[security] fixed
rmehta committed Dec 21, 2016
1 parent 7dbe38e commit 68e14d4
Showing 4 changed files with 14 additions and 8 deletions.
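--- a/frappe/desk/form/load.py
+++ b/frappe/desk/form/load.py
@@ -96,8 +96,7 @@ def get_docinfo(doc=None, doctype=None, name=None):
 "communications": _get_communications(doc.doctype, doc.name),
 "assignments": get_assignments(doc.doctype, doc.name),
 "permissions": get_doc_permissions(doc),
-"shared": frappe.share.get_users(doc.doctype, doc.name,
-fields=["user", "read", "write", "share", "everyone"])
+"shared": frappe.share.get_users(doc.doctype, doc.name)
 }
 
 def get_user_permissions(meta):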
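--- a/frappe/handler.py
+++ b/frappe/handler.py
@@ -27,7 +27,11 @@ def execute_cmd(cmd, from_async=False):
 cmd = hook
 break
 
-method = get_attr(cmd)
+try:
+method = get_attr(cmd)
+except:
+frappe.throw('Invalid method', frappe.NotFound)
+
 if from_async:
 method = method.queue
 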
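Review bot: The bare `except:` around `get_attr(cmd)` reports every failure as 'Invalid method', including a genuine error raised while the target module is being imported, and it also catches `KeyboardInterrupt` and `SystemExit`. Returning a uniform not-found response for an unresolvable `cmd` is a sound choice because no traceback reaches the caller, but the handler should be `except Exception:` (or the specific exceptions `get_attr` raises, which are not visible in this hunk) and should log the original error server-side, so that requests for nonexistent methods can be told apart from broken modules. `cmd` is resolved here before any allowlist check visible in the hunk; `execute_cmd` continues outside it, so if the whitelist test comes later, a comment stating that the ordering is deliberate would help the next reader.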
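--- a/frappe/public/js/frappe/form/share.js
+++ b/frappe/public/js/frappe/form/share.js
@@ -15,6 +15,7 @@ frappe.ui.form.Share = Class.extend({
 this.parent.empty();
 
 var shared = this.shared || this.frm.get_docinfo().shared;
+shared = shared.filter(function(d) { return d });
 var users = [];
 for (var i=0, l=shared.length; i < l; i++) {
 var s = shared[i];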
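Review bot: The added `filter` silently drops empty entries from `shared` without saying where they come from, so a reader cannot tell whether it masks nulls in the server response or a client-side placeholder. A one-line comment such as `// drop empty entries left in docinfo.shared` (wording to be confirmed by the author) would record the intent. If `this.shared` and `get_docinfo().shared` can both be undefined, `.filter` will throw; `shared = (shared || []).filter(Boolean);` covers that case. The enclosing method starts and ends outside the hunk.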
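--- a/frappe/share.py
+++ b/frappe/share.py
@@ -83,12 +83,14 @@ def set_permission(doctype, name, user, permission_to, value=1, everyone=0):
 return share
 
 @frappe.whitelist()
-def get_users(doctype, name, fields="*"):
+def get_users(doctype, name):
 """Get list of users with which this document is shared"""
-if isinstance(fields, (tuple, list)):
-fields = "`{0}`".format("`, `".join(fields))
-
-return frappe.db.sql("select {0} from tabDocShare where share_doctype=%s and share_name=%s".format(fields),
+return frappe.db.sql("""select
+`name`, `user`, `read`, `write`, `share`, `everyone`
+from
+tabDocShare
+where
+share_doctype=%s and share_name=%s""",
 (doctype, name), as_dict=True)
 
 def get_shared(doctype, user=None, rights=None):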
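Review bot: `get_users` stays `@frappe.whitelist()` and takes `doctype` and `name` from the request, yet nothing in the hunk checks that the caller may read that document, so any authenticated user could presumably list who a document is shared with and at what level. The fixed column list and the bound `%s` parameters are the right shape for the query itself. A guard before the query, e.g. `if not frappe.has_permission(doctype, "read", doc=name): raise frappe.PermissionError`, would cover the access-control side, unless a check exists elsewhere that this page does not show. Dropping the `fields` parameter also makes any other caller that still passes `fields=` fail with a `TypeError`; only the call in `frappe/desk/form/load.py` is updated in this commit.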
