anoopmb
/
frappe
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12798 Commits
1 Branch
314 MiB
 
 
 
 
 
 
Tree: 49ac5cc9e5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '49ac5cc9e5'
${ noResults }
frappe/frappe/permissions.py

483 lines
16 KiB
Raw Blame History 

  1. # Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors

  2. # MIT License. See license.txt

  3. 

  4. from __future__ import unicode_literals, print_function

  5. from six.moves import range

  6. import frappe, copy, json

  7. from frappe import _, msgprint

  8. from frappe.utils import cint

  9. import frappe.share

  10. 

  11. rights = ("read", "write", "create", "delete", "submit", "cancel", "amend",

  12. 	"print", "email", "report", "import", "export", "set_user_permissions", "share")

  13. 

  14. def check_admin_or_system_manager(user=None):

  15. 	if not user: user = frappe.session.user

  16. 

  17. 	if ("System Manager" not in frappe.get_roles(user)) and (user!="Administrator"):

  18. 		frappe.throw(_("Not permitted"), frappe.PermissionError)

  19. 

  20. def has_permission(doctype, ptype="read", doc=None, verbose=False, user=None):

  21. 	"""Returns True if user has permission `ptype` for given `doctype`.

  22. 	If `doc` is passed, it also checks user, share and owner permissions.

  23. 

  24. 	Note: if Table DocType is passed, it always returns True.

  25. 	"""

  26. 	if not user: user = frappe.session.user

  27. 

  28. 	if frappe.is_table(doctype):

  29. 		if verbose: print("Table type, always true")

  30. 		return True

  31. 

  32. 	meta = frappe.get_meta(doctype)

  33. 

  34. 	if ptype=="submit" and not cint(meta.is_submittable):

  35. 		if verbose: print("Not submittable")

  36. 		return False

  37. 

  38. 	if ptype=="import" and not cint(meta.allow_import):

  39. 		if verbose: print("Not importable")

  40. 		return False

  41. 

  42. 	if user=="Administrator":

  43. 		if verbose: print("Administrator")

  44. 		return True

  45. 

  46. 	def false_if_not_shared():

  47. 		if ptype in ("read", "write", "share", "email", "print"):

  48. 			shared = frappe.share.get_shared(doctype, user,

  49. 				["read" if ptype in ("email", "print") else ptype])

  50. 

  51. 			if doc:

  52. 				doc_name = doc if isinstance(doc, basestring) else doc.name

  53. 				if doc_name in shared:

  54. 					if verbose: print("Shared")

  55. 					if ptype in ("read", "write", "share") or meta.permissions[0].get(ptype):

  56. 						if verbose: print("Is shared")

  57. 						return True

  58. 

  59. 			elif shared:

  60. 				# if atleast one shared doc of that type, then return True

  61. 				# this is used in db_query to check if permission on DocType

  62. 				if verbose: print("Has a shared document")

  63. 				return True

  64. 

  65. 		if verbose: print("Not Shared")

  66. 		return False

  67. 

  68. 	role_permissions = get_role_permissions(meta, user=user, verbose=verbose)

  69. 

  70. 	if not role_permissions.get(ptype):

  71. 		return false_if_not_shared()

  72. 

  73. 	perm = True

  74. 

  75. 	if doc:

  76. 		if isinstance(doc, basestring):

  77. 			doc = frappe.get_doc(meta.name, doc)

  78. 

  79. 		owner_perm = user_perm = controller_perm = None

  80. 

  81. 		if role_permissions["if_owner"].get(ptype) and ptype!="create":

  82. 			owner_perm = doc.owner == frappe.session.user

  83. 			if verbose: print("Owner permission: {0}".format(owner_perm))

  84. 

  85. 		# check if user permission

  86. 		if not owner_perm and role_permissions["apply_user_permissions"].get(ptype):

  87. 			user_perm = user_has_permission(doc, verbose=verbose, user=user,

  88. 				user_permission_doctypes=role_permissions.get("user_permission_doctypes", {}).get(ptype) or [])

  89. 

  90. 			if verbose: print("User permission: {0}".format(user_perm))

  91. 

  92. 		if not owner_perm and not user_perm:

  93. 			controller_perm = has_controller_permissions(doc, ptype, user=user)

  94. 

  95. 			if verbose: print("Controller permission: {0}".format(controller_perm))

  96. 

  97. 		# permission true if any one condition is explicitly True or all permissions are undefined (None)

  98. 		perm = any([owner_perm, user_perm, controller_perm]) or \

  99. 			all([owner_perm==None, user_perm==None, controller_perm==None])

  100. 

