[hotfix] fixed Not Permitted issue for System user while accessing documents on portal (#10725)

* [hotfix] dont allow guest user to list the invoices or orders * [hotfix] fixed Not Permitted issue for System user while accessing documents on portal * [codecy] removed trailing whitespace * [fixes] added filters for supplier in RFQ and other minor fixes
2017-09-10 12:04:28 +05:30 · 2017-09-10 12:04:28 +05:30 · 80b2ba2b9a
commit 80b2ba2b9a
parent 197901108e
3 changed files with 36 additions and 17 deletions
--- a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.js
+++ b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.js
@ -13,10 +13,10 @@ frappe.ui.form.on("Request for Quotation",{
 		}

 		frm.fields_dict["suppliers"].grid.get_field("contact").get_query = function(doc, cdt, cdn) {
-			var d =locals[cdt][cdn];
+			let d = locals[cdt][cdn];
 			return {
 				query: "erpnext.buying.doctype.request_for_quotation.request_for_quotation.get_supplier_contacts",
-				filters: {'supplier': doc.supplier}
+				filters: {'supplier': d.supplier}
 			}
 		}
 	},
--- a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
@ -206,7 +206,7 @@ def get_list_context(context=None):
 def get_supplier_contacts(doctype, txt, searchfield, start, page_len, filters):
 	return frappe.db.sql("""select `tabContact`.name from `tabContact`, `tabDynamic Link`
 		where `tabDynamic Link`.link_doctype = 'Supplier' and (`tabDynamic Link`.link_name=%(name)s
-		or `tabDynamic Link`.link_name like %(txt)s) and `tabContact`.name = `tabDynamic Link`.parent
+		and `tabDynamic Link`.link_name like %(txt)s) and `tabContact`.name = `tabDynamic Link`.parent
 		limit %(start)s, %(page_len)s""", {"start": start, "page_len":page_len, "txt": "%%%s%%" % txt, "name": filters.get('supplier')})

 # This method is used to make supplier quotation from material request form.
--- a/erpnext/controllers/website_list_for_contact.py
+++ b/erpnext/controllers/website_list_for_contact.py
@ -5,7 +5,7 @@ from __future__ import unicode_literals
 import json
 import frappe
 from frappe import _
-from frappe.utils import flt
+from frappe.utils import flt, has_common
 from frappe.utils.user import is_website_user

 def get_list_context(context=None):
@ -55,14 +55,16 @@ def get_transaction_list(doctype, txt=None, filters=None, limit_start=0, limit_p
 	return post_process(doctype, get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_length,
 		fields="name", order_by="modified desc"))

-def get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_length=20, ignore_permissions=False,fields=None, order_by=None):
+def get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_length=20,
+	ignore_permissions=False,fields=None, order_by=None):
+	""" Get List of transactions like Invoices, Orders """
 	from frappe.www.list import get_list
 	meta = frappe.get_meta(doctype)
 	data = []
 	or_filters = []

 	for d in get_list(doctype, txt, filters=filters, fields="name", limit_start=limit_start,
-		limit_page_length=limit_page_length, ignore_permissions=True, order_by="modified desc"):
+		limit_page_length=limit_page_length, ignore_permissions=ignore_permissions, order_by="modified desc"):
 		data.append(d)

 	if txt:
@ -74,9 +76,9 @@ def get_list_for_transactions(doctype, txt, filters, limit_start, limit_page_len
 					or_filters.append([doctype, "name", "=", child.parent])

 	if or_filters:
-		for r in frappe.get_list(doctype, fields=fields,filters=filters, or_filters=or_filters, limit_start=limit_start,
-			limit_page_length=limit_page_length, ignore_permissions=ignore_permissions,
-			order_by=order_by):
+		for r in frappe.get_list(doctype, fields=fields,filters=filters, or_filters=or_filters,
+			limit_start=limit_start, limit_page_length=limit_page_length, 
+			ignore_permissions=ignore_permissions, order_by=order_by):
 			data.append(r)

 	return data
@ -124,13 +126,30 @@ def post_process(doctype, data):
 	return result

 def get_customers_suppliers(doctype, user):
+	customers = []
+	suppliers = []
 	meta = frappe.get_meta(doctype)
-	contacts = frappe.db.sql(""" select  `tabContact`.email_id, `tabDynamic Link`.link_doctype, `tabDynamic Link`.link_name
-		from `tabContact`, `tabDynamic Link` where
-			`tabContact`.name = `tabDynamic Link`.parent and `tabContact`.email_id =%s """, user, as_dict=1)

-	customers = [c.link_name for c in contacts if c.link_doctype == 'Customer'] if meta.get_field("customer") else None
-	suppliers = [c.link_name for c in contacts if c.link_doctype == 'Supplier'] if meta.get_field("supplier") else None
+	if has_common(["Supplier", "Customer"], frappe.get_roles(user)):
+		contacts = frappe.db.sql("""
+			select 
+				`tabContact`.email_id,
+				`tabDynamic Link`.link_doctype,
+				`tabDynamic Link`.link_name
+			from 
+				`tabContact`, `tabDynamic Link`
+			where
+				`tabContact`.name=`tabDynamic Link`.parent and `tabContact`.email_id =%s
+			""", user, as_dict=1)
+		customers = [c.link_name for c in contacts if c.link_doctype == 'Customer'] \
+			if meta.get_field("customer") else None
+		suppliers = [c.link_name for c in contacts if c.link_doctype == 'Supplier'] \
+			if meta.get_field("supplier") else None
+	elif frappe.has_permission(doctype, 'read', user=user):
+		customers = [customer.name for customer in frappe.get_list("Customer")] \
+			if meta.get_field("customer") else None
+		suppliers = [supplier.name for supplier in frappe.get_list("Customer")] \
+			if meta.get_field("supplier") else None

 	return customers, suppliers