From 68e14d40c2d496173d8e687e2e80b4637db9d83b Mon Sep 17 00:00:00 2001
From: Rushabh Mehta
Date: Wed, 21 Dec 2016 11:17:24 +0530
Subject: [PATCH] [security] fixed

---
 frappe/desk/form/load.py | 3 +--
 frappe/handler.py | 6 +++++-
 frappe/public/js/frappe/form/share.js | 1 +
 frappe/share.py | 12 +++++++-----
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/frappe/desk/form/load.py b/frappe/desk/form/load.py
index 2a1006c424..94c7345406 100644
--- a/frappe/desk/form/load.py
+++ b/frappe/desk/form/load.py
@@ -96,8 +96,7 @@ def get_docinfo(doc=None, doctype=None, name=None):
 "communications": _get_communications(doc.doctype, doc.name),
 "assignments": get_assignments(doc.doctype, doc.name),
 "permissions": get_doc_permissions(doc),
- "shared": frappe.share.get_users(doc.doctype, doc.name,
- fields=["user", "read", "write", "share", "everyone"])
+ "shared": frappe.share.get_users(doc.doctype, doc.name)
 }
 
 def get_user_permissions(meta):
diff --git a/frappe/handler.py b/frappe/handler.py
index 811eb89ffb..a96228c0b1 100755
--- a/frappe/handler.py
+++ b/frappe/handler.py
@@ -27,7 +27,11 @@ def execute_cmd(cmd, from_async=False):
 cmd = hook
 break
 
- method = get_attr(cmd)
+ try:
+ method = get_attr(cmd)
+ except:
+ frappe.throw('Invalid method', frappe.NotFound)
+
 if from_async:
 method = method.queue
 
diff --git a/frappe/public/js/frappe/form/share.js b/frappe/public/js/frappe/form/share.js
index 9f13b1cfef..41f811953f 100644
--- a/frappe/public/js/frappe/form/share.js
+++ b/frappe/public/js/frappe/form/share.js
@@ -15,6 +15,7 @@ frappe.ui.form.Share = Class.extend({
 this.parent.empty();
 
 var shared = this.shared || this.frm.get_docinfo().shared;
+ shared = shared.filter(function(d) { return d });
 var users = [];
 for (var i=0, l=shared.length; i < l; i++) {
 var s = shared[i];
diff --git a/frappe/share.py b/frappe/share.py
index 15b878f6c7..e277570504 100644
--- a/frappe/share.py
+++ b/frappe/share.py
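Review bot: The bare `except:` wrapped around `get_attr(cmd)` in the handler.py hunk catches `SystemExit` and `KeyboardInterrupt` as well as every programming error inside the imported module, so an `ImportError` or `SyntaxError` in a legitimate method's module is reported to the caller as `Invalid method` / NotFound and becomes hard to diagnose. Narrow it to at least `except Exception:`; if `get_attr` resolves `cmd` by importing a module and `getattr`-ing the final segment (its definition is not visible here), `except (ImportError, AttributeError):` is the precise form. Since `cmd` is request-supplied, logging the rejected value at warning level just before the `frappe.throw` gives operators a record of requests for non-existent endpoints while the client still only sees the generic message. `execute_cmd` begins before this hunk and continues past it.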
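Review bot: The new `shared = shared.filter(function(d) { return d });` in the share.js hunk carries no comment saying why `shared` can contain falsy entries, so a reader cannot tell whether it guards against rows nulled out by a removal or against an unexpected server response; a one-line comment such as `// skip null/undefined entries so the loop below only sees live share rows` (worded for the actual cause) would record the intent. Whether `this.frm.get_docinfo().shared` can itself be undefined is not visible here; if it can, `.filter` throws before the loop, exactly as `shared.length` already would have, so the added line does not change that failure mode. The enclosing method starts before this hunk and continues after it.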
@@ -83,12 +83,14 @@ def set_permission(doctype, name, user, permission_to, value=1, everyone=0):
 return share
 
 @frappe.whitelist()
-def get_users(doctype, name, fields="*"):
+def get_users(doctype, name):
 """Get list of users with which this document is shared"""
- if isinstance(fields, (tuple, list)):
- fields = "`{0}`".format("`, `".join(fields))
-
- return frappe.db.sql("select {0} from tabDocShare where share_doctype=%s and share_name=%s".format(fields),
+ return frappe.db.sql("""select
+ `name`, `user`, `read`, `write`, `share`, `everyone`
+ from
+ tabDocShare
+ where
+ share_doctype=%s and share_name=%s""",
 (doctype, name), as_dict=True)
 
 def get_shared(doctype, user=None, rights=None):
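Review bot: `get_users` remains `@frappe.whitelist()`ed and its new body performs no permission check on `doctype`/`name`, so any authenticated caller who knows a document name can list the users it is shared with and their read/write/share rights, unless that check happens in a layer not visible in this hunk; guarding the query with `if not frappe.has_permission(doctype, "read", name): frappe.throw("Not permitted", frappe.PermissionError)` keeps the share list as private as the document itself. The column list is now hard-coded because the old `fields` argument was formatted straight into the SQL string from a whitelisted endpoint, and that reasoning belongs in the code so a later maintainer does not reintroduce a caller-controlled select list, e.g. `# fixed column list on purpose: this endpoint is whitelisted, so the selected columns must never come from the caller`. Note that the fixed select also returns the DocShare row `name`, which the previous `get_docinfo` call did not request; if the client does not use it, dropping it keeps the docinfo payload to what is rendered.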