  101. 		if not perm:

  102. 			perm = false_if_not_shared()

  103. 

  104. 	if verbose: print("Final Permission: {0}".format(perm))

  105. 

  106. 	return perm

  107. 

  108. def get_doc_permissions(doc, verbose=False, user=None):

  109. 	"""Returns a dict of evaluated permissions for given `doc` like `{"read":1, "write":1}`"""

  110. 	if not user: user = frappe.session.user

  111. 

  112. 	if frappe.is_table(doc.doctype):

  113. 		return {"read":1, "write":1}

  114. 

  115. 	meta = frappe.get_meta(doc.doctype)

  116. 

  117. 	role_permissions = copy.deepcopy(get_role_permissions(meta, user=user, verbose=verbose))

  118. 

  119. 	if not cint(meta.is_submittable):

  120. 		role_permissions["submit"] = 0

  121. 

  122. 	if not cint(meta.allow_import):

  123. 		role_permissions["import"] = 0

  124. 

  125. 	if role_permissions.get("apply_user_permissions"):

  126. 		# no user permissions, switch off all user-level permissions

  127. 		for ptype in role_permissions:

  128. 			if role_permissions["apply_user_permissions"].get(ptype) and not user_has_permission(doc, verbose=verbose, user=user,

  129. 		user_permission_doctypes=role_permissions.get("user_permission_doctypes", {}).get(ptype) or []):

  130. 				role_permissions[ptype] = 0

  131. 

  132. 	# apply owner permissions on top of existing permissions

  133. 	if doc.owner == frappe.session.user:

  134. 		role_permissions.update(role_permissions.if_owner)

  135. 

  136. 	update_share_permissions(role_permissions, doc, user)

  137. 

  138. 	return role_permissions

  139. 

  140. def update_share_permissions(role_permissions, doc, user):

  141. 	"""Updates share permissions on `role_permissions` for given doc, if shared"""

  142. 	share_ptypes = ("read", "write", "share")

  143. 	permissions_by_share = frappe.db.get_value("DocShare",

  144. 		{"share_doctype": doc.doctype, "share_name": doc.name, "user": user},

  145. 		share_ptypes, as_dict=True)

  146. 

  147. 	if permissions_by_share:

  148. 		for ptype in share_ptypes:

  149. 			if permissions_by_share[ptype]:

  150. 				role_permissions[ptype] = 1

  151. 

  152. def get_role_permissions(meta, user=None, verbose=False):

  153. 	"""Returns dict of evaluated role permissions like `{"read": True, "write":False}`

  154. 

  155. 	If user permissions are applicable, it adds a dict of user permissions like

  156. 

  157. 		{

  158. 			// user permissions will apply on these rights

  159. 			"apply_user_permissions": {"read": 1, "write": 1},

  160. 

  161. 			// doctypes that will be applicable for each right

  162. 			"user_permission_doctypes": {

  163. 				"read": [

  164. 					// AND between "DocType 1" and "DocType 2"

  165. 					["DocType 1", "DocType 2"],

  166. 

  167. 					// OR

  168. 

  169. 					["DocType 3"]

  170. 

  171. 				]

  172. 			}

  173. 

  174. 			"if_owner": {"read": 1, "write": 1}

  175. 		}

  176. 	"""

  177. 	if not user: user = frappe.session.user

  178. 	cache_key = (meta.name, user)

  179. 

  180. 	if not frappe.local.role_permissions.get(cache_key):

  181. 		perms = frappe._dict(

  182. 			apply_user_permissions={},

  183. 			user_permission_doctypes={},

  184. 			if_owner={}

  185. 		)

  186. 		roles = frappe.get_roles(user)

  187. 		dont_match = []

  188. 		has_a_role_with_apply_user_permissions = False

  189. 

  190. 		for p in meta.permissions:

  191. 			if cint(p.permlevel)==0 and (p.role in roles):

  192. 				# apply only for level 0

  193. 

  194. 				for ptype in rights:

  195. 					# build if_owner dict if applicable for this right

  196. 					perms[ptype] = perms.get(ptype, 0) or cint(p.get(ptype))

  197. 

  198. 					if ptype != "set_user_permissions" and p.get(ptype):

  199. 						perms["apply_user_permissions"][ptype] = (perms["apply_user_permissions"].get(ptype, 1)

  200. 							and p.get("apply_user_permissions"))

  201. 

