User Permissions not applