refactor: improve `frappe.only_for`

(cherry picked from commit 61ec026712)

frappe/__init__.py

@@ -818,21 +818,24 @@ def write_only():
 	return innfn
 
 
-def only_for(roles: list[str] | str, message=False):
-	"""Raise `frappe.PermissionError` if the user does not have any of the given **Roles**.
+def only_for(roles: list[str] | tuple[str] | str, message=False):
+	"""
+	Raises `frappe.PermissionError` if the user does not have any of the permitted roles.
+
+	:param roles: Permitted role(s)
+	"""
 
-	:param roles: List of roles to check."""
-	if local.flags.in_test:
+	if local.flags.in_test or local.session.user == "Administrator":
 		return
 
-	if not isinstance(roles, (tuple, list)):
+	if isinstance(roles, str):
 		roles = (roles,)
-	roles = set(roles)
-	myroles = set(get_roles())
-	if not roles.intersection(myroles):
+
+	if not set(roles).intersection(get_roles()):
 		if message:
 			msgprint(
-				_("This action is only allowed for {}").format(bold(", ".join(roles))), _("Not Permitted")
+				_("This action is only allowed for {}").format(bold(", ".join(roles))),
+				_("Not Permitted"),
 			)
 		raise PermissionError
 

frappe/core/report/permitted_documents_for_user/permitted_documents_for_user.py

@@ -4,19 +4,18 @@
 import frappe
 import frappe.utils.user
 from frappe.model import data_fieldtypes
-from frappe.permissions import check_admin_or_system_manager, rights
+from frappe.permissions import rights
 
 
 def execute(filters=None):
+	frappe.only_for("System Manager")
+
 	user, doctype, show_permissions = (
 		filters.get("user"),
 		filters.get("doctype"),
 		filters.get("show_permissions"),
 	)
 
-	if not validate(user, doctype):
-		return [], []
-
 	columns, fields = get_columns_and_fields(doctype)
 	data = frappe.get_list(doctype, fields=fields, as_list=True, user=user)
 
@@ -30,12 +29,6 @@ def execute(filters=None):
 	return columns, data
 
 
-def validate(user, doctype):
-	# check if current user is System Manager
-	check_admin_or_system_manager()
-	return user and doctype
-
-
 def get_columns_and_fields(doctype):
 	columns = [f"Name:Link/{doctype}:200"]
 	fields = ["`name`"]

frappe/permissions.py

@@ -28,6 +28,11 @@ rights = (
 
 
 def check_admin_or_system_manager(user=None):
+	"""
+	DEPRECATED: This function will be removed in version 15.
+	Use `frappe.only_for` instead.
+	"""
+
 	if not user:
 		user = frappe.session.user