Ran into something today that doesn’t make sense to me.
I was trying to grab a company’s tax ID in a print format:
jinja
<b>RNC:</b> {{ frappe.get_value("Company", doc.company, "tax_id") }}
Error: module has no attribute 'get_value'
But this works fine:
jinja
<b>RNC:</b> {{ frappe.db.get_value("Company", doc.company, "tax_id") }}
So frappe.get_value() is blocked but frappe.db.get_value() isn’t? And frappe.get_doc() works fine too?
From what I understand, frappe.get_value() checks permissions before returning data while frappe.db.get_value() bypasses permissions completely. But apparently frappe.get_doc() also doesn’t check permissions by default - you have to manually call check_permission() on it. Plus frappe.get_value() has caching built in, but frappe.db hits the database every time. So they allow the heavier operations that bypass security but block the lighter, safer one?
So the framework blocks the secure, cached method but allows the insecure, slower one?
If I’m printing employee data and some user shouldn’t see salary info, frappe.get_value() would respect that. But frappe.db.get_value() would just show the salary anyway, right?
Currently using frappe.db.get_value() since it works, but feels like I’m doing something wrong.
Anyone know why it’s set up this way?