  202. 					if p.if_owner and p.get(ptype):

  203. 						perms["if_owner"][ptype] = 1

  204. 

  205. 					if p.get(ptype) and not p.if_owner and not p.get("apply_user_permissions"):

  206. 						dont_match.append(ptype)

  207. 

  208. 				if p.apply_user_permissions:

  209. 					has_a_role_with_apply_user_permissions = True

  210. 

  211. 					if p.user_permission_doctypes:

  212. 						# set user_permission_doctypes in perms

  213. 						user_permission_doctypes = json.loads(p.user_permission_doctypes)

  214. 					else:

  215. 						user_permission_doctypes = get_linked_doctypes(meta.name)

  216. 

  217. 					if user_permission_doctypes:

  218. 						# perms["user_permission_doctypes"][ptype] would be a list of list like [["User", "Blog Post"], ["User"]]

  219. 						for ptype in rights:

  220. 							if p.get(ptype):

  221. 								perms["user_permission_doctypes"].setdefault(ptype, []).append(user_permission_doctypes)

  222. 

  223. 		# if atleast one record having both Apply User Permission and If Owner unchecked is found,

  224. 		# don't match for those rights

  225. 		for ptype in rights:

  226. 			if ptype in dont_match:

  227. 				if perms["apply_user_permissions"].get(ptype):

  228. 					del perms["apply_user_permissions"][ptype]

  229. 

  230. 				if perms["if_owner"].get(ptype):

  231. 					del perms["if_owner"][ptype]

  232. 

  233. 		# if one row has only "Apply User Permissions" checked and another has only "If Owner" checked,

  234. 		# set Apply User Permissions as checked

  235. 		# i.e. the case when there is a role with apply_user_permissions as 1, but resultant apply_user_permissions is 0

  236. 		if has_a_role_with_apply_user_permissions:

  237. 			for ptype in rights:

  238. 				if perms["if_owner"].get(ptype) and perms["apply_user_permissions"].get(ptype)==0:

  239. 					perms["apply_user_permissions"][ptype] = 1

  240. 

  241. 		# delete 0 values

  242. 		for key, value in perms.get("apply_user_permissions").items():

  243. 			if not value:

  244. 				del perms["apply_user_permissions"][key]

  245. 

  246. 		frappe.local.role_permissions[cache_key] = perms

  247. 

  248. 	return frappe.local.role_permissions[cache_key]

  249. 

  250. def user_has_permission(doc, verbose=True, user=None, user_permission_doctypes=None):

  251. 	from frappe.defaults import get_user_permissions

  252. 	user_permissions = get_user_permissions(user)

  253. 	user_permission_doctypes = get_user_permission_doctypes(user_permission_doctypes, user_permissions)

  254. 

  255. 	def check_user_permission(d):

  256. 		meta = frappe.get_meta(d.get("doctype"))

  257. 		end_result = False

  258. 

  259. 		messages = {}

  260. 

  261. 		# check multiple sets of user_permission_doctypes using OR condition

  262. 		for doctypes in user_permission_doctypes:

  263. 			result = True

  264. 

  265. 			for df in meta.get_fields_to_check_permissions(doctypes):

  266. 				if (d.get(df.fieldname)

  267. 					and d.get(df.fieldname) not in user_permissions.get(df.options, [])):

  268. 					result = False

  269. 

  270. 					if verbose:

  271. 						msg = _("Not allowed to access {0} with {1} = {2}").format(df.options, _(df.label), d.get(df.fieldname))

  272. 						if d.parentfield:

  273. 							msg = "{doctype}, {row} #{idx}, ".format(doctype=_(d.doctype),

  274. 								row=_("Row"), idx=d.idx) + msg

  275. 

  276. 						messages[df.fieldname] = msg

  277. 

  278. 			end_result = end_result or result

  279. 

  280. 		if not end_result and messages:

  281. 			for fieldname, msg in messages.items():

  282. 				msgprint(msg)

  283. 

  284. 		return end_result

  285. 

  286. 	_user_has_permission = check_user_permission(doc)

  287. 	for d in doc.get_all_children():

  288. 		_user_has_permission = check_user_permission(d) and _user_has_permission

  289. 

  290. 	return _user_has_permission

  291. 

  292. def has_controller_permissions(doc, ptype, user=None):

  293. 	"""Returns controller permissions if defined. None if not defined"""

  294. 	if not user: user = frappe.session.user

  295. 

