Can we control the visibility of documents based on the workflow state in the list of documents?

I have a doctype with 3 workflow states, namely Draft, Submitted, Approved. I also have 3 levels of users named user1, user2, user3. I want to control the visibility of the documents in the doctype list based on the current workflow state, so that user1 can see only Draft and Approved documents, user2 can see only Submitted documents, and user3 only Approved documents. I was able to achieve this in the list with a client-side script manipulating the filters. But this can be overridden by the user by clearing the filters. In form view I was also able to achieve this.

Is there a solution for this at the Frappe framework level?

Hi @anish-cv:

Use a server script (permission type) or a custom permission query (hooks).

Check this …

Hope this helps.

What could be the reason for get_permission_query_conditions not getting invoked in the class? Do we need to specify it in hooks.py for a new Doc Type?

Hi @anish-cv:

Use hooks.py to set which method will manage permissions for your doctype.

Hi,
I am still picking up the basics of the Frappe Framework. Pardon me if I misunderstood OP’s question.

As per the documentation, the permission_query_conditions hook will only affect the result of the frappe.db.get_list method and not frappe.db.get_all.

If this is the case, is it not better to use the has_permission hook?

Thank You!

Hi @omkar.deekonda:

frappe.db.get_all should be used under “controlled” circumstances from the backend…
Desk (the Frappe interface) always checks the permission system.

I’d recommend using role permissions as much as you can … it’s really easy to manage visibility for different user “levels”. In addition, the framework provides even more tools: user permissions (specific access to particular documents), permission levels for fields, etc …

Anyway, every use case would be different …
Hope this helps.

I am trying to control the visibility of the list of documents shown in the Desk.

Still no effect. It has both get_permission_query_conditions and has_permission. has_permission executes for form level access even without hooks. But even with hooks get_permission_query_conditions is not getting invoked by the platform.

My code is below

def get_permission_query_conditions(user):
	if not user:
		user = frappe.session.user

	roles = frappe.get_roles(user)
	conditions = ""

	if "Head Level User" in roles:
		conditions = " workflow_state IN ('Technical Verified', 'Verified by SO')"
	elif "Tech Manager" in roles:
		conditions = " workflow_state = 'Submitted'"
	else:
		# Regular users can only see their own documents
		# frappe.db.escape() quotes and escapes the value for SQL
		conditions = f" owner = {frappe.db.escape(user)}"
	return " and".conditions


def has_permission(doc, ptype):
	user = frappe.session.user
	#frappe.msgprint("has_permission")
	roles = frappe.get_roles(user)

	if "Head Level User" in roles:
		return doc.workflow_state in ['Technical Verified', 'Verified by SO']

	elif "Tech Manager" in roles:
		return doc.workflow_state == 'Submitted'
	else:
		return doc.owner == user

Hi @anish-cv:

Check

	return " and".conditions

This is invalid … are you trying to use .join?

yes the code was json.modified but still no effect

import frappe


def get_permission_query_conditions(user):
	frappe.msgprint("has_permission")
	if not user:
		user = frappe.session.user

	roles = frappe.get_roles(user)
	conditions = []

	if "Head Level User" in roles:
		conditions.append("workflow_state IN ('Technical Verified', 'Verified by SO')")
	elif "Tech Manager" in roles:
		conditions.append("workflow_state = 'Submitted'")
	else:
		# Regular users can only see their own documents
		# frappe.db.escape() quotes and escapes the value for SQL
		conditions.append(f"owner = {frappe.db.escape(user)}")
		#frappe.msgprint("Condition")
	return " and ".join(conditions)

Hi @anish-cv:

Are you logged in as ‘Administrator’?
Note that the has_permission check will be bypassed in that case.

No, I am trying with a Tech Manager level user.

Hi @anish-cv:

It’s working well on my side, both listview and document access… can you share the hooks.py section for permissions? Any errors in the error log or browser console? I assume you are working in a development environment … have you tried to debug with print or breakpoint?

The issue was with the hooks.py declaration. The solution worked.
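
One way to keep the list-view filter and the form-level check from drifting apart, as an added example that is not part of the thread: both rules are derived from one role-to-state map and compared on constructed rows. The doctype name `Tech Request`, the `my_app.permissions` paths and the helper names are hypothetical, and `sql_quote` with SQLite stands in for `frappe.db.escape` and the site database so the block runs without Frappe.

```python
import sqlite3

# hooks.py entries; both hooks must be declared for the same doctype (names are hypothetical).
permission_query_conditions = {"Tech Request": "my_app.permissions.get_permission_query_conditions"}
has_permission = {"Tech Request": "my_app.permissions.has_permission"}

ROLE_STATES = {  # role names and states as used in the thread
    "Head Level User": ("Technical Verified", "Verified by SO"),
    "Tech Manager": ("Submitted",),
}

def sql_quote(value):
    # Stand-in for frappe.db.escape(): quote a string literal for SQLite.
    return "'" + str(value).replace("'", "''") + "'"

def visible_states(roles):
    for role, states in ROLE_STATES.items():
        if role in roles:
            return states
    return None  # no special role: owner-only access

def query_conditions(user, roles):
    # List view: a SQL fragment, which is what get_permission_query_conditions returns.
    states = visible_states(roles)
    if states is None:
        return f"owner = {sql_quote(user)}"
    return "workflow_state IN (" + ", ".join(sql_quote(s) for s in states) + ")"

def doc_allowed(doc, user, roles):
    # Form view: the same rule on one document, which is what has_permission returns.
    states = visible_states(roles)
    if states is None:
        return doc["owner"] == user
    return doc["workflow_state"] in states

# Constructed sample rows: (name, owner, workflow_state)
ROWS = [("D1", "a@example.com", "Submitted"), ("D2", "b@example.com", "Technical Verified"),
        ("D3", "o'neil@example.com", "Draft"), ("D4", "a@example.com", "Verified by SO")]

def list_names(user, roles):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doc (name TEXT, owner TEXT, workflow_state TEXT)")
    db.executemany("INSERT INTO doc VALUES (?, ?, ?)", ROWS)
    sql = "SELECT name FROM doc WHERE " + query_conditions(user, roles) + " ORDER BY name"
    return [r[0] for r in db.execute(sql)]

def form_names(user, roles):
    keys = ("name", "owner", "workflow_state")
    return [r[0] for r in ROWS if doc_allowed(dict(zip(keys, r)), user, roles)]
```

In a Frappe app the two rule functions would sit behind `get_permission_query_conditions(user)` and `has_permission(doc, ptype)`, with roles taken from `frappe.get_roles(user)`.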