From 229e5398b55fc9eaecd34222567e1bc9af314567 Mon Sep 17 00:00:00 2001 From: Pranav Nachnekar Date: Thu, 9 Jan 2020 06:51:26 +0000 Subject: [PATCH] fix: escape % in customer name (#20202) --- .../doctype/authorization_control/authorization_control.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/erpnext/setup/doctype/authorization_control/authorization_control.py b/erpnext/setup/doctype/authorization_control/authorization_control.py index 7db703fadf..0c52b834de 100644 --- a/erpnext/setup/doctype/authorization_control/authorization_control.py +++ b/erpnext/setup/doctype/authorization_control/authorization_control.py @@ -76,7 +76,7 @@ class AuthorizationControl(TransactionBase): add_cond = '' auth_value = av_dis - if val == 1: add_cond += " and system_user = '"+session['user'].replace("'", "\\'")+"'" + if val == 1: add_cond += " and system_user = '"+ frappe.db.escape(session['user'])+"'" elif val == 2: add_cond += " and system_role IN %s" % ("('"+"','".join(frappe.get_roles())+"')") else: add_cond += " and ifnull(system_user,'') = '' and ifnull(system_role,'') = ''" @@ -85,7 +85,7 @@ class AuthorizationControl(TransactionBase): if doc_obj: if doc_obj.doctype == 'Sales Invoice': customer = doc_obj.customer else: customer = doc_obj.customer_name - add_cond = " and master_name = '"+cstr(customer).replace("'", "\\'")+"'" + add_cond = " and master_name = '"+ frappe.db.escape(customer) +"'" if based_on == 'Itemwise Discount': if doc_obj: for t in doc_obj.get("items"):