[security] fixed

Author: rmehta

frappe/desk/form/load.py

@@ -96,8 +96,7 @@ def get_docinfo(doc=None, doctype=None, name=None):
 		"communications": _get_communications(doc.doctype, doc.name),
 		"assignments": get_assignments(doc.doctype, doc.name),
 		"permissions": get_doc_permissions(doc),
-		"shared": frappe.share.get_users(doc.doctype, doc.name,
-			fields=["user", "read", "write", "share", "everyone"])
+		"shared": frappe.share.get_users(doc.doctype, doc.name)
 	}
 
 def get_user_permissions(meta):

frappe/handler.py

@@ -27,7 +27,11 @@ def execute_cmd(cmd, from_async=False):
 		cmd = hook
 		break
 
-	method = get_attr(cmd)
+	try:
+		method = get_attr(cmd)
+	except:
+		frappe.throw('Invalid method', frappe.NotFound)
+
 	if from_async:
 		method = method.queue
 

frappe/public/js/frappe/form/share.js

@@ -15,6 +15,7 @@ frappe.ui.form.Share = Class.extend({
 		this.parent.empty();
 
 		var shared = this.shared || this.frm.get_docinfo().shared;
+		shared = shared.filter(function(d) { return d });
 		var users = [];
 		for (var i=0, l=shared.length; i < l; i++) {
 			var s = shared[i];

frappe/share.py

@@ -83,12 +83,14 @@ def set_permission(doctype, name, user, permission_to, value=1, everyone=0):
 	return share
 
 @frappe.whitelist()
-def get_users(doctype, name, fields="*"):
+def get_users(doctype, name):
 	"""Get list of users with which this document is shared"""
-	if isinstance(fields, (tuple, list)):
-		fields = "`{0}`".format("`, `".join(fields))
-
-	return frappe.db.sql("select {0} from tabDocShare where share_doctype=%s and share_name=%s".format(fields),
+	return frappe.db.sql("""select
+			`name`, `user`, `read`, `write`, `share`, `everyone`
+		from
+			tabDocShare
+		where
+			share_doctype=%s and share_name=%s""",
 		(doctype, name), as_dict=True)
 
 def get_shared(doctype, user=None, rights=None):