  296. 	methods = frappe.get_hooks("has_permission").get(doc.doctype, [])

  297. 

  298. 	if not methods:

  299. 		return None

  300. 

  301. 	for method in methods:

  302. 		controller_permission = frappe.call(frappe.get_attr(method), doc=doc, ptype=ptype, user=user)

  303. 		if controller_permission is not None:

  304. 			return controller_permission

  305. 

  306. 	# controller permissions could not decide on True or False

  307. 	return None

  308. 

  309. def get_doctypes_with_read():

  310. 	return list(set([p.parent for p in get_valid_perms()]))

  311. 

  312. def get_valid_perms(doctype=None):

  313. 	'''Get valid permissions for the current user from DocPerm and Custom DocPerm'''

  314. 	roles = get_roles()

  315. 

  316. 	perms = get_perms_for(roles)

  317. 	custom_perms = get_perms_for(roles, 'Custom DocPerm')

  318. 

  319. 	doctypes_with_custom_perms = list(set([d.parent for d in custom_perms]))

  320. 	for p in perms:

  321. 		if not p.parent in doctypes_with_custom_perms:

  322. 			custom_perms.append(p)

  323. 

  324. 	if doctype:

  325. 		return [p for p in custom_perms if p.parent == doctype]

  326. 	else:

  327. 		return custom_perms

  328. 

  329. def get_all_perms(role):

  330. 	'''Returns valid permissions for a given role'''

  331. 	perms = frappe.get_all('DocPerm', fields='*', filters=dict(role=role))

  332. 	custom_perms = frappe.get_all('Custom DocPerm', fields='*', filters=dict(role=role))

  333. 	doctypes_with_custom_perms = frappe.db.sql_list("""select distinct parent 

  334. 		from `tabCustom DocPerm`""")

  335. 

  336. 	for p in perms:

  337. 		if p.parent not in doctypes_with_custom_perms:

  338. 			custom_perms.append(p)

  339. 	return custom_perms

  340. 

  341. def get_roles(user=None, with_standard=True):

  342. 	"""get roles of current user"""

  343. 	if not user:

  344. 		user = frappe.session.user

  345. 

  346. 	if user=='Guest':

  347. 		return ['Guest']

  348. 

  349. 	def get():

  350. 		return [r[0] for r in frappe.db.sql("""select role from `tabHas Role`

  351. 			where parent=%s and role not in ('All', 'Guest')""", (user,))] + ['All', 'Guest']

  352. 

  353. 	roles = frappe.cache().hget("roles", user, get)

  354. 

  355. 	# filter standard if required

  356. 	if not with_standard:

  357. 		roles = filter(lambda x: x not in ['All', 'Guest', 'Administrator'], roles)

  358. 

  359. 	return roles

  360. 

  361. def get_perms_for(roles, perm_doctype='DocPerm'):

  362. 	'''Get perms for given roles'''

  363. 	return frappe.db.sql("""select * from `tab{doctype}` where docstatus=0

  364. 		and ifnull(permlevel,0)=0

  365. 		and role in ({roles})""".format(doctype = perm_doctype,

  366. 			roles=", ".join(["%s"]*len(roles))), tuple(roles), as_dict=1)

  367. 

  368. def can_set_user_permissions(doctype, docname=None):

  369. 	# System Manager can always set user permissions

  370. 	if frappe.session.user == "Administrator" or "System Manager" in frappe.get_roles():

  371. 		return True

  372. 

  373. 	meta = frappe.get_meta(doctype)

  374. 

  375. 	# check if current user has read permission for docname

  376. 	if docname and not has_permission(doctype, "read", docname):

  377. 		return False

  378. 

  379. 	# check if current user has a role that can set permission

  380. 	if get_role_permissions(meta).set_user_permissions!=1:

  381. 		return False

  382. 

  383. 	return True

  384. 

  385. def set_user_permission_if_allowed(doctype, name, user, with_message=False):

  386. 	if get_role_permissions(frappe.get_meta(doctype), user).set_user_permissions!=1:

  387. 		add_user_permission(doctype, name, user, with_message)

  388. 

  389. def add_user_permission(doctype, name, user, with_message=False):

  390. 	'''Add user default'''

  391. 	if name not in frappe.defaults.get_user_permissions(user).get(doctype, []):

  392. 		if not frappe.db.exists(doctype, name):

  393. 			frappe.throw(_("{0} {1} not found").format(_(doctype), name), frappe.DoesNotExistError)

  394. 

