def get_link_options(web_form_name, doctype, allow_read_on_all_link_options=False): web_form_doc = dataent.get_doc("Web Form", web_form_name) doctype_validated = False limited_to_user = False if web_form_doc.login_required: # check if dataent session user is not guest or admin if dataent.session.user != 'Guest': doctype_validated = True if not allow_read_on_all_link_options: limited_to_user = True else: for field in web_form_doc.web_form_fields: if field.options == doctype: doctype_validated = True break if doctype_validated: link_options = [] if limited_to_user: link_options = "\n".join([ doc.name for doc in dataent.get_all( doctype, filters={"owner": dataent.session.user}) ]) else: link_options = "\n".join( [doc.name for doc in dataent.get_all(doctype)]) return link_options else: raise dataent.PermissionError('Not Allowed, {0}'.format(doctype))
def delete(web_form_name, docname): web_form = dataent.get_doc("Web Form", web_form_name) owner = dataent.db.get_value(web_form.doc_type, docname, "owner") if dataent.session.user == owner and web_form.allow_delete: dataent.delete_doc(web_form.doc_type, docname, ignore_permissions=True) else: raise dataent.PermissionError("Not Allowed")
def append_table(self, table_name): self.tables.append(table_name) doctype = table_name[4:-1] if (not self.flags.ignore_permissions) and ( not dataent.has_permission(doctype)): dataent.flags.error_message = _( 'Insufficient Permission for {0}').format( dataent.bold(doctype)) raise dataent.PermissionError(doctype)
def is_whitelisted(method): # check if whitelisted if dataent.session['user'] == 'Guest': if (method not in dataent.guest_methods): dataent.msgprint(_("Not permitted")) raise dataent.PermissionError('Not Allowed, {0}'.format(method)) if method not in dataent.xss_safe_methods: # strictly sanitize form_dict # escapes html characters like <> except for predefined tags like a, b, ul etc. for key, value in dataent.form_dict.items(): if isinstance(value, string_types): dataent.form_dict[key] = dataent.utils.sanitize_html(value) else: if not method in dataent.whitelisted: dataent.msgprint(_("Not permitted")) raise dataent.PermissionError('Not Allowed, {0}'.format(method))
def validate_print_permission(doc): if dataent.form_dict.get("key"): if dataent.form_dict.key == doc.get_signature(): return for ptype in ("read", "print"): if (not dataent.has_permission(doc.doctype, ptype, doc) and not dataent.has_website_permission(doc)): raise dataent.PermissionError(_("No {0} permission").format(ptype))
def can_export(doctype, raise_exception=False): if not ("System Manager" in dataent.get_roles() or has_permission(doctype, "export")): if raise_exception: raise dataent.PermissionError( "You are not allowed to export: {doctype}".format( doctype=doctype)) else: return False return True
def get(name): """ Return the :term:`doclist` of the `Page` specified by `name` """ page = dataent.get_doc('Page', name) if page.is_permitted(): page.load_assets() docs = dataent._dict(page.as_dict()) if getattr(page, '_dynamic_page', None): docs['_dynamic_page'] = 1 return docs else: dataent.response['403'] = 1 raise dataent.PermissionError('No read permission for Page %s' % (page.title or name))
def get_list(doctype, *args, **kwargs): '''wrapper for DatabaseQuery''' kwargs.pop('cmd', None) kwargs.pop('ignore_permissions', None) # If doctype is child table if dataent.is_table(doctype): # Example dataent.db.get_list('Purchase Receipt Item', {'parent': 'Purchase Receipt'}) # Here purchase receipt is the parent doctype of the child doctype Purchase Receipt Item if not kwargs.get('parent'): dataent.flags.error_message = _( 'Parent is required to get child table data') raise dataent.PermissionError(doctype) check_parent_permission(kwargs.get('parent'), doctype) del kwargs['parent'] return DatabaseQuery(doctype).execute(None, *args, **kwargs)
def getdoc(doctype, name, user=None): """ Loads a doclist for a given document. This method is called directly from the client. Requries "doctype", "name" as form variables. Will also call the "onload" method on the document. """ if not (doctype and name): raise Exception('doctype and name required!') if not name: name = doctype if not dataent.db.exists(doctype, name): return [] try: doc = dataent.get_doc(doctype, name) run_onload(doc) if not doc.has_permission("read"): dataent.flags.error_message = _( 'Insufficient Permission for {0}').format( dataent.bold(doctype + ' ' + name)) raise dataent.PermissionError(("read", doctype, name)) doc.apply_fieldlevel_read_permissions() # add file list doc.add_viewed() get_docinfo(doc) except Exception: dataent.errprint(dataent.utils.get_traceback()) raise if doc and not name.startswith('_'): dataent.get_user().update_recent(doctype, name) doc.add_seen() dataent.response.docs.append(doc)
def delete_multiple(web_form_name, docnames): web_form = dataent.get_doc("Web Form", web_form_name) docnames = json.loads(docnames) allowed_docnames = [] restricted_docnames = [] for docname in docnames: owner = dataent.db.get_value(web_form.doc_type, docname, "owner") if dataent.session.user == owner and web_form.allow_delete: allowed_docnames.append(docname) else: restricted_docnames.append(docname) for docname in allowed_docnames: dataent.delete_doc(web_form.doc_type, docname, ignore_permissions=True) if restricted_docnames: raise dataent.PermissionError( "You do not have permisssion to delete " + ", ".join(restricted_docnames))
