[security] fixed

frappe/desk/form/load.py

@@ -96,8 +96,7 @@ def get_docinfo(doc=None, doctype=None, name=None):
		"communications": _get_communications(doc.doctype, doc.name),
		"assignments": get_assignments(doc.doctype, doc.name),
		"permissions": get_doc_permissions(doc),
		"shared": frappe.share.get_users(doc.doctype, doc.name,
			fields=["user", "read", "write", "share", "everyone"])
		"shared": frappe.share.get_users(doc.doctype, doc.name)
	}

def get_user_permissions(meta):

frappe/handler.py

@@ -27,7 +27,11 @@ def execute_cmd(cmd, from_async=False):
		cmd = hook
		break

	method = get_attr(cmd)
	try:
		method = get_attr(cmd)
	except:
		frappe.throw('Invalid method', frappe.NotFound)

	if from_async:
		method = method.queue

frappe/public/js/frappe/form/share.js

@@ -15,6 +15,7 @@ frappe.ui.form.Share = Class.extend({
		this.parent.empty();

		var shared = this.shared || this.frm.get_docinfo().shared;
		shared = shared.filter(function(d) { return d });
		var users = [];
		for (var i=0, l=shared.length; i < l; i++) {
			var s = shared[i];

frappe/share.py

@@ -83,12 +83,14 @@ def set_permission(doctype, name, user, permission_to, value=1, everyone=0):
	return share

@frappe.whitelist()
def get_users(doctype, name, fields="*"):
def get_users(doctype, name):
	"""Get list of users with which this document is shared"""
	if isinstance(fields, (tuple, list)):
		fields = "`{0}`".format("`, `".join(fields))

	return frappe.db.sql("select {0} from tabDocShare where share_doctype=%s and share_name=%s".format(fields),
	return frappe.db.sql("""select
			`name`, `user`, `read`, `write`, `share`, `everyone`
		from
			tabDocShare
		where
			share_doctype=%s and share_name=%s""",
		(doctype, name), as_dict=True)

def get_shared(doctype, user=None, rights=None):