Skip to content

fix: Apply permlevel for update_doc endpoint in v2 API #32135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gavindsouza merged 4 commits into from
Apr 16, 2025
Merged

fix: Apply permlevel for update_doc endpoint in v2 API #32135

gavindsouza merged 4 commits into from
Apr 16, 2025

Conversation

@petnd
Copy link
Contributor

@petnd petnd commented Apr 15, 2025

Apply Read Permission to returned fields of API v2

Bug Fix for: #32045

With this change, the API v2 now checks which fields the user is allowed to see when updating documents. In comparison to the "read_doc" method, the call to "apply_fieldlevel_read_permissions" did not yet exist when saving.

The document function “save” only checks whether the permissions for write and save are available. When the document is returned, however, no check is made at any point as to which fields the user is actually permitted to read.
With "Read_doc", the permission check is carried out in the API and fields are then checked directly.

@gavindsouza gavindsouza changed the title fix: Only Return Allowed Fields in API Response fix: Apply permlevel for update_doc endpoint in v2 API Apr 16, 2025
@gavindsouza gavindsouza merged commit 38f112f into frappe:develop Apr 16, 2025
25 checks passed
@gavindsouza gavindsouza added the backport version-15-hotfix Backport the PR to v15 label Apr 16, 2025
mergify bot pushed a commit that referenced this pull request Apr 16, 2025
@petnd @mergify
fix: Apply permlevel for update_doc endpoint in v2 API (#32135)
bccb794 
* fix: Only Return Allowed Fields in API Response

Apply Read Permission to the returned fields of API v2

(cherry picked from commit 38f112f)
@mergify mergify bot mentioned this pull request Apr 16, 2025
Merged
gavindsouza added a commit that referenced this pull request Apr 16, 2025
@gavindsouza
Merge pull request #32168 from frappe/mergify/bp/version-15-hotfix/pr…
bf638b0 
…-32135

fix: Apply permlevel for update_doc endpoint in v2 API (backport #32135)
frappe-pr-bot pushed a commit that referenced this pull request Apr 22, 2025
@frappe-bot
chore(release): Bumped to Version 15.66.0
a1d12fd 
# [15.66.0](v15.65.2...v15.66.0) (2025-04-22)

### Bug Fixes

* add param `is_system_generated=True` to `make_property_setter` ([86d7395](86d7395))
* add translate to error message ([59df3b0](59df3b0))
* allow custom fonts in wkhtmltopdf ([13e0d5d](13e0d5d))
* Allow to manually send an email even if queue is disabled ([13054b8](13054b8))
* Apply permlevel for update_doc endpoint in v2 API ([#32135](#32135)) ([bccb794](bccb794))
* broken print preview ([3a6f6a5](3a6f6a5))
* **db_query:** improve subquery check ([a640bde](a640bde))
* **db_query:** use `re.DOTALL` ([c6001fe](c6001fe))
* **email_queue:** remove confirm step ([4b73218](4b73218))
* **event:** Better calculation of next recurring event ([a624c02](a624c02))
* **Event:** Capture days within the weekly repeat ([7d70a34](7d70a34))
* **Event:** Handle end of the month repeats ([51053a0](51053a0))
* Exclude perm restrcited fields from standard list view filter ([e81cb9a](e81cb9a))
* **fc-billing:** switch manage billing to a `button` instead of `div` ([#32248](#32248)) ([#32249](#32249)) ([911c448](911c448))
* German translations ([b8a71ef](b8a71ef))
* group by parent child issue ([905bd96](905bd96))
* language change on setup wizard doesnt load options ([f2d59a9](f2d59a9))
* **map view:** hide sort selector ([e2f3ead](e2f3ead))
* **map view:** separate map creation and data rendering ([f3b1e2e](f3b1e2e))
* **minor:** address rendering should look same ([76624ba](76624ba))
* Portuguese translations ([d191012](d191012))
* Portuguese translations ([0fa3fec](0fa3fec))
* redundant comment in form timeline ([909a3a3](909a3a3))
* remove custom font from base font list ([039b243](039b243))
* return after setting value in set_route_filters ([bc73ae5](bc73ae5))
* selection of timezone after changing the language ([#32211](#32211)) ([#32212](#32212)) ([d355e99](d355e99))
* **setup-wizard:** create system user on initialising setup data ([#32181](#32181)) ([#32182](#32182)) ([c1cb739](c1cb739))
* **setup-wizard:** fetch translation messages only if language is changed ([#32224](#32224)) ([#32225](#32225)) ([5931711](5931711))
* sync translations from crowdin ([#32146](#32146)) ([cf3919b](cf3919b))
* Thai translations ([5e2e56d](5e2e56d))
* translatable string extraction ([#32142](#32142)) ([2aace36](2aace36))

### Features

* initialise and preload system settings and user for setup wizard ([#32108](#32108)) ([#32141](#32141)) ([c381cff](c381cff))
* **map view:** add locate control ([362bd58](362bd58))
* show link to form ([9ef262d](9ef262d))

### Performance Improvements

* 10000s of times faster global search ([#32147](#32147)) ([#32154](#32154)) ([169bfa5](169bfa5))
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 1, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@gavindsouza gavindsouza gavindsouza approved these changes

Assignees

No one assigned

Labels

backport version-15-hotfix Backport the PR to v15

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@petnd @gavindsouza