From 80b2ba2b9a2b0b489c72b0391d07a1c0579281c1 Mon Sep 17 00:00:00 2001 From: Makarand Bauskar Date: Sun, 10 Sep 2017 12:04:28 +0530 Subject: [PATCH] [hotfix] fixed Not Permitted issue for System user while accessing documents on portal (#10725) * [hotfix] dont allow guest user to list the invoices or orders * [hotfix] fixed Not Permitted issue for System user while accessing documents on portal * [codecy] removed trailing whitespace * [fixes] added filters for supplier in RFQ and other minor fixes --- .../request_for_quotation.js | 6 +-- .../request_for_quotation.py | 6 +-- .../controllers/website_list_for_contact.py | 41 ++++++++++++++----- 3 files changed, 36 insertions(+), 17 deletions(-)
diff --git a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.js b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.js
index 8509d77e20..f6d9ca9fdf 100644
--- a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.js
+++ b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.js
@@ -12,11 +12,11 @@ frappe.ui.form.on("Request for Quotation",{
 'Supplier Quotation': 'Supplier Quotation'
 }
- frm.fields_dict["suppliers"].grid.get_field("contact").get_query = function(doc, cdt, cdn){
- var d =locals[cdt][cdn];
+ frm.fields_dict["suppliers"].grid.get_field("contact").get_query = function(doc, cdt, cdn) {
+ let d = locals[cdt][cdn];
 return {
 query: "erpnext.buying.doctype.request_for_quotation.request_for_quotation.get_supplier_contacts",
- filters: {'supplier': doc.supplier}
+ filters: {'supplier': d.supplier}
 }
 }
 },
diff --git a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
index a775f5f345..97c4438dd3 100644
--- a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
@@ -204,9 +204,9 @@ def get_list_context(context=None):
 return list_context
 def get_supplier_contacts(doctype, txt, searchfield, start, page_len, filters):
- return frappe.db.sql(""" select `tabContact`.name from `tabContact`, `tabDynamic Link`
- where `tabDynamic Link`.link_doctype = 'Supplier' and (`tabDynamic Link`.link_name = %(name)s
- or `tabDynamic Link`.link_name like %(txt)s) and `tabContact`.name = `tabDynamic Link`.parent
+ return frappe.db.sql("""select `tabContact`.name from `tabContact`, `tabDynamic Link`
+ where `tabDynamic Link`.link_doctype = 'Supplier' and (`tabDynamic Link`.link_name=%(name)s
+ and `tabDynamic Link`.link_name like %(txt)s) and `tabContact`.name = `tabDynamic Link`.parent
 limit %(start)s, %(page_len)s""", {"start": start, "page_len":page_len, "txt": "%%%s%%" % txt, "name": filters.get('supplier')})
 # This method is used to make supplier quotation from material request form.
diff --git a/erpnext/controllers/website_list_for_contact.py b/erpnext/controllers/website_list_for_contact.py
index 65360ec9ff..ed48fd1ab4 100644
--- a/erpnext/controllers/website_list_for_contact.py
+++ b/erpnext/controllers/website_list_for_contact.py
@@ -5,7 +5,7 @@ from __future__ import unicode_literals
 import json
 import frappe
 from frappe import _
-from frappe.utils import flt
+from frappe.utils import flt, has_common
 from frappe.utils.user import is_website_user
 def get_list_context(context=None):
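Review bot: On the new side the `like %(txt)s` term still tests `tabDynamic Link`.link_name, i.e. the supplier name, and with `or` turned into `and` it now only narrows the already-exact `link_name=%(name)s` match, so any text typed into the contact field that is not a substring of the supplier's name returns no contacts; the search presumably belongs on the contact itself, ``and `tabContact`.name like %(txt)s``. The `searchfield` argument remains unused, which is acceptable if the query is deliberately pinned to the contact name but deserves a comment saying so. `txt` is also folded into the LIKE pattern via `"%%%s%%" % txt` without escaping `%` and `_`, so those characters in user input act as wildcards; harmless for a filter, but worth a line such as `# txt is used as a LIKE pattern; wildcard characters in it are not escaped`.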
@@ -55,14 +55,16 @@ def get_transaction_list(doctype, txt=None, filters=None, limit_start=0, limit_p
 return post_process(doctype, get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_length, fields="name", order_by="modified desc"))
-def get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_length=20, ignore_permissions=False,fields=None, order_by=None):
+def get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_length=20,
+ ignore_permissions=False,fields=None, order_by=None):
+ """ Get List of transactions like Invoices, Orders """
 from frappe.www.list import get_list
 meta = frappe.get_meta(doctype)
 data = []
 or_filters = []
 for d in get_list(doctype, txt, filters=filters, fields="name", limit_start=limit_start,
- limit_page_length=limit_page_length, ignore_permissions=True, order_by="modified desc"):
+ limit_page_length=limit_page_length, ignore_permissions=ignore_permissions, order_by="modified desc"):
 data.append(d)
 if txt:
@@ -74,9 +76,9 @@ def get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_len
 or_filters.append([doctype, "name", "=", child.parent])
 if or_filters:
- for r in frappe.get_list(doctype, fields=fields,filters=filters, or_filters=or_filters, limit_start=limit_start,
- limit_page_length=limit_page_length, ignore_permissions=ignore_permissions,
- order_by=order_by):
+ for r in frappe.get_list(doctype, fields=fields,filters=filters, or_filters=or_filters,
+ limit_start=limit_start, limit_page_length=limit_page_length,
+ ignore_permissions=ignore_permissions, order_by=order_by):
 data.append(r)
 return data
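Review bot: The first `get_list` call now passes `ignore_permissions` through but still hard-codes `fields="name"` and `order_by="modified desc"`, while the second `frappe.get_list` call (in the `@@ -74,9 +76,9 @@` hunk below) uses the `fields` and `order_by` parameters, so a caller supplying other values sees them honoured only on the `or_filters` path and the two result sets can differ in columns and ordering. Either thread the parameters into both calls or state the restriction in the new docstring, which at one line says nothing about the parameters. That docstring should also record that `ignore_permissions` governs both queries and that its default False makes the portal list subject to the session user's read permission on `doctype`, since the old unconditional `ignore_permissions=True` is presumably what let guests list invoices and orders. `get_list_for_transactions` continues past the end of this hunk.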
@@ -124,13 +126,30 @@ def post_process(doctype, data):
 return result
 def get_customers_suppliers(doctype, user):
+ customers = []
+ suppliers = []
 meta = frappe.get_meta(doctype)
- contacts = frappe.db.sql(""" select `tabContact`.email_id, `tabDynamic Link`.link_doctype, `tabDynamic Link`.link_name
- from `tabContact`, `tabDynamic Link` where
- `tabContact`.name = `tabDynamic Link`.parent and `tabContact`.email_id =%s """, user, as_dict=1)
- customers = [c.link_name for c in contacts if c.link_doctype == 'Customer'] if meta.get_field("customer") else None
- suppliers = [c.link_name for c in contacts if c.link_doctype == 'Supplier'] if meta.get_field("supplier") else None
+ if has_common(["Supplier", "Customer"], frappe.get_roles(user)):
+ contacts = frappe.db.sql("""
+ select
+ `tabContact`.email_id,
+ `tabDynamic Link`.link_doctype,
+ `tabDynamic Link`.link_name
+ from
+ `tabContact`, `tabDynamic Link`
+ where
+ `tabContact`.name=`tabDynamic Link`.parent and `tabContact`.email_id =%s
+ """, user, as_dict=1)
+ customers = [c.link_name for c in contacts if c.link_doctype == 'Customer'] \
+ if meta.get_field("customer") else None
+ suppliers = [c.link_name for c in contacts if c.link_doctype == 'Supplier'] \
+ if meta.get_field("supplier") else None
+ elif frappe.has_permission(doctype, 'read', user=user):
+ customers = [customer.name for customer in frappe.get_list("Customer")] \
+ if meta.get_field("customer") else None
+ suppliers = [supplier.name for supplier in frappe.get_list("Customer")] \
+ if meta.get_field("supplier") else None
 return customers, suppliers
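Review bot: In the `elif frappe.has_permission(...)` branch the supplier list is built from `frappe.get_list("Customer")`, so a System user's supplier filter is filled with customer names and supplier-side documents on a doctype with a `supplier` field will never match; it should read `suppliers = [supplier.name for supplier in frappe.get_list("Supplier")] \`. Both `frappe.get_list` calls in that branch are also issued without `limit_page_length`, so they return only the default page of records (20 unless the Frappe default has been changed) and documents of every customer or supplier beyond that page are silently hidden; if the intent is "no restriction" for users who can read `doctype`, signalling that to the caller would be cleaner than enumerating the whole master table, and failing that pass `limit_page_length=0` if the Frappe version in use treats it as no limit. Note that `has_permission` is evaluated for `user` while the two `frappe.get_list` calls pass no `user=` and so run under the session user's permissions; a comment such as `# assumes user is the session user, otherwise the permission checks disagree` would make that assumption explicit. Finally, `customers`/`suppliers` start as `[]` but every branch assigns `None` when the doctype lacks the field, so a user matching neither branch gets `[]` where the other paths would yield `None` — presumably harmless since both are falsy, but worth one line saying which value callers may rely on.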