From 1432d279b3cd216c434695682b5d8b38cd4d1a70 Mon Sep 17 00:00:00 2001
From: David
Date: Thu, 4 Jul 2024 21:13:03 +0200
Subject: [PATCH] fix: security context as per semgrep rule
---
 erpnext/accounts/doctype/payment_entry/payment_entry.py | 5 +++++
 erpnext/selling/doctype/sales_order/sales_order.py | 1 +
 2 files changed, 6 insertions(+)
diff --git a/erpnext/accounts/doctype/payment_entry/payment_entry.py b/erpnext/accounts/doctype/payment_entry/payment_entry.py
index 13658cf002f3..c9421416d9a0 100644
--- a/erpnext/accounts/doctype/payment_entry/payment_entry.py
+++ b/erpnext/accounts/doctype/payment_entry/payment_entry.py
@@ -1170,22 +1170,27 @@ def set_remarks(self):
 self.set("remarks", "\n".join(remarks))
+ @frappe.requires_permission("Sales Order", "read")
 def _from_sales_order(self, so):
 frappe.flags.new_payment_entry = self
 return get_payment_entry(so.doctype, so.name)
+ @frappe.requires_permission("Sales Invoice", "read")
 def _from_sales_invoice(self, si):
 frappe.flags.new_payment_entry = self
 return get_payment_entry(si.doctype, si.name)
+ @frappe.requires_permission("Purchase Order", "read")
 def _from_purchase_order(self, po):
 frappe.flags.new_payment_entry = self
 return get_payment_entry(po.doctype, po.name)
+ @frappe.requires_permission("Purchase Invoice", "read")
 def _from_purchase_invoice(self, pi):
 frappe.flags.new_payment_entry = self
 return get_payment_entry(pi.doctype, pi.name)
+ @frappe.requires_permission("Dunning", "read")
 def _from_dunning(self, d):
 frappe.flags.new_payment_entry = self
 return get_payment_entry(d.doctype, d.name)
diff --git a/erpnext/selling/doctype/sales_order/sales_order.py b/erpnext/selling/doctype/sales_order/sales_order.py
index f8fcd5765156..b7e7247b9f11 100755
--- a/erpnext/selling/doctype/sales_order/sales_order.py
+++ b/erpnext/selling/doctype/sales_order/sales_order.py
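Review bot: In the payment_entry.py hunk, each new decorator names its doctype as a string literal (`"Sales Order"`, `"Sales Invoice"`, and so on), while the method body passes `so.doctype` and `so.name` taken from the argument to `get_payment_entry`, so the permission that is checked and the document that is used are not tied together. The hunk does not show whether `frappe.requires_permission` evaluates anything beyond doctype-level access; if it does not, a user who can read the doctype in general but not this particular record would still pass the gate. A record-level check as the first statement of each method, for example `so.check_permission("read")`, would close that gap and would also cover an argument whose doctype differs from the one named in the decorator. The same applies to all five `_from_*` methods; the enclosing class starts and ends outside the hunk.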
@@ -741,6 +741,7 @@ def cancel_stock_reservation_entries(self, sre_list=None, notify=True) -> None:
 voucher_type=self.doctype, voucher_no=self.name, sre_list=sre_list, notify=notify
 )
+ @frappe.requires_permission("Sales Invoice", "create")
 def _into_sales_invoice(self):
 make_sales_invoice(self.name)
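Review bot: The decorator on `_into_sales_invoice` checks `create` on the target doctype only, whereas the `_from_*` methods in payment_entry.py check only `read` on the source, so the two mapping directions each enforce a different half of the same operation. Nothing visible here confirms read access to the Sales Order being converted (`self.name`), and nothing visible there confirms `create` on Payment Entry; `make_sales_invoice` and `get_payment_entry` may enforce these themselves, but their bodies are outside the hunks. If they do not, add the missing half, for example `self.check_permission("read")` as the first line of this method. A one-line comment naming the semgrep rule the commit message refers to, such as `# permission gate required by semgrep rule <RULE_ID>`, would tell the next reader why the decorator is there.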