From 14937fd4fc7ac7ce86593fad39bc070930dcf970 Mon Sep 17 00:00:00 2001
From: Jannat Patel
Date: Mon, 23 Feb 2026 11:06:34 +0530
Subject: [PATCH] fix: check ptype for permission if not admin
---
frontend/src/pages/JobForm.vue | 1 +
frontend/src/pages/Lesson.vue | 2 +-
lms/lms/api.py | 10 +++-------
lms/lms/doctype/lms_badge/lms_badge.py | 7 +++++--
lms/lms/doctype/lms_batch/lms_batch.py | 3 +++
lms/lms/doctype/lms_certificate/lms_certificate.py | 4 ++++
lms/lms/doctype/lms_live_class/lms_live_class.py | 3 +++
lms/lms/doctype/lms_program/lms_program.py | 3 +++
8 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/frontend/src/pages/JobForm.vue b/frontend/src/pages/JobForm.vue
index 1ee0d523..c8035179 100644
--- a/frontend/src/pages/JobForm.vue
+++ b/frontend/src/pages/JobForm.vue
@@ -189,6 +189,7 @@ const jobDetails = createDocumentResource({ watch( () => jobDetails?.doc, () => { + if (!jobDetails.doc) return if (jobDetails.doc.owner != user.data?.name && !user.data?.is_moderator) { router.push({ name: 'Jobs',
diff --git a/frontend/src/pages/Lesson.vue b/frontend/src/pages/Lesson.vue
index 312e56c9..6bef3c0d 100644
--- a/frontend/src/pages/Lesson.vue
+++ b/frontend/src/pages/Lesson.vue
@@ -658,7 +658,7 @@ const getVideoDetails = () => { const getPlyrSourceDetails = () => { let details = [] - plyrSources.value.forEach(async (source) => { + plyrSources.value.forEach((source) => { if (source.currentTime == source.duration) markProgress() let src = cleanYouTubeUrl(source.source) details.push({
diff --git a/lms/lms/api.py b/lms/lms/api.py
index 6e560809..337c67e9 100644
--- a/lms/lms/api.py
+++ b/lms/lms/api.py
@@ -31,6 +31,7 @@ from pypika import functions as fn from lms.lms.doctype.course_lesson.course_lesson import save_progress from lms.lms.utils import ( + LMS_ROLES, can_modify_batch, can_modify_course, get_average_rating,
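Review bot: In the `watch` callback of frontend/src/pages/JobForm.vue the added `if (!jobDetails.doc) return` covers the document not being loaded yet, but the comparison right below it still reads `user.data?.name` and `user.data?.is_moderator`, and the optional chaining suggests `user.data` can be undefined at that moment. If the document resolves before the user resource, both tests come out as "not owner, not moderator" and the owner is redirected to Jobs. Consider waiting for both, e.g. `if (!jobDetails.doc || !user.data) return`, with `user.data` added to the watched sources so the check reruns once it arrives. This redirect is navigation only, so the owner/moderator rule also has to be enforced by the server-side permission check for the job document, which is not part of this diff; the callback itself continues past the end of the hunk.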
@@ -607,12 +608,7 @@ def check_app_permission(): if frappe.session.user == "Administrator": return True - roles = frappe.get_roles() - lms_roles = ["Moderator", "Course Creator", "Batch Evaluator", "LMS Student"] - if any(role in roles for role in lms_roles): - return True - - return False + return has_lms_role() @frappe.whitelist()
@@ -1723,7 +1719,7 @@ def get_profile_details(username: str): roles = frappe.get_roles(details.name) if not has_lms_role(): frappe.throw( - _("User does not have permission to access this users profile details."), frappe.PermissionError + _("User does not have permission to access this user's profile details."), frappe.PermissionError ) details.roles = roles return details
diff --git a/lms/lms/doctype/lms_badge/lms_badge.py b/lms/lms/doctype/lms_badge/lms_badge.py
index 4e4f981d..f87f3d7c 100644
--- a/lms/lms/doctype/lms_badge/lms_badge.py
+++ b/lms/lms/doctype/lms_badge/lms_badge.py
@@ -70,14 +70,17 @@ def assign_badge(badge_name: str): ["name", "event", "reference_doctype", "condition", "user_field"], as_dict=True, ) + if not badge: + frappe.throw(_("Badge {0} not found").format(badge_name), frappe.DoesNotExistError) + if not badge.event == "Manual Assignment": return fields = ["name"] fields.append(badge.user_field) - list = frappe.get_all(badge.reference_doctype, filters=json.loads(badge.condition), fields=fields) + docs = frappe.get_all(badge.reference_doctype, filters=json.loads(badge.condition), fields=fields) - for doc in list: + for doc in docs: assignment_name = award(badge, doc.get(badge.user_field)) if assignment_name: assignments.append(assignment_name)
diff --git a/lms/lms/doctype/lms_batch/lms_batch.py b/lms/lms/doctype/lms_batch/lms_batch.py
index 6f535cd7..e34c8366 100644
--- a/lms/lms/doctype/lms_batch/lms_batch.py
+++ b/lms/lms/doctype/lms_batch/lms_batch.py
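Review bot: `check_app_permission` in lms/lms/api.py now returns `has_lms_role()`, whose definition is not in this diff, in place of an explicit test against Moderator, Course Creator, Batch Evaluator and LMS Student, so app access changes if the helper's role set differs from those four. It is worth confirming that the helper checks the session user against exactly that list and returns a bool. The `LMS_ROLES` import added in the first api.py hunk is not referenced by any api.py line shown in this patch; unless code already in the file uses it, it is an unused import and can be dropped. A one-line comment above the return would record the contract: `# App access: Administrator, or any role accepted by has_lms_role()`.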
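Review bot: In `assign_badge` (lms/lms/doctype/lms_badge/lms_badge.py) the new not-found check stops a missing badge, but `json.loads(badge.condition)` a few lines further down is still unguarded, so a badge stored with an empty condition raises TypeError or JSONDecodeError instead of a handled error. If an empty condition is possible for a Manual Assignment badge, reject it explicitly, e.g. `if not badge.condition: frappe.throw(_("Badge {0} has no condition").format(badge_name))`, rather than falling back to empty filters, which would match every document of `badge.reference_doctype`. `frappe.get_all` does not apply the caller's permissions, so who may invoke `assign_badge` has to be settled in the part of the function above this hunk, which is not visible here.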
@@ -407,6 +407,9 @@ def has_permission(doc, ptype="read", user=None): if "Moderator" in roles or "Batch Evaluator" in roles: return True + if ptype not in ("read", "select", "print"): + return False + is_enrolled = frappe.db.exists("LMS Batch Enrollment", {"batch": doc.name, "member": user}) if is_enrolled: return True
diff --git a/lms/lms/doctype/lms_certificate/lms_certificate.py b/lms/lms/doctype/lms_certificate/lms_certificate.py
index cfc93af8..19579a07 100644
--- a/lms/lms/doctype/lms_certificate/lms_certificate.py
+++ b/lms/lms/doctype/lms_certificate/lms_certificate.py
@@ -222,6 +222,10 @@ def has_permission(doc, ptype="read", user=None): roles = frappe.get_roles(user) if "Moderator" in roles or "Course Creator" in roles or "Batch Evaluator" in roles: return True + if doc.owner == user: + return True + if ptype not in ("read", "select", "print"): + return False return doc.published
diff --git a/lms/lms/doctype/lms_live_class/lms_live_class.py b/lms/lms/doctype/lms_live_class/lms_live_class.py
index 9f9ff2cd..d91e3e99 100644
--- a/lms/lms/doctype/lms_live_class/lms_live_class.py
+++ b/lms/lms/doctype/lms_live_class/lms_live_class.py
@@ -177,6 +177,9 @@ def has_permission(doc, ptype="read", user=None): if "Moderator" in roles or "Batch Evaluator" in roles: return True + if ptype not in ("read", "select", "print"): + return False + return frappe.db.exists( "LMS Batch Enrollment", {"batch": doc.batch_name, "member": user},
diff --git a/lms/lms/doctype/lms_program/lms_program.py b/lms/lms/doctype/lms_program/lms_program.py
index 5d09c328..e883b2f6 100644
--- a/lms/lms/doctype/lms_program/lms_program.py
+++ b/lms/lms/doctype/lms_program/lms_program.py
@@ -55,6 +55,9 @@ def has_permission(doc, ptype="read", user=None): if "Moderator" in roles or "Course Creator" in roles: return True + if ptype not in ("read", "select", "print"): + return False + is_enrolled = frappe.db.exists("LMS Program Member", {"parent": doc.name, "member": user}) if is_enrolled: return True
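Review bot: The read-only allow-list `("read", "select", "print")` is written out separately in `has_permission` of lms_batch.py and again in the lms_certificate.py, lms_live_class.py and lms_program.py hunks, so a later edit to one copy can leave the four doctypes enforcing different policies without anyone noticing. A single shared constant would keep them aligned, for instance `READ_ONLY_PTYPES = ("read", "select", "print")` in `lms.lms.utils` (name is a suggestion), with a comment that every other ptype is denied to non-staff users by default. In all four functions the role shortcut above the gate still returns True for any ptype, so roles such as Batch Evaluator pass write and delete checks here; if that is not intended, the gate needs to sit above the role test for those roles as well. Each function starts above its hunk, so how `user` and `roles` are derived is not visible.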
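Review bot: In `has_permission` of lms/lms/doctype/lms_certificate/lms_certificate.py the new `if doc.owner == user: return True` is placed above the ptype gate, so the owner gets True for every ptype, including write and delete, which is the case the rest of this commit closes for non-staff users. If owners are only meant to see their own unpublished certificate, put `if ptype not in ("read", "select", "print"): return False` first and the owner test after it. `doc.owner` is the user who created the record, which may be an evaluator or moderator and not the person the certificate was issued to, so it is worth confirming that this is the identity the rule is meant to match. How much a True from this hook can widen access depends on how the framework combines it with role permissions, which this diff does not show.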