135 changes: 98 additions & 37 deletions audit_management/audit_management/doctype/my_audits/my_audits.py
Expand Up @@ -802,9 +802,7 @@ def has_permission(doc, ptype, user=None):
# 4. Access for Audit Members (Non-Managers)
# Audit Member: only if NOT draft OR owner
if "Audit Member" in roles:
if getattr(doc, "status", None) == "Draft":
return doc.owner == user
return True
return doc.owner == user

# 5. Access for Others (Owner or Current Assignee)
if doc.owner == user:
Expand All @@ -827,66 +825,129 @@ def get_permission_query_conditions(user=None):

roles = frappe.get_roles(user)

# =========================================================
# ADMIN BYPASS
# =========================================================
if "Administrator" in roles or "System Manager" in roles:
return ""

# =========================================================
# DIVISION ACCESS
# =========================================================
allowed_divisions = get_user_allowed_divisions(user)
divisions_sql = ", ".join(f"{frappe.db.escape(d)}" for d in allowed_divisions) if allowed_divisions else "'None'"

# NEW: Sol ID Condition
divisions_sql = ", ".join(
[frappe.db.escape(d) for d in allowed_divisions]
) if allowed_divisions else "'None'"

# =========================================================
# AUDIT MANAGER
# Full division access
# =========================================================
if "Audit Manager" in roles:
return f"""
`tabMy Audits`.emp_division IN ({divisions_sql})
"""

# =========================================================
# AUDIT MEMBER
# Only created records
# =========================================================
if "Audit Member" in roles:
return f"""
`tabMy Audits`.owner = '{user}'
"""

# =========================================================
# SOL ID ACCESS
# =========================================================
allowed_sol_ids = get_user_allowed_sol_ids(user)
sol_id_condition = "1=0"

sol_condition = "1=0"

if allowed_sol_ids:
sol_ids_str = ", ".join([frappe.db.escape(str(s)) for s in allowed_sol_ids])
sol_id_condition = f"""
`tabMy Audits`.emp_branch IN (
SELECT name FROM `tabAudit Level`
WHERE sahayog_branch IN ({sol_ids_str})
sol_ids_sql = ", ".join(
[frappe.db.escape(str(s)) for s in allowed_sol_ids]
)

sol_condition = f"""
(
`tabMy Audits`.status != 'Draft'
AND
`tabMy Audits`.emp_branch IN (
SELECT name
FROM `tabAudit Level`
WHERE sahayog_branch IN ({sol_ids_sql})
)
)
"""

is_audit_manager = "Audit Manager" in roles
is_audit_team = is_audit_manager or "Audit Member" in roles

# ✅ FIX: correct child table name
# =========================================================
# STAGE ACCESS
# =========================================================
pending_condition = f"""
EXISTS (
SELECT name FROM `tabAudit Items`
SELECT name
FROM `tabAudit Items`
WHERE parent = `tabMy Audits`.name
AND status = 'Pending'
AND (user_id = '{user}' OR email = '{user}')
AND (
user_id = '{user}'
OR email = '{user}'
)
)
"""

responded_condition = f"""
EXISTS (
SELECT name FROM `tabAudit Items`
WHERE parent = `tabMy Audits`.name
AND status = 'Responded'
AND (user_id = '{user}' OR email = '{user}')
)
EXISTS (
SELECT name
FROM `tabAudit Items`
WHERE parent = `tabMy Audits`.name
AND status = 'Responded'
AND (
user_id = '{user}'
OR email = '{user}'
)
)
"""
if is_audit_manager:
return f"`tabMy Audits`.emp_division IN ({divisions_sql})"

if "Audit Member" in roles and not is_audit_manager:
return f"`tabMy Audits`.owner = '{user}'"

# ✅ FINAL CONTROL
# =========================================================
# FINAL CONDITIONS
# =========================================================
return f"""
(
(`tabMy Audits`.status = 'Draft' AND `tabMy Audits`.owner = '{user}')
OR
(`tabMy Audits`.owner = '{user}' AND `tabMy Audits`.emp_division IN ({divisions_sql}))

-- Draft only owner
(
`tabMy Audits`.status = 'Draft'
AND `tabMy Audits`.owner = '{user}'
)

OR
({sol_id_condition})

-- SOL ID based access
(
{sol_condition}
)

OR

-- Pending stage access
(
`tabMy Audits`.status != 'Draft' AND (
({pending_condition})
`tabMy Audits`.status != 'Draft'
AND (
{pending_condition}
OR
({responded_condition})
{responded_condition}
)
)

OR

-- Owner access
(
`tabMy Audits`.owner = '{user}'
)

)
"""

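Review bot: `user` is interpolated into the SQL string unescaped throughout get_permission_query_conditions — `owner = '{user}'` in the Audit Member return, `user_id = '{user}' OR email = '{user}'` in both EXISTS subqueries, and the Draft and owner clauses of the final return — while `allowed_divisions` and `allowed_sol_ids` on the same lines go through `frappe.db.escape`, and the report hunk in this same PR writes `owner = {frappe.db.escape(user)}`. A user id containing a quote would at least break the generated query, so bind it once, `user_sql = frappe.db.escape(user)`, and write `{user_sql}` wherever `'{user}'` appears now. The signature of get_permission_query_conditions and whatever resolves a None user sit above the hunk, so it is not visible here whether user is validated before this point. Separately, the trailing `-- Owner access` clause (`owner = '{user}'`) already subsumes the `-- Draft only owner` clause, which can be dropped, and the `--` line comments inside the f-string only survive if every caller keeps the newlines when splicing the condition into its query, which is worth confirming.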
Expand Up @@ -64,15 +64,10 @@ def get_data(filters):
# Sees everything, no perm filter needed
pass
elif is_audit_member:
# Audit Member: Sees only their own created records (as requested)
# OR records in their allowed divisions
allowed_divisions = get_user_allowed_divisions(user)
perm_conds = [f"owner = {frappe.db.escape(user)}"]
if allowed_divisions:
div_list = ", ".join([frappe.db.escape(d) for d in allowed_divisions])
perm_conds.append(f"emp_division IN ({div_list})")

conditions.append(f"({' OR '.join(perm_conds)})")
# Audit Member: only own created records
conditions.append(
f"owner = {frappe.db.escape(user)}"
)
else:
# Other users: Sol ID based access (from Report Preference)
# OR records where they are participants
Expand All @@ -82,18 +77,29 @@ def get_data(filters):
if allowed_sol_ids:
sol_list = ", ".join([frappe.db.escape(str(s)) for s in allowed_sol_ids])
perm_conds.append(f"""
emp_branch IN (
SELECT name FROM `tabAudit Level`
WHERE sahayog_branch IN ({sol_list})
(
status != 'Draft'
AND
emp_branch IN (
SELECT name FROM `tabAudit Level`
WHERE sahayog_branch IN ({sol_list})
)
)
""")

# Also include where they are assigned (Audit Items)
perm_conds.append(f"""
EXISTS (
SELECT name FROM `tabAudit Items`
WHERE parent = `tabMy Audits`.name
AND (user_id = {frappe.db.escape(user)} OR email = {frappe.db.escape(user)})
(
status != 'Draft'
AND EXISTS (
SELECT name
FROM `tabAudit Items`
WHERE parent = `tabMy Audits`.name
AND (
user_id = {frappe.db.escape(user)}
OR email = {frappe.db.escape(user)}
)
)
)
""")

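Review bot: The new `status != 'Draft'` guard is written twice in the other-users branch of get_data — once around the SOL-ID subquery and again around the Audit Items EXISTS — and, provided perm_conds is still OR-joined as the removed Audit Member branch did with `' OR '.join(perm_conds)` and nothing else in it must stay visible for drafts, a single guard around the joined group, `conditions.append(f"(status != 'Draft' AND ({' OR '.join(perm_conds)}))")`, would state it once and mirror how my_audits.py groups the pending/responded check under one status test. Where perm_conds is initialised and joined, and the start of get_data, are outside this hunk. Note also that `status` is unqualified here while the subquery already uses `` `tabMy Audits`.name ``; if the report query ever joins a second table that has a status column, qualifying it as `` `tabMy Audits`.status `` avoids an ambiguous-column error.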
6 changes: 3 additions & 3 deletions audit_management/audit_management/utils.py
Expand Up @@ -29,7 +29,7 @@ def update_audit_aging(doc):
end_date = getdate(doc.modified) if doc.status == "Closed" else getdate(nowdate())

doc.aging = get_working_days(start_date, end_date)

def get_user_allowed_divisions(user=None):
"""
Fetch all divisions user can access.
Expand Down Expand Up @@ -57,7 +57,7 @@ def get_user_allowed_divisions(user=None):
settings = frappe.get_single("Audit Management Settings")

if not getattr(settings, "division_permissions", None):
return list(allowed_divisions)
return [d for d in allowed_divisions if d]

# Add mapped divisions
for row in settings.division_permissions:
Expand All @@ -67,4 +67,4 @@ def get_user_allowed_divisions(user=None):
):
allowed_divisions.add(row.allowed_division)

return list(allowed_divisions)
return [d for d in allowed_divisions if d]
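Review bot: The docstring of get_user_allowed_divisions (`Fetch all divisions user can access.`) no longer describes the return value now that both exits filter with `[d for d in allowed_divisions if d]`; add a line such as `Empty or None division names are dropped from the result.` so callers that build `IN (...)` lists from it know a blank entry can never reach the query. The two exits repeat the same comprehension; filtering once at the point where `row.allowed_division` is added to the set, or naming the filter in a small private helper, would keep the two return paths from drifting apart. The body between the two hunks and the function's early-return logic are outside this view.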