From d6c6af46905610b09e27f63a675385317c76bd7a Mon Sep 17 00:00:00 2001
From: Shariq Ansari
Date: Tue, 8 Apr 2025 15:28:19 +0530
Subject: [PATCH] fix: check read access before loading data
(cherry picked from commit e92ee3b730df73017aa409cbdbce23eed7e9defd)
---
 crm/api/contact.py | 6 +++---
 crm/fcrm/doctype/crm_deal/api.py | 5 ++++-
 crm/fcrm/doctype/crm_lead/api.py | 5 ++++-
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/crm/api/contact.py b/crm/api/contact.py
index 6cab9c10..b8d8f578 100644
--- a/crm/api/contact.py
+++ b/crm/api/contact.py
@@ -23,11 +23,11 @@ def update_deals_email_mobile_no(doc):
 @frappe.whitelist()
 def get_contact(name):
- Contact = frappe.qb.DocType("Contact")
+ contact = frappe.get_doc("Contact", name)
+ contact.check_permission("read")
- query = frappe.qb.from_(Contact).select("*").where(Contact.name == name).limit(1)
+ contact = contact.as_dict()
- contact = query.run(as_dict=True)
 if not len(contact):
 frappe.throw(_("Contact not found"), frappe.DoesNotExistError)
 contact = contact.pop()
diff --git a/crm/fcrm/doctype/crm_deal/api.py b/crm/fcrm/doctype/crm_deal/api.py
index 9b5ee368..5eaf2899 100644
--- a/crm/fcrm/doctype/crm_deal/api.py
+++ b/crm/fcrm/doctype/crm_deal/api.py
@@ -6,7 +6,10 @@ from crm.fcrm.doctype.crm_form_script.crm_form_script import get_form_script
 @frappe.whitelist()
 def get_deal(name):
- deal = frappe.get_doc("CRM Deal", name).as_dict()
+ deal = frappe.get_doc("CRM Deal", name)
+ deal.check_permission("read")
+
+ deal = deal.as_dict()
 deal["fields_meta"] = get_fields_meta("CRM Deal")
 deal["_form_script"] = get_form_script("CRM Deal")
diff --git a/crm/fcrm/doctype/crm_lead/api.py b/crm/fcrm/doctype/crm_lead/api.py
index 613cbb46..77e4fc58 100644
--- a/crm/fcrm/doctype/crm_lead/api.py
+++ b/crm/fcrm/doctype/crm_lead/api.py
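Review bot: In `get_contact` (crm/api/contact.py) the unchanged lines after the new `contact = contact.as_dict()` still treat `contact` as the list that `query.run(as_dict=True)` used to return. With a single document dict, `len(contact)` counts keys, so the "Contact not found" branch can no longer fire, and `contact = contact.pop()` calls `pop` with no key, which raises `TypeError` if `as_dict()` returns a dict subclass, as it does in Frappe. I would drop the `if not len(contact):`, `frappe.throw(...)` and `contact = contact.pop()` lines, since `frappe.get_doc` already raises when the name does not exist. The rest of the function lies outside the hunk, so confirm that nothing below depends on the popped value.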
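Review bot: The new `deal.check_permission("read")` in `get_deal` (crm/fcrm/doctype/crm_deal/api.py) is a document-level check, and the `deal.as_dict()` that follows still serializes every field, including any that the caller's role may not read at field level. Whether CRM Deal defines such permlevel fields is not visible here, but if it does, call `deal.apply_fieldlevel_read_permissions()` between the check and `as_dict()`. The same applies to `get_lead` in crm/fcrm/doctype/crm_lead/api.py and to `get_contact` in crm/api/contact.py. A comment such as `# whitelisted endpoint: enforce read permission before serializing` above the check would help keep it from being refactored away.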
@@ -6,7 +6,10 @@ from crm.fcrm.doctype.crm_form_script.crm_form_script import get_form_script
 @frappe.whitelist()
 def get_lead(name):
- lead = frappe.get_doc("CRM Lead", name).as_dict()
+ lead = frappe.get_doc("CRM Lead", name)
+ lead.check_permission("read")
+
+ lead = lead.as_dict()
 lead["fields_meta"] = get_fields_meta("CRM Lead")
 lead["_form_script"] = get_form_script("CRM Lead")