fix: Check permission_type in get_permitted_fieldnames [v14] #20905

gavindsouza · 2023-05-05T05:52:58Z

Backport of #20810

Added check for system setting `apply_perm_level_on_api_calls` on this change

gavindsouza · 2023-05-05T06:00:22Z

Additional change: frappe.get_system_settings("apply_perm_level_on_api_calls") while resolving permitted fields in reportview

* fix: Dont assume user & permission_type in get_permitted_fileds * fix: Allow only search fields for select permission type * test: Add check for permitted fields with select perm * fix: Setup permission_map & use get_permitted_fields * fix: Pass current dt as fallback parent_doctype * fix(reportview): Use get_permitted_fields for resource API Added check for system setting `apply_perm_level_on_api_calls` on this change * test: Enable permlevel restrictions to test select query (cherry picked from commit 707e485) # Conflicts: # frappe/desk/reportview.py # frappe/model/__init__.py # frappe/model/db_query.py # frappe/tests/test_permissions.py

…#20905) (#20955) * fix: Check permission_type in get_permitted_fieldnames [v14] (#20905) * fix: Dont assume user & permission_type in get_permitted_fileds * fix: Allow only search fields for select permission type * test: Add check for permitted fields with select perm * fix: Setup permission_map & use get_permitted_fields * fix: Pass current dt as fallback parent_doctype * fix(reportview): Use get_permitted_fields for resource API Added check for system setting `apply_perm_level_on_api_calls` on this change * test: Enable permlevel restrictions to test select query (cherry picked from commit 707e485) # Conflicts: # frappe/desk/reportview.py # frappe/model/__init__.py # frappe/model/db_query.py # frappe/tests/test_permissions.py * fix: Resolve conflicts * Fixed imports * Compatible typing * Revert permission_map * fix(db_query): Remove parent_doctype usage * test: assertSequenceSubset util doesnt exist --------- Co-authored-by: gavin <gavin18d@gmail.com>

## [14.36.1](v14.36.0...v14.36.1) (2023-05-16) ### Bug Fixes * avoid internal arrays in get_all_docs (backport [#20950](#20950)) ([#20959](#20959)) ([44ea1a3](44ea1a3)) * call make_columns before update_order (backport [#20710](#20710)) ([#20964](#20964)) ([fb01789](fb01789)) * Check permission_type in get_permitted_fieldnames [v14] ([#20905](#20905)) ([707e485](707e485)) * colwidth should be acceptable ([58d0018](58d0018)) * do not consider time while formating date range value ([76f1b2c](76f1b2c)) * don't use default filters for auto-email report ([#20876](#20876)) ([1c97472](1c97472)) * email: get unsub email: use `cstr` instead of `encode` ([#20985](#20985)) ([f44bcf6](f44bcf6)) * filters while exporting or creating new auto email reports for custom reports (backport [#20960](#20960)) ([#21021](#21021)) ([4de6990](4de6990)) * limit RQ job refresh to list view only ([00215d7](00215d7)) * maintain frappe.router.current_router ([7c98b14](7c98b14)) * naming part should be empty if field is empty ([#20978](#20978)) ([#20982](#20982)) ([58a5a0f](58a5a0f)) * process filters for prepared_report while making and getting prepared report missed in ([#19565](#19565)) ([#20981](#20981)) ([b857eab](b857eab)) * Remove unnecessary request from boot ([e9dab33](e9dab33)) * remove unwanted imports ([6b350dd](6b350dd)) * report print view not working ([#21002](#21002)) ([#21004](#21004)) ([4028b5c](4028b5c)) * Request on "/login" instead of "/" ([337b149](337b149)) * Resolve conflicts ([11dfadc](11dfadc)) * unable to access url file from the timeline section ([#20836](#20836)) ([573c6ad](573c6ad)) * use sentinel value for checking existence of key in doc while parsing naming series ([#20994](#20994)) ([#20995](#20995)) ([785e52b](785e52b)) * **UX:** Show alert instead msgprint ([#21016](#21016)) ([#21017](#21017)) ([91f957b](91f957b)) * **UX:** sort modules on user doctype ([#20998](#20998)) ([#20999](#20999)) ([89c00d2](89c00d2)) * validate email on setup wizard (backport [#20979](#20979)) ([#20987](#20987)) ([3bcf450](3bcf450)), closes [#19601](#19601) ### Performance Improvements * Faster scheduled job deduplication (backport [#20937](#20937)) ([#20949](#20949)) ([60f118e](60f118e))

frappe-pr-bot · 2023-05-16T13:55:13Z

🎉 This PR is included in version 14.36.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

## [13.56.3](v13.56.2...v13.56.3) (2023-05-16) ### Bug Fixes * avoid internal arrays in get_all_docs (backport [#20950](#20950)) ([#20958](#20958)) ([43b051f](43b051f)) * Check permission_type in get_permitted_fieldnames [v13] (backport [#20905](#20905)) ([#20955](#20955)) ([ea6d350](ea6d350)) * don't use default filters for auto-email report ([#20876](#20876)) ([7d7500f](7d7500f)) * filters while exporting or creating new auto email reports for custom reports (backport [#20960](#20960)) ([#21020](#21020)) ([723ec9a](723ec9a)) * report print view not working ([#21002](#21002)) ([#21003](#21003)) ([ca73d72](ca73d72))

gavindsouza added 5 commits May 5, 2023 11:16

fix: Dont assume user & permission_type in get_permitted_fileds

c4b8aa6

fix: Allow only search fields for select permission type

7d9ad24

test: Add check for permitted fields with select perm

f905436

fix: Setup permission_map & use get_permitted_fields

36347ec

fix: Pass current dt as fallback parent_doctype

c41e621

gavindsouza requested review from a team and phot0n and removed request for a team May 5, 2023 05:52

fix(reportview): Use get_permitted_fields for resource API

caac777

Added check for system setting `apply_perm_level_on_api_calls` on this change

gavindsouza force-pushed the fix-20689-v14 branch from fb6c2d6 to caac777 Compare May 5, 2023 05:55

gavindsouza added the backport version-13-hotfix label May 5, 2023

gavindsouza added the tests-failing Automated tests are failing. Please resolve if it is due to the changes in current PR. label May 5, 2023

test: Enable permlevel restrictions to test select query

006f8b1

gavindsouza removed the tests-failing Automated tests are failing. Please resolve if it is due to the changes in current PR. label May 6, 2023

surajshetty3416 assigned ankush May 9, 2023

ankush approved these changes May 10, 2023

View reviewed changes

ankush merged commit 707e485 into frappe:version-14-hotfix May 10, 2023

mergify bot mentioned this pull request May 10, 2023

fix: Check permission_type in get_permitted_fieldnames [v13] (backport #20905) #20955

Merged

frappe-pr-bot added the released label May 16, 2023

github-actions bot locked as resolved and limited conversation to collaborators May 31, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Check permission_type in get_permitted_fieldnames [v14] #20905

fix: Check permission_type in get_permitted_fieldnames [v14] #20905

gavindsouza commented May 5, 2023

gavindsouza commented May 5, 2023

frappe-pr-bot commented May 16, 2023

fix: Check permission_type in get_permitted_fieldnames [v14] #20905

fix: Check permission_type in get_permitted_fieldnames [v14] #20905

Conversation

gavindsouza commented May 5, 2023

gavindsouza commented May 5, 2023

frappe-pr-bot commented May 16, 2023