From 7cf3240e08dc1a4ac79b71dd053b7be836c206ae Mon Sep 17 00:00:00 2001
From: Krishna Shirsath
Date: Wed, 8 Apr 2026 14:17:53 +0530
Subject: [PATCH 1/2] fix: add permission checks for employee leave detail
---
 hrms/hr/doctype/leave_application/leave_application.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hrms/hr/doctype/leave_application/leave_application.py b/hrms/hr/doctype/leave_application/leave_application.py
index ba5ff5885b..079d98127a 100755
--- a/hrms/hr/doctype/leave_application/leave_application.py
+++ b/hrms/hr/doctype/leave_application/leave_application.py
@@ -968,6 +968,8 @@ def get_number_of_leave_days(
 @frappe.whitelist()
 def get_leave_details(employee: str, date: str | datetime.date, for_salary_slip: bool = False) -> dict:
+ frappe.has_permission("Employee", "read", employee, throw=True)
+
 allocation_records = get_leave_allocation_records(employee, date)
 leave_allocation = {}
 precision = cint(frappe.db.get_single_value("System Settings", "float_precision")) or 2
@@ -1027,6 +1029,8 @@ def get_leave_balance_on(
 if True, returns a dict eg: {'leave_balance': 10, 'leave_balance_for_consumption': 1}
 else, returns leave_balance (in this case 10)
 """
+ if frappe.request:
+ frappe.has_permission("Employee", "read", employee, throw=True)
 if not to_date:
 to_date = nowdate()
From c3867bc1cb13430b9276244034c7f458eedae38e Mon Sep 17 00:00:00 2001
From: ruthra kumar
Date: Fri, 10 Apr 2026 16:27:30 +0530
Subject: [PATCH 2/2] ci: semgrep to enforce test correctness
---
 .github/workflows/linters.yml | 5 ++++-
 semgrep/test-correctness.yml | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 semgrep/test-correctness.yml
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 35871a6fed..b7995ce4e7 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
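Review bot: The read check added at the top of get_leave_details runs unconditionally, while the equivalent check added to get_leave_balance_on in the next hunk is guarded by `if frappe.request:`; because get_leave_details also takes `for_salary_slip`, which suggests it is reached from server-side code as well, the unguarded check may now raise for an internal caller running as a session user without Employee read, which looks unintended. Either apply the same guard here or state in a comment why the whitelisted entry point must always check. The function has no docstring saying that `frappe.has_permission(..., throw=True)` raises `frappe.PermissionError`; a comment above the check such as `# employee is client-supplied: do not disclose another employee's leave balances without read access on that Employee` would make the intent clear. The body of get_leave_details continues past the end of this hunk.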
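Review bot: The `if frappe.request:` guard in get_leave_balance_on uses "an HTTP request is active" as a proxy for "the employee argument came from the client", but frappe.request is presumably also set when this function is reached indirectly from another whitelisted method or a document save inside the same request, so such callers are now checked against Employee read even when their own entry point already authorised them, and the guard only skips the check for non-request contexts like background jobs. If the intent is to protect only the direct RPC path, that should be said in a comment, since the guard is easy to misread as "only when called from the API". The docstring ends just above the new lines and should gain a line like `Raises frappe.PermissionError when called inside a request by a user without read access to the Employee.` The function's signature and the rest of its body are outside this hunk, so I cannot confirm whether it is whitelisted.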
@@ -46,4 +46,7 @@ jobs:
 run: pip install semgrep
 - name: Run Semgrep rules
- run: semgrep ci --config ./frappe-semgrep-rules/rules --config r/python.lang.correctness
\ No newline at end of file
+ run: semgrep ci --config ./frappe-semgrep-rules/rules --config r/python.lang.correctness
+
+ - name: Semgrep for Test Correctness
+ run: semgrep ci --include=**/test_*.py --config ./semgrep/test-correctness.yml
diff --git a/semgrep/test-correctness.yml b/semgrep/test-correctness.yml
new file mode 100644
index 0000000000..d6b32ed6ad
--- /dev/null
+++ b/semgrep/test-correctness.yml
@@ -0,0 +1,18 @@
+rules:
+- id: Dont-commit
+ pattern: frappe.db.commit()
+ message: Commiting inside test breaks idempotency.
+ languages: [python]
+ severity: ERROR
+- id: Implicit-commit
+ pattern: frappe.db.truncate()
+ message: DB truncation does implict commit which breaks test idempotency.
+ languages: [python]
+ severity: ERROR
+- id: Dont-override-teardown
+ pattern: |
+ def tearDown(...):
+ ...
+ message: HRMSTestSuite forces rollback on each tearDown, which ensures idempotency. Don't override tearDown.
+ languages: [python]
+ severity: ERROR
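Review bot: The new step passes the glob `--include=**/test_*.py` to the shell unquoted; bash leaves it literal only because the whole word starts with `--include=` and matches no file, which is an accident rather than a guarantee and reads as a bug to anyone maintaining the workflow. Quote it so the pattern reaches semgrep verbatim regardless of shell options: `run: semgrep ci --include='**/test_*.py' --config ./semgrep/test-correctness.yml`. The step name `Semgrep for Test Correctness` would also be easier to trace to its config if it matched the rule file name, e.g. `Semgrep test-correctness rules`.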
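Review bot: The `Implicit-commit` pattern `frappe.db.truncate()` has an empty argument list, which semgrep takes literally as a call with no arguments, so a real `frappe.db.truncate("Some DocType")` in a test would not be reported and the rule appears to never fire; `Dont-commit` has the same shape and would miss a commit call given any argument. Use the ellipsis form for both: `pattern: frappe.db.truncate(...)` and `pattern: frappe.db.commit(...)`. The messages also carry typos, `Commiting` → `Committing` and `implict` → `implicit`. Neither rule catches a commit or truncate issued through raw SQL, which is worth a comment at the top of the file so readers do not assume full coverage.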