fix: secure bulk transaction (backport #45386) (#45425)

Co-authored-by: Raffael Meyer <14891507+barredterra@users.noreply.github.com>
fix: secure bulk transaction (#45386)

erpnext/accounts/doctype/purchase_invoice/purchase_invoice_list.js

@@ -45,12 +45,16 @@ frappe.listview_settings["Purchase Invoice"] = {
 	},
 
 	onload: function (listview) {
-		listview.page.add_action_item(__("Purchase Receipt"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Purchase Invoice", "Purchase Receipt");
-		});
+		if (frappe.model.can_create("Purchase Receipt")) {
+			listview.page.add_action_item(__("Purchase Receipt"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Purchase Invoice", "Purchase Receipt");
+			});
+		}
 
-		listview.page.add_action_item(__("Payment"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Purchase Invoice", "Payment Entry");
-		});
+		if (frappe.model.can_create("Payment Entry")) {
+			listview.page.add_action_item(__("Payment"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Purchase Invoice", "Payment Entry");
+			});
+		}
 	},
 };

erpnext/accounts/doctype/sales_invoice/sales_invoice_list.js

@@ -32,12 +32,16 @@ frappe.listview_settings["Sales Invoice"] = {
 	right_column: "grand_total",
 
 	onload: function (listview) {
-		listview.page.add_action_item(__("Delivery Note"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Sales Invoice", "Delivery Note");
-		});
+		if (frappe.model.can_create("Delivery Note")) {
+			listview.page.add_action_item(__("Delivery Note"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Sales Invoice", "Delivery Note");
+			});
+		}
 
-		listview.page.add_action_item(__("Payment"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Sales Invoice", "Payment Entry");
-		});
+		if (frappe.model.can_create("Payment Entry")) {
+			listview.page.add_action_item(__("Payment"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Sales Invoice", "Payment Entry");
+			});
+		}
 	},
 };

erpnext/buying/doctype/purchase_order/purchase_order_list.js

@@ -51,16 +51,22 @@ frappe.listview_settings["Purchase Order"] = {
 			listview.call_for_selected_items(method, { status: "Submitted" });
 		});
 
-		listview.page.add_action_item(__("Purchase Invoice"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Purchase Order", "Purchase Invoice");
-		});
+		if (frappe.model.can_create("Purchase Invoice")) {
+			listview.page.add_action_item(__("Purchase Invoice"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Purchase Order", "Purchase Invoice");
+			});
+		}
 
-		listview.page.add_action_item(__("Purchase Receipt"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Purchase Order", "Purchase Receipt");
-		});
+		if (frappe.model.can_create("Purchase Receipt")) {
+			listview.page.add_action_item(__("Purchase Receipt"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Purchase Order", "Purchase Receipt");
+			});
+		}
 
-		listview.page.add_action_item(__("Advance Payment"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Purchase Order", "Payment Entry");
-		});
+		if (frappe.model.can_create("Payment Entry")) {
+			listview.page.add_action_item(__("Advance Payment"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Purchase Order", "Payment Entry");
+			});
+		}
 	},
 };

erpnext/buying/doctype/supplier_quotation/supplier_quotation_list.js

@@ -11,12 +11,20 @@ frappe.listview_settings["Supplier Quotation"] = {
 	},
 
 	onload: function (listview) {
-		listview.page.add_action_item(__("Purchase Order"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Supplier Quotation", "Purchase Order");
-		});
+		if (frappe.model.can_create("Purchase Order")) {
+			listview.page.add_action_item(__("Purchase Order"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Supplier Quotation", "Purchase Order");
+			});
+		}
 
