
[security] fixed

rmehta committed Dec 21, 2016
1 parent 7dbe38e commit 68e14d40c2d496173d8e687e2e80b4637db9d83b
Showing with 14 additions and 8 deletions.
  1. +1 −2 frappe/desk/form/load.py
  2. +5 −1 frappe/handler.py
  3. +1 −0 frappe/public/js/frappe/form/share.js
  4. +7 −5 frappe/share.py
@@ -96,8 +96,7 @@ def get_docinfo(doc=None, doctype=None, name=None):
"communications": _get_communications(doc.doctype, doc.name),
"assignments": get_assignments(doc.doctype, doc.name),
"permissions": get_doc_permissions(doc),
"shared": frappe.share.get_users(doc.doctype, doc.name,
fields=["user", "read", "write", "share", "everyone"])
"shared": frappe.share.get_users(doc.doctype, doc.name)
}
def get_user_permissions(meta):
@@ -27,7 +27,11 @@ def execute_cmd(cmd, from_async=False):
cmd = hook
break
method = get_attr(cmd)
try:
method = get_attr(cmd)
except:
frappe.throw('Invalid method', frappe.NotFound)
if from_async:
method = method.queue
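Review bot: The bare `except:` around `get_attr(cmd)` catches `KeyboardInterrupt` and `SystemExit` as well as any genuine failure raised while the target is being resolved, and reports all of them as 'Invalid method'. Narrowing it to `except Exception:` and logging the original exception server-side before `frappe.throw('Invalid method', frappe.NotFound)` keeps the generic response for the client without discarding the diagnostic. `cmd` appears to be request-supplied and no whitelist check is visible before this lookup; execute_cmd continues outside the hunk, so confirm that the check follows there.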
@@ -15,6 +15,7 @@ frappe.ui.form.Share = Class.extend({
this.parent.empty();
var shared = this.shared || this.frm.get_docinfo().shared;
shared = shared.filter(function(d) { return d });
var users = [];
for (var i=0, l=shared.length; i < l; i++) {
var s = shared[i];
@@ -83,12 +83,14 @@ def set_permission(doctype, name, user, permission_to, value=1, everyone=0):
return share
@frappe.whitelist()
def get_users(doctype, name, fields="*"):
def get_users(doctype, name):
"""Get list of users with which this document is shared"""
if isinstance(fields, (tuple, list)):
fields = "`{0}`".format("`, `".join(fields))
return frappe.db.sql("select {0} from tabDocShare where share_doctype=%s and share_name=%s".format(fields),
return frappe.db.sql("""select
`name`, `user`, `read`, `write`, `share`, `everyone`
from
tabDocShare
where
share_doctype=%s and share_name=%s""",
(doctype, name), as_dict=True)
def get_shared(doctype, user=None, rights=None):
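Review bot: The rewritten `get_users` is still exposed through `@frappe.whitelist()`, and its new body returns the sharing rows for whatever `doctype`/`name` the caller passes with no permission check on that document visible in it. Hard-coding the column list closes the string-formatted `fields` path, but unless the framework enforces access elsewhere, the function should verify read access first, for example `if not frappe.has_permission(doctype, "read", name): frappe.throw(<message>, frappe.PermissionError)`. Dropping the `fields` parameter also changes the signature, so any caller outside this commit that still passes `fields=` will now raise a `TypeError`; worth a grep and a regression test that a crafted `fields` value is rejected.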
