updated permission for anonymous poll

The-Commit-Company · Apr 1, 2024 · c7b0232 · c7b0232
1 parent ab15acb
commit c7b0232
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/raven/hooks.py b/raven/hooks.py
@@ -214,6 +214,7 @@
 permission_query_conditions = {
 	"Raven Channel": "raven.permissions.raven_channel_query",
 	"Raven Message": "raven.permissions.raven_message_query",
+    "Raven Poll Vote": "raven.permissions.raven_poll_vote_query",
 }
 
 has_permission = {

diff --git a/raven/permissions.py b/raven/permissions.py
@@ -142,3 +142,16 @@ def raven_message_query(user):
       but needed for security since we do not want users to be able to view messages from channels they are not a member of
     """
 	return f"`tabRaven Message`.owner = {frappe.db.escape(user)}"
+
+
+def raven_poll_vote_query(user):
+	if not user:
+		user = frappe.session.user
+
+	"""
+	  Only show votes created by the user using a WHERE clause
+
+	  Hence, we are adding a WHERE clause to the query - this is inconsequential since we will never use the standard get_list query for Raven Poll Vote,
+	  but needed for security since we do not want users to be able to view votes from polls they did not vote for
+	"""
+	return f"`tabRaven Poll Vote`.owner = {frappe.db.escape(user)}"