def execute(self, query=None, fields=None, filters=None, or_filters=None, docstatus=None, group_by=None, order_by=None, limit_start=False, limit_page_length=None, as_list=False, with_childnames=False, debug=False, ignore_permissions=False, user=None, with_comment_count=False, join='left join', distinct=False, start=None, page_length=None, limit=None, ignore_ifnull=False, save_user_settings=False, save_user_settings_fields=False, update=None, add_total_row=None, user_settings=None, reference_doctype=None): if not ignore_permissions and not dataent.has_permission( self.doctype, "read", user=user): dataent.flags.error_message = _( 'Insufficient Permission for {0}').format( dataent.bold(self.doctype)) raise dataent.PermissionError(self.doctype) # filters and fields swappable # its hard to remember what comes first if (isinstance(fields, dict) or (isinstance(fields, list) and fields and isinstance(fields[0], list))): # if fields is given as dict/list of list, its probably filters filters, fields = fields, filters elif fields and isinstance(filters, list) \ and len(filters) > 1 and isinstance(filters[0], string_types): # if `filters` is a list of strings, its probably fields filters, fields = fields, filters if fields: self.fields = fields else: self.fields = ["`tab{0}`.`name`".format(self.doctype)] if start: limit_start = start if page_length: limit_page_length = page_length if limit: limit_page_length = limit self.filters = filters or [] self.or_filters = or_filters or [] self.docstatus = docstatus or [] self.group_by = group_by self.order_by = order_by self.limit_start = 0 if (limit_start is False) else cint(limit_start) self.limit_page_length = cint( limit_page_length) if limit_page_length else None self.with_childnames = with_childnames self.debug = debug self.join = join self.distinct = distinct self.as_list = as_list self.ignore_ifnull = ignore_ifnull self.flags.ignore_permissions = ignore_permissions self.user = user or dataent.session.user self.update = update self.user_settings_fields = copy.deepcopy(self.fields) # for contextual user permission check # to determine which user permission is applicable on link field of specific doctype self.reference_doctype = reference_doctype or self.doctype if user_settings: self.user_settings = json.loads(user_settings) if query: result = self.run_custom_query(query) else: result = self.build_and_run() if with_comment_count and not as_list and self.doctype: self.add_comment_count(result) if save_user_settings: self.save_user_settings_fields = save_user_settings_fields self.update_user_settings() return result
def make(doctype=None, name=None, content=None, subject=None, sent_or_received="Sent", sender=None, sender_full_name=None, recipients=None, communication_medium="Email", send_email=False, print_html=None, print_format=None, attachments='[]', send_me_a_copy=False, cc=None, bcc=None, flags=None, read_receipt=None, print_letterhead=True): """Make a new communication. :param doctype: Reference DocType. :param name: Reference Document name. :param content: Communication body. :param subject: Communication subject. :param sent_or_received: Sent or Received (default **Sent**). :param sender: Communcation sender (default current user). :param recipients: Communication recipients as list. :param communication_medium: Medium of communication (default **Email**). :param send_mail: Send via email (default **False**). :param print_html: HTML Print format to be sent as attachment. :param print_format: Print Format name of parent document to be sent as attachment. :param attachments: List of attachments as list of files or JSON string. :param send_me_a_copy: Send a copy to the sender (default **False**). """ is_error_report = (doctype == "User" and name == dataent.session.user and subject == "Error Report") send_me_a_copy = cint(send_me_a_copy) if doctype and name and not is_error_report and not dataent.has_permission( doctype, "email", name) and not (flags or {}).get('ignore_doctype_permissions'): raise dataent.PermissionError( "You are not allowed to send emails related to: {doctype} {name}". format(doctype=doctype, name=name)) if not sender: sender = get_formatted_email(dataent.session.user) comm = dataent.get_doc({ "doctype": "Communication", "subject": subject, "content": content, "sender": sender, "sender_full_name": sender_full_name, "recipients": recipients, "cc": cc or None, "bcc": bcc or None, "communication_medium": communication_medium, "sent_or_received": sent_or_received, "reference_doctype": doctype, "reference_name": name, "message_id": get_message_id().strip(" <>"), "read_receipt": read_receipt, "has_attachment": 1 if attachments else 0 }) comm.insert(ignore_permissions=True) if not doctype: # if no reference given, then send it against the communication comm.db_set( dict(reference_doctype='Communication', reference_name=comm.name)) if isinstance(attachments, string_types): attachments = json.loads(attachments) # if not committed, delayed task doesn't find the communication if attachments: add_attachments("Communication", comm.name, attachments) dataent.db.commit() if cint(send_email): dataent.flags.print_letterhead = cint(print_letterhead) comm.send(print_html, print_format, attachments, send_me_a_copy=send_me_a_copy) return { "name": comm.name, "emails_not_sent_to": ", ".join(comm.emails_not_sent_to) if hasattr(comm, "emails_not_sent_to") else None }