
Commit 68e14d4

committed
[security] fixed
1 parent 7dbe38e commit 68e14d4


4 files changed

+14
-8
lines changed


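--- a/frappe/desk/form/load.py
+++ b/frappe/desk/form/load.py
@@ -96,8 +96,7 @@ def get_docinfo(doc=None, doctype=None, name=None):
 "communications": _get_communications(doc.doctype, doc.name),
 "assignments": get_assignments(doc.doctype, doc.name),
 "permissions": get_doc_permissions(doc),
-"shared": frappe.share.get_users(doc.doctype, doc.name,
-fields=["user", "read", "write", "share", "everyone"])
+"shared": frappe.share.get_users(doc.doctype, doc.name)
 }
 
 def get_user_permissions(meta):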

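--- a/frappe/handler.py
+++ b/frappe/handler.py
@@ -27,7 +27,11 @@ def execute_cmd(cmd, from_async=False):
 cmd = hook
 break
 
-method = get_attr(cmd)
+try:
+method = get_attr(cmd)
+except:
+frappe.throw('Invalid method', frappe.NotFound)
+
 if from_async:
 method = method.queue
 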
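Review bot: The bare `except:` wrapped around `get_attr(cmd)` on the new side catches everything, including SystemExit and KeyboardInterrupt, and turns any failure raised while resolving the target module — a syntax error, a missing dependency — into the same 'Invalid method' NotFound response, so genuine server faults are reported to the client as an unknown method and are harder to spot in logs. If get_attr resolves the dotted path by importing and then getattr, narrowing it to `except (ImportError, AttributeError):` keeps the NotFound for truly unknown methods while letting other errors surface normally; confirm what get_attr actually raises before narrowing. The rest of execute_cmd lies outside the hunk.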

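--- a/frappe/public/js/frappe/form/share.js
+++ b/frappe/public/js/frappe/form/share.js
@@ -15,6 +15,7 @@ frappe.ui.form.Share = Class.extend({
 this.parent.empty();
 
 var shared = this.shared || this.frm.get_docinfo().shared;
+shared = shared.filter(function(d) { return d });
 var users = [];
 for (var i=0, l=shared.length; i < l; i++) {
 var s = shared[i];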
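Review bot: The added `shared.filter(...)` line assumes `shared` is an array, but the line above falls back to `this.frm.get_docinfo().shared`, and if docinfo carries no `shared` entry that leaves `shared` undefined and `.filter` throws before the loop is reached. `shared = (shared || []).filter(function(d) { return d });` keeps the new falsy-entry filtering and degrades to an empty list instead. It is not clear from the hunk what produces the falsy entries being filtered out; a one-line comment stating their origin would help the next reader. The enclosing method continues outside the hunk.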

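--- a/frappe/share.py
+++ b/frappe/share.py
@@ -83,12 +83,14 @@ def set_permission(doctype, name, user, permission_to, value=1, everyone=0):
 return share
 
 @frappe.whitelist()
-def get_users(doctype, name, fields="*"):
+def get_users(doctype, name):
 """Get list of users with which this document is shared"""
-if isinstance(fields, (tuple, list)):
-fields = "`{0}`".format("`, `".join(fields))
-
-return frappe.db.sql("select {0} from tabDocShare where share_doctype=%s and share_name=%s".format(fields),
+return frappe.db.sql("""select
+`name`, `user`, `read`, `write`, `share`, `everyone`
+from
+tabDocShare
+where
+share_doctype=%s and share_name=%s""",
 (doctype, name), as_dict=True)
 
 def get_shared(doctype, user=None, rights=None):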
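Review bot: The new `get_users` body fixes the column list but nothing records why, and the docstring still reads as a plain lookup; a later maintainer could reintroduce a `fields` argument without realising the function is exposed through `@frappe.whitelist()` and that the removed argument was interpolated into the SQL string with `.format()` rather than bound as a parameter. A comment above the query such as `# Fixed column list on purpose: this method is whitelisted, so a caller-supplied field list would be interpolated straight into the SQL.` would preserve that intent. Separately, nothing visible in the hunk checks that the caller may read `doctype`/`name` before the share list is returned; if the whitelist decorator does not enforce that, a `frappe.has_permission(doctype, "read", name)` guard at the top of the body would be the natural place for it.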