-		listview.page.add_action_item(__("Purchase Invoice"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Supplier Quotation", "Purchase Invoice");
-		});
+		if (frappe.model.can_create("Purchase Invoice")) {
+			listview.page.add_action_item(__("Purchase Invoice"), () => {
+				erpnext.bulk_transaction_processing.create(
+					listview,
+					"Supplier Quotation",
+					"Purchase Invoice"
+				);
+			});
+		}
 	},
 };

erpnext/selling/doctype/quotation/quotation_list.js

@@ -12,13 +12,17 @@ frappe.listview_settings["Quotation"] = {
 			};
 		}
 
-		listview.page.add_action_item(__("Sales Order"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Quotation", "Sales Order");
-		});
+		if (frappe.model.can_create("Sales Order")) {
+			listview.page.add_action_item(__("Sales Order"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Quotation", "Sales Order");
+			});
+		}
 
-		listview.page.add_action_item(__("Sales Invoice"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Quotation", "Sales Invoice");
-		});
+		if (frappe.model.can_create("Sales Invoice")) {
+			listview.page.add_action_item(__("Sales Invoice"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Quotation", "Sales Invoice");
+			});
+		}
 	},
 
 	get_indicator: function (doc) {

erpnext/selling/doctype/sales_order/sales_order_list.js

@@ -60,16 +60,22 @@ frappe.listview_settings["Sales Order"] = {
 			listview.call_for_selected_items(method, { status: "Submitted" });
 		});
 
-		listview.page.add_action_item(__("Sales Invoice"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Sales Order", "Sales Invoice");
-		});
+		if (frappe.model.can_create("Sales Invoice")) {
+			listview.page.add_action_item(__("Sales Invoice"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Sales Order", "Sales Invoice");
+			});
+		}
 
-		listview.page.add_action_item(__("Delivery Note"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Sales Order", "Delivery Note");
-		});
+		if (frappe.model.can_create("Delivery Note")) {
+			listview.page.add_action_item(__("Delivery Note"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Sales Order", "Delivery Note");
+			});
+		}
 
-		listview.page.add_action_item(__("Advance Payment"), () => {
-			erpnext.bulk_transaction_processing.create(listview, "Sales Order", "Payment Entry");
-		});
+		if (frappe.model.can_create("Payment Entry")) {
+			listview.page.add_action_item(__("Advance Payment"), () => {
+				erpnext.bulk_transaction_processing.create(listview, "Sales Order", "Payment Entry");
+			});
+		}
 	},
 };

erpnext/stock/doctype/delivery_note/delivery_note_list.js

@@ -63,16 +63,20 @@ frappe.listview_settings["Delivery Note"] = {
 			}
 		};
 
-		// doclist.page.add_actions_menu_item(__('Create Delivery Trip'), action, false);
+		if (frappe.model.can_create("Delivery Trip")) {
+			doclist.page.add_action_item(__("Create Delivery Trip"), action);
+		}
 
-		doclist.page.add_action_item(__("Create Delivery Trip"), action);
+		if (frappe.model.can_create("Sales Invoice")) {
+			doclist.page.add_action_item(__("Sales Invoice"), () => {
+				erpnext.bulk_transaction_processing.create(doclist, "Delivery Note", "Sales Invoice");
+			});
+		}
 
-		doclist.page.add_action_item(__("Sales Invoice"), () => {
-			erpnext.bulk_transaction_processing.create(doclist, "Delivery Note", "Sales Invoice");
-		});
-
-		doclist.page.add_action_item(__("Packaging Slip From Delivery Note"), () => {
-			erpnext.bulk_transaction_processing.create(doclist, "Delivery Note", "Packing Slip");
-		});
+		if (frappe.model.can_create("Packing Slip")) {
+			doclist.page.add_action_item(__("Packaging Slip From Delivery Note"), () => {
+				erpnext.bulk_transaction_processing.create(doclist, "Delivery Note", "Packing Slip");
+			});
+		}
 	},
 };

erpnext/utilities/bulk_transaction.py

@@ -8,6 +8,9 @@ from frappe.utils import get_link_to_form, today
 
 @frappe.whitelist()
 def transaction_processing(data, from_doctype, to_doctype):
+	frappe.has_permission(from_doctype, "read", throw=True)
+	frappe.has_permission(to_doctype, "create", throw=True)
+
 	if isinstance(data, str):
 		deserialized_data = json.loads(data)
 	else: