Usage of User Permission to restrict access to multiple documents

avc · August 1, 2024, 9:56pm

User Permission lets restrict data access based on link field. For example, you can set restriction for user01@users.com for access only to Customer01. Option Apply to all DocTypes will spread the restriction to other doctypes, so you can just access to documents related to Customer01.

Deeper restrictions could be applied with one of this solutions:

Server script (permission script): Easy to achieve, but it will only work on listviews (directly typing URL user can avoid the restriction). Client script to trick this.
Frappe User and Role Permissions create new record conflict - #6 by thinkdigital
Hooks for permission_query_conditions and has_permission. More reliable and elegant, but you will need to create a custom app.

github.com

frappe/frappe/blob/c4aa49743ed315b364311f58e72190d578d7a18d/frappe/desk/doctype/event/event.py#L221


      
          		deletion = []
          		for comm in comms:
          			delete = frappe.get_doc("Communication", comm.name).delete()
          			deletion.append(delete)
          
          		return deletion
          
          	return {}
          
          
          def get_permission_query_conditions(user):
          	if not user:
          		user = frappe.session.user
          	return f"""(`tabEvent`.`event_type`='Public' or `tabEvent`.`owner`={frappe.db.escape(user)})"""
          
          
          def has_permission(doc, user):
          	if doc.event_type == "Public" or doc.owner == user:
          		return True
          
          	return False

github.com

frappe/frappe/blob/c4aa49743ed315b364311f58e72190d578d7a18d/frappe/hooks.py#L101


      
          on_logout = "frappe.core.doctype.session_default_settings.session_default_settings.clear_session_defaults"
          
          # PDF
          pdf_header_html = "frappe.utils.pdf.pdf_header_html"
          pdf_body_html = "frappe.utils.pdf.pdf_body_html"
          pdf_footer_html = "frappe.utils.pdf.pdf_footer_html"
          
          # permissions
          
          permission_query_conditions = {
          	"Event": "frappe.desk.doctype.event.event.get_permission_query_conditions",
          	"ToDo": "frappe.desk.doctype.todo.todo.get_permission_query_conditions",
          	"User": "frappe.core.doctype.user.user.get_permission_query_conditions",
          	"Dashboard Settings": "frappe.desk.doctype.dashboard_settings.dashboard_settings.get_permission_query_conditions",
          	"Notification Log": "frappe.desk.doctype.notification_log.notification_log.get_permission_query_conditions",
          	"Dashboard": "frappe.desk.doctype.dashboard.dashboard.get_permission_query_conditions",
          	"Dashboard Chart": "frappe.desk.doctype.dashboard_chart.dashboard_chart.get_permission_query_conditions",
          	"Number Card": "frappe.desk.doctype.number_card.number_card.get_permission_query_conditions",
          	"Notification Settings": "frappe.desk.doctype.notification_settings.notification_settings.get_permission_query_conditions",
          	"Note": "frappe.desk.doctype.note.note.get_permission_query_conditions",
          	"Kanban Board": "frappe.desk.doctype.kanban_board.kanban_board.get_permission_query_conditions",

Hope this helps.