From c8d632ddff37893216be4c795ce415f16269b958 Mon Sep 17 00:00:00 2001 From: Zlash65 Date: Tue, 22 Jan 2019 12:46:13 +0530 Subject: [PATCH 1/5] fix: add set query for payroll entry in JV --- .../doctype/journal_entry/journal_entry.js | 7 +++++++ erpnext/hr/doctype/payroll_entry/payroll_entry.py | 14 ++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/erpnext/accounts/doctype/journal_entry/journal_entry.js b/erpnext/accounts/doctype/journal_entry/journal_entry.js index 60c974f262..a37e7a03e0 100644 --- a/erpnext/accounts/doctype/journal_entry/journal_entry.js +++ b/erpnext/accounts/doctype/journal_entry/journal_entry.js @@ -145,6 +145,13 @@ erpnext.accounts.JournalEntry = frappe.ui.form.Controller.extend({ }; } + // payroll entry + if(jvd.reference_type==="Payroll Entry") { + return { + query: "erpnext.hr.doctype.payroll_entry.payroll_entry.get_payroll_entries_for_jv", + }; + } + var out = { filters: [ [jvd.reference_type, "docstatus", "=", 1] diff --git a/erpnext/hr/doctype/payroll_entry/payroll_entry.py b/erpnext/hr/doctype/payroll_entry/payroll_entry.py index c9d6290f26..0f2e5f4fa1 100644 --- a/erpnext/hr/doctype/payroll_entry/payroll_entry.py +++ b/erpnext/hr/doctype/payroll_entry/payroll_entry.py @@ -525,3 +525,17 @@ def payroll_entry_has_bank_entries(name): response['submitted'] = 1 if bank_entries else 0 return response + +def get_payroll_entries_for_jv(doctype, txt, searchfield, start, page_len, filters): + print(doctype) + return frappe.db.sql(""" + select name from `tabPayroll Entry` + where `{key}` LIKE %(txt)s + and name not in + (select reference_name from `tabJournal Entry Account` + where reference_type="Payroll Entry") + order by name limit %(start)s, %(page_len)s""" + .format(key=searchfield), { + 'txt': "%%%s%%" % frappe.db.escape(txt), + 'start': start, 'page_len': page_len + }) From 270c4c2a87716b82cd8894fdcd536217b560e893 Mon Sep 17 00:00:00 2001 
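Review bot: `searchfield` is interpolated straight into the SQL via `.format(key=searchfield)` in `get_payroll_entries_for_jv`, and wrapping it in backticks does not make that safe — this argument arrives from the client's link search, and a column name cannot be a bound parameter, so it should be checked against an allow-list of Payroll Entry columns (e.g. `frappe.get_meta("Payroll Entry").get_valid_columns()`, falling back to `name`) before it is formatted in. Separately, `frappe.db.escape(txt)` is applied to a value that is already bound as `%(txt)s`, so quotes and backslashes are escaped twice (and, depending on the frappe version, surrounding quotes may be added), which makes searches containing those characters silently miss; pass `"%%%s%%" % txt` and let the driver escape it. The function also lacks the `@frappe.whitelist()` decorator that sibling link-query helpers carry, which the client-side `query:` path may require in this frappe version — worth confirming. The rewritten lines are sketched below.
```python
@frappe.whitelist()
def get_payroll_entries_for_jv(doctype, txt, searchfield, start, page_len, filters):
	# A column name cannot be a bound parameter, so allow-list the client-supplied one.
	if searchfield not in frappe.get_meta("Payroll Entry").get_valid_columns():
		searchfield = "name"
	# … unchanged: frappe.db.sql("""select name from `tabPayroll Entry` where `{key}` LIKE %(txt)s …""".format(key=searchfield), {
	'txt': "%%%s%%" % txt,  # already a bound parameter: no frappe.db.escape() on top, which double-escapes
	# … unchanged: 'start': start, 'page_len': page_len }) …
```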
From: Zlash65 Date: Tue, 22 Jan 2019 12:47:25 +0530 Subject: [PATCH 2/5] fix: push party filter only if applicable --- .../accounts/doctype/journal_entry/journal_entry.js | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/erpnext/accounts/doctype/journal_entry/journal_entry.js b/erpnext/accounts/doctype/journal_entry/journal_entry.js index a37e7a03e0..c0a9a965e2 100644 --- a/erpnext/accounts/doctype/journal_entry/journal_entry.js +++ b/erpnext/accounts/doctype/journal_entry/journal_entry.js @@ -175,9 +175,15 @@ erpnext.accounts.JournalEntry = frappe.ui.form.Controller.extend({ out.filters.push([jvd.reference_type, "per_billed", "<", 100]); } - if(jvd.party_type && jvd.party) { - out.filters.push([jvd.reference_type, - (jvd.reference_type.indexOf("Sales")===0 ? "customer" : "supplier"), "=", jvd.party]); + var party_field = ""; + if(jvd.reference_type.indexOf("Sales")===0) { + var party_field = "customer"; + } else if (jvd.reference_type.indexOf("Purchase")===0) { + var party_field = "supplier"; + } + + if (party_field) { + out.filters.push([jvd.reference_type, party_field, "=", jvd.party]); } return out; From 141c543f9765b11df09fef4e57157b2aae5fd172 Mon Sep 17 00:00:00 2001 From: Nabin Hait Date: Wed, 23 Jan 2019 12:14:55 +0530 Subject: [PATCH 3/5] Update journal_entry.js --- .../doctype/journal_entry/journal_entry.js | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/erpnext/accounts/doctype/journal_entry/journal_entry.js b/erpnext/accounts/doctype/journal_entry/journal_entry.js index c0a9a965e2..0aa62d510c 100644 --- a/erpnext/accounts/doctype/journal_entry/journal_entry.js +++ b/erpnext/accounts/doctype/journal_entry/journal_entry.js 
@@ -174,16 +174,18 @@ erpnext.accounts.JournalEntry = frappe.ui.form.Controller.extend({ out.filters.push([jvd.reference_type, "per_billed", "<", 100]); } + + if(jvd.party_type && jvd.party) { + var party_field = ""; + if(jvd.reference_type.indexOf("Sales")===0) { + var party_field = "customer"; + } else if (jvd.reference_type.indexOf("Purchase")===0) { + var party_field = "supplier"; + } - var party_field = ""; - if(jvd.reference_type.indexOf("Sales")===0) { - var party_field = "customer"; - } else if (jvd.reference_type.indexOf("Purchase")===0) { - var party_field = "supplier"; - } - - if (party_field) { - out.filters.push([jvd.reference_type, party_field, "=", jvd.party]); + if (party_field) { + out.filters.push([jvd.reference_type, party_field, "=", jvd.party]); + } } return out; From 06607fda4e4d5a55c8107e30de5568d7d522e8fa Mon Sep 17 00:00:00 2001 From: Nabin Hait Date: Wed, 23 Jan 2019 12:15:48 +0530 Subject: [PATCH 4/5] fix: removed print statement --- erpnext/hr/doctype/payroll_entry/payroll_entry.py | 1 - 1 file changed, 1 deletion(-) diff --git a/erpnext/hr/doctype/payroll_entry/payroll_entry.py b/erpnext/hr/doctype/payroll_entry/payroll_entry.py index 0f2e5f4fa1..734509592f 100644 --- a/erpnext/hr/doctype/payroll_entry/payroll_entry.py +++ b/erpnext/hr/doctype/payroll_entry/payroll_entry.py @@ -527,7 +527,6 @@ def payroll_entry_has_bank_entries(name): return response def get_payroll_entries_for_jv(doctype, txt, searchfield, start, page_len, filters): - print(doctype) return frappe.db.sql(""" select name from `tabPayroll Entry` where `{key}` LIKE %(txt)s From 9acb885e60f77cd4e9ea8c98bdc39c18abcac731 Mon Sep 17 00:00:00 2001 From: Aditya Hase Date: Tue, 29 Jan 2019 10:52:37 +0530 Subject: [PATCH 5/5] fix(sqli): Avoid SQL Injection with sender param (#16509) --- erpnext/templates/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/erpnext/templates/utils.py b/erpnext/templates/utils.py index eb84bcc8d8..8e14c067f1 100644 
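Review bot: The two branches re-declare `var party_field` right after the `var party_field = "";` initialiser, which only works because `var` is function-scoped and hoisted, and reads as three separate variables; assign without the keyword, `party_field = "customer";` and `party_field = "supplier";`, keeping the single declaration at the top of the `if(jvd.party_type && jvd.party)` block. The enclosing get-query callback starts and ends outside this hunk, so the origin of `out` and `jvd` is taken on trust here.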
--- a/erpnext/templates/utils.py +++ b/erpnext/templates/utils.py @@ -16,7 +16,7 @@ def send_message(subject="Website Query", message="", sender="", status="Open"): customer = frappe.db.sql("""select distinct dl.link_name from `tabDynamic Link` dl left join `tabContact` c on dl.parent=c.name where dl.link_doctype='Customer' - and c.email_id='{email_id}'""".format(email_id=sender)) + and c.email_id = %s""", sender) if not customer: lead = frappe.db.get_value('Lead', dict(email_id=sender))
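Review bot: With `c.email_id = %s` now bound as a parameter, the default `sender=""` still reaches the database and would match any Contact whose `email_id` is stored as an empty string rather than NULL (if that can occur in this schema); the old formatted query had the same behaviour, but since `sender` is untrusted website-form input this is the place to reject it before the lookup, e.g. `if not sender: frappe.throw("Sender email is required")`, or an email-format check such as `frappe.utils.validate_email_address(sender, throw=True)` if that helper exists in this frappe version. The `send_message` body starts and ends outside this hunk, so any other use of `sender` in string-built queries further down could not be checked here.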