I am trying to check user access to a document; however, I have noticed that only permissions defined on the doctype are applied, and hook-defined permissions are ignored. Permissions are applied correctly when I log in to desk. Am I doing anything wrong?
peterg
November 18, 2022, 10:10am
#2
I’ve been running into the same problem, and it appears the issue may be related to this:
opened 09:31AM - 12 May 20 UTC
closed 04:58PM - 27 Jul 21 UTC
bug
## Description of the issue
The documentation states:
> Document permissions
> You can hook to doc.has_permission for any DocType and add special permission checking logic using the has_permission hook. Structure for this hook is,
```
has_permission = {
    "{doctype}": "{dotted.path.to.function}",
}
```
> The function will be passed the concerned document as an argument. It should return True or a falsy value after running the required logic.
However, it is not possible to provide permission (by returning a 'True' value as indicated in the documentation), only deny it. This is because the 'has_permission' hook is called by the has_controller_permission function:
```
def has_controller_permissions(doc, ptype, user=None):
    """Returns controller permissions if defined. None if not defined"""
    if not user: user = frappe.session.user
    methods = frappe.get_hooks("has_permission").get(doc.doctype, [])
    if not methods:
        return None
    for method in methods:
        controller_permission = frappe.call(frappe.get_attr(method), doc=doc, ptype=ptype, user=user)
        if controller_permission is not None:
            return controller_permission
    # controller permissions could not decide on True or False
    return None
```
but the result of this is only compared against False in get_doc_permissions:
```
if has_controller_permissions(doc, ptype, user=user) == False :
    push_perm_check_log('Not allowed via controller permission check')
    return {ptype: 0}
```
## Steps to reproduce the issue
1. Write a custom method for has_permission which returns 'True'
2. Add this to the 'has_permission' hook in hooks.py
3. Attempt to access the document
### Observed result
Permission can only be denied, not provided, by the 'has_permission' hook
### Expected result
Permission can be provided by the 'has_permission' hook as described in the documentation
### Suggested solution:
One of:
- allow has_controller_permission to return a permissions dictionary, so that permission can be granted by the has_permission hook
- update the documentation to indicate that permission can only be denied and that either 'None' (no impact) or 'False' (deny permissions) should be returned.
I got this working: in addition to what is described in the issue, the permission_type parameter has been renamed to ptype.
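
Added example, not part of the thread and not Frappe's own code: a stand-alone model of the control flow quoted in the issue, showing that a hook returning `True` cannot grant access while one returning `False` can deny it. `Doc`, `HOOKS`, `role_allows`, `get_doc_permission` and the two hook functions are hypothetical names, and the role check is reduced to a single boolean.

```python
# Stand-alone model of the control flow quoted in the issue (no Frappe import).
# Doc, HOOKS, role_allows and the hook functions are hypothetical names.
from dataclasses import dataclass


@dataclass
class Doc:
    doctype: str
    owner: str


def grant_all(doc, ptype, user):
    # Hook that tries to grant access by returning True.
    return True


def owner_only(doc, ptype, user):
    # Deny-or-abstain hook: False blocks, None defers to role permissions.
    # Takes ptype, the parameter name used in the quoted frappe.call().
    return None if doc.owner == user else False


# Constructed hook registry standing in for hooks.py.
HOOKS = {"Grant Note": [grant_all], "Owner Note": [owner_only]}


def has_controller_permissions(doc, ptype, user):
    # Same logic as the quoted function: the first non-None result wins.
    for method in HOOKS.get(doc.doctype, []):
        result = method(doc=doc, ptype=ptype, user=user)
        if result is not None:
            return result
    return None


def get_doc_permission(doc, ptype, user, role_allows):
    # Comparison kept as in the quoted code: only False changes the outcome.
    if has_controller_permissions(doc, ptype, user) == False:  # noqa: E712
        return {ptype: 0}
    # True and None both fall through to the role-based result.
    return {ptype: int(role_allows)}


if __name__ == "__main__":
    note = Doc("Grant Note", owner="alice")
    # Hook says True, role permissions say no: access is still refused.
    print(get_doc_permission(note, "read", "bob", role_allows=False))
    private = Doc("Owner Note", owner="alice")
    # Role permissions say yes, hook says False: access is refused.
    print(get_doc_permission(private, "read", "bob", role_allows=True))
```
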