(frappe.db.escape(project))
+		filters.append(['project', '=', project])
-	tasks = frappe.db.sql("""select name as value,
+	tasks = frappe.get_list(doctype, fields=[
-		subject as title,
+		'name as value',
-		is_group as expandable
+		'subject as title',
-		from `tabTask`
+		'is_group as expandable'
-		where docstatus < 2
+	], filters=filters, order_by='name')
 		{conditions}
 		order by name""".format(conditions=conditions), as_dict=1)
 	# return tasks
 	return tasks
--- a/erpnext/stock/doctype/warehouse/warehouse.py
+++ b/erpnext/stock/doctype/warehouse/warehouse.py
@ -144,17 +144,19 @@ def get_children(doctype, parent=None, company=None, is_root=False):
 	if is_root:
 		parent = ""
-	warehouses = frappe.db.sql("""select name as value,
+	fields = ['name as value', 'is_group as expandable']
-		is_group as expandable
+	filters = [
-		from `tabWarehouse`
+		['docstatus', '<', '2'],
-		where docstatus < 2
+		['ifnull(`parent_warehouse`, "")', '=', parent],
-		and ifnull(`parent_warehouse`,'') = %s
+		['company', 'in', (company, None,'')]
-		and (`company` = %s or company is null or company = '')
+	]
-		order by name""", (parent, company), as_dict=1)
+
 	warehouses = frappe.get_list(doctype, fields=fields, filters=filters, order_by='name')
 	# return warehouses
 	for wh in warehouses:
 		wh["balance"] = get_stock_value_on(warehouse=wh.value)
 	return warehouses
@frappe.whitelist()