fix: correct permission query condition in Dashboard (backport #31552) by mergify[bot] · Pull Request #31601 · frappe/frappe · GitHub

fix: correct permission query condition in Dashboard (backport #31552) #31601


Merged
merged 1 commit into from
Mar 9, 2025

Conversation

mergify[bot]
Contributor
@mergify mergify bot commented Mar 9, 2025

Description

This PR fixes an issue in the get_permission_query_conditions function of Dashboard doctype where the SQL condition was missing parentheses. This could lead to incorrect logical evaluation when the query is combined with other conditions.

Problem

The current implementation returns an SQL condition without parentheses:
return f" tabDashboard.module in ({','.join(allowed_modules)}) or {module_not_set} "

Solution

return f" (tabDashboard.module in ({','.join(allowed_modules)}) or {module_not_set}) "

Impact

  • Correctness: Ensures that the permission logic is evaluated correctly.
  • Maintainability: Makes the query easier to understand and maintain.
  • Reliability: Prevents potential bugs in dashboard filtering.

Example Scenario

Imagine a user has access to Module1 and Module2. Without parentheses, a query like:
tabDashboard.module IN ('Module1', 'Module2') OR ifnull(tabDashboard.module, '') = '' AND tabDashboard.is_active = 1

Would be evaluated as:
(tabDashboard.module IN ('Module1', 'Module2') OR ifnull(tabDashboard.module, '') = '') AND tabDashboard.is_active = 1

With the fix, the logical grouping is preserved, and the query works as intended.

Checklist

  • All tests pass locally (UI and Unit tests).
  • All business logic and validations are on the server-side.
  • Updated necessary documentation (if applicable).
  • PR name follows the convention.

Additional Notes

  • This change is minimal and does not introduce any breaking changes.
  • No screenshots/GIFs are included as this is a backend logic fix.

This is an automatic backport of pull request #31552 done by [Mergify](https://mergify.com).

@iamejaaz iamejaaz enabled auto-merge March 9, 2025 05:22
@iamejaaz iamejaaz merged commit b58adf8 into version-15-hotfix Mar 9, 2025
16 checks passed
@iamejaaz iamejaaz deleted the mergify/bp/version-15-hotfix/pr-31552 branch March 9, 2025 05:32
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 24, 2025
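
Added example, not part of the PR or of Frappe's code: in SQL, AND binds more tightly than OR, so the fragment returned before the fix regroups when another filter is ANDed onto either side of it. The sketch runs both return forms against a constructed SQLite table; `permission_condition`, `visible_dashboards`, the sample rows and the use of SQLite in place of the project's database are assumptions.

```python
import sqlite3

# Constructed sample rows: (name, module, is_active).
ROWS = [
    ("Sales Overview", "Module1", 1),
    ("Old Sales", "Module1", 0),
    ("Stock Summary", "Module2", 1),
    ("Scratchpad", None, 1),
    ("Retired Scratchpad", None, 0),
    ("HR Private", "Module3", 1),
]
MODULE_NOT_SET = "ifnull(tabDashboard.module, '') = ''"
ACTIVE_ONLY = "tabDashboard.is_active = 1"  # extra filter from the PR's scenario


def permission_condition(allowed_modules, parenthesized):
    """Hypothetical helper mirroring the two return statements quoted in the PR."""
    # Fixed, constructed module names, quoted so they can be joined into IN (...).
    quoted = ",".join(f"'{m}'" for m in allowed_modules)
    cond = f"tabDashboard.module in ({quoted}) or {MODULE_NOT_SET}"
    return f" ({cond}) " if parenthesized else f" {cond} "


def visible_dashboards(parenthesized, filter_first=False):
    """Names returned when the fragment is ANDed with ACTIVE_ONLY on either side."""
    cond = permission_condition(["Module1", "Module2"], parenthesized)
    where = f"{ACTIVE_ONLY} and{cond}" if filter_first else f"{cond}and {ACTIVE_ONLY}"
    db = sqlite3.connect(":memory:")
    db.execute("create table tabDashboard (name text, module text, is_active integer)")
    db.executemany("insert into tabDashboard values (?, ?, ?)", ROWS)
    rows = db.execute(f"select name from tabDashboard where {where} order by name").fetchall()
    db.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    for first in (False, True):
        print("filter first:", first)
        print("  without parentheses:", visible_dashboards(False, first))
        print("  with parentheses:   ", visible_dashboards(True, first))
```

Without the parentheses the inactive "Old Sales" row passes an appended filter and "Retired Scratchpad" passes a prepended one; with them, both placements return the same three active rows.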