From c7b02328c8fb53327aa60df08461079f8fd3a5da Mon Sep 17 00:00:00 2001
From: Janhvi Patil
Date: Mon, 1 Apr 2024 20:23:35 +0530
Subject: [PATCH] updated permission for anonymous poll
---
 raven/hooks.py | 1 +
 raven/permissions.py | 13 +++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/raven/hooks.py b/raven/hooks.py
index 6f3c884d4..d22883209 100644
--- a/raven/hooks.py
+++ b/raven/hooks.py
@@ -214,6 +214,7 @@ permission_query_conditions = {
 "Raven Channel": "raven.permissions.raven_channel_query",
 "Raven Message": "raven.permissions.raven_message_query",
+ "Raven Poll Vote": "raven.permissions.raven_poll_vote_query",
 }
 has_permission = {
diff --git a/raven/permissions.py b/raven/permissions.py
index 8b665069a..b934d4fa4 100644
--- a/raven/permissions.py
+++ b/raven/permissions.py
@@ -142,3 +142,16 @@ def raven_message_query(user):
 but needed for security since we do not want users to be able to view messages from channels they are not a member of
 """
 return f"`tabRaven Message`.owner = {frappe.db.escape(user)}"
+
+
+def raven_poll_vote_query(user):
+ if not user:
+ user = frappe.session.user
+
+ """
+ Only show votes created by the user using a WHERE clause
+
+ Hence, we are adding a WHERE clause to the query - this is inconsequential since we will never use the standard get_list query for Raven Poll Vote,
+ but needed for security since we do not want users to be able to view votes from polls they did not vote for
+ """
+ return f"`tabRaven Poll Vote`.owner = {frappe.db.escape(user)}"
\ No newline at end of file
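Review bot: The new `"Raven Poll Vote"` entry registers only a list-query filter, and nothing in this hunk adds a matching entry to the `has_permission` dict that opens on the last context line. In Frappe, `permission_query_conditions` narrows permission-checked list queries but is not consulted when a single document is read by name. The body of `has_permission` lies outside the hunk, so this is a question rather than a finding: if it has no handler for Raven Poll Vote and a role grants read on the doctype, another user's vote could still be fetched directly, which would undo the anonymity this commit is after. Consider adding a doc-level check next to it, for example `"Raven Poll Vote": "raven.permissions.raven_poll_vote_has_permission",` (a suggested name for a new handler) that allows access only when the vote's `owner` is the session user.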
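Review bot: The triple-quoted text in `raven_poll_vote_query` sits after the `if not user:` block, so it is a discarded string expression rather than the function's docstring; move it to directly under the `def` line. Its last sentence also describes a different rule from the one enforced: the returned clause limits rows to those whose `owner` is the current user, not to polls the user voted in, so it should read along the lines of "we do not want users to be able to view votes cast by other users". This filter is the only row-level guard the commit adds, and Frappe does not apply it to `frappe.get_all` or raw SQL, so a comment such as `# Applied only to permission-checked list queries; frappe.get_all and frappe.db.sql bypass this filter` would keep later callers from relying on it by mistake. The file also now ends without a trailing newline.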