  395. 		frappe.defaults.add_default(doctype, name, user, "User Permission")

  396. 	elif with_message:

  397. 		msgprint(_("Permission already set"))

  398. 

  399. def remove_user_permission(doctype, name, user, default_value_name=None):

  400. 	frappe.defaults.clear_default(key=doctype, value=name, parent=user, parenttype="User Permission",

  401. 		name=default_value_name)

  402. 

  403. def clear_user_permissions_for_doctype(doctype):

  404. 	frappe.defaults.clear_default(parenttype="User Permission", key=doctype)

  405. 

  406. def can_import(doctype, raise_exception=False):

  407. 	if not ("System Manager" in frappe.get_roles() or has_permission(doctype, "import")):

  408. 		if raise_exception:

  409. 			raise frappe.PermissionError("You are not allowed to import: {doctype}".format(doctype=doctype))

  410. 		else:

  411. 			return False

  412. 	return True

  413. 

  414. def can_export(doctype, raise_exception=False):

  415. 	if not ("System Manager" in frappe.get_roles() or has_permission(doctype, "export")):

  416. 		if raise_exception:

  417. 			raise frappe.PermissionError("You are not allowed to export: {doctype}".format(doctype=doctype))

  418. 		else:

  419. 			return False

  420. 	return True

  421. 

  422. def apply_user_permissions(doctype, ptype, user=None):

  423. 	"""Check if apply_user_permissions is checked for a doctype, perm type, user combination"""

  424. 	role_permissions = get_role_permissions(frappe.get_meta(doctype), user=user)

  425. 	return role_permissions.get("apply_user_permissions", {}).get(ptype)

  426. 

  427. def get_user_permission_doctypes(user_permission_doctypes, user_permissions):

  428. 	"""returns a list of list like [["User", "Blog Post"], ["User"]]"""

  429. 	if cint(frappe.db.get_single_value("System Settings", "ignore_user_permissions_if_missing")):

  430. 		# select those user permission doctypes for which user permissions exist!

  431. 		user_permission_doctypes = [list(set(doctypes).intersection(set(user_permissions.keys())))

  432. 			for doctypes in user_permission_doctypes]

  433. 

  434. 	if len(user_permission_doctypes) > 1:

  435. 		# OPTIMIZATION

  436. 		# if intersection exists, use that to reduce the amount of querying

  437. 		# for example, [["Blogger", "Blog Category"], ["Blogger"]], should only search in [["Blogger"]] as the first and condition becomes redundant

  438. 

  439. 		common = user_permission_doctypes[0]

  440. 		for i in range(1, len(user_permission_doctypes), 1):

  441. 			common = list(set(common).intersection(set(user_permission_doctypes[i])))

  442. 			if not common:

  443. 				break

  444. 

  445. 		if common:

  446. 			# is common one of the user_permission_doctypes set?

  447. 			for doctypes in user_permission_doctypes:

  448. 				# are these lists equal?

  449. 				if set(common) == set(doctypes):

  450. 					user_permission_doctypes = [common]

  451. 					break

  452. 

  453. 	return user_permission_doctypes

  454. 

  455. def setup_custom_perms(parent):

  456. 	'''if custom permssions are not setup for the current doctype, set them up'''

  457. 	if not frappe.db.exists('Custom DocPerm', dict(parent=parent)):

  458. 		copy_perms(parent)

  459. 		return True

  460. 

  461. def copy_perms(parent):

  462. 	'''Copy all DocPerm in to Custom DocPerm for the given document'''

  463. 	for d in frappe.get_all('DocPerm', fields='*', filters=dict(parent=parent)):

  464. 		custom_perm = frappe.new_doc('Custom DocPerm')

  465. 		custom_perm.update(d)

  466. 		custom_perm.insert(ignore_permissions=True)

  467. 

  468. def reset_perms(doctype):

  469. 	"""Reset permissions for given doctype."""

  470. 	from frappe.desk.notifications import delete_notification_count_for

  471. 	delete_notification_count_for(doctype)

  472. 

  473. 	frappe.db.sql("""delete from `tabCustom DocPerm` where parent=%s""", doctype)

  474. 

  475. def get_linked_doctypes(dt):

  476. 	return list(set([dt] + [d.options for d in

  477. 		frappe.get_meta(dt).get("fields", {

  478. 			"fieldtype":"Link",

  479. 			"ignore_user_permissions":("!=", 1),

  480. 			"options": ("!=", "[Select]")

  481. 		})

  482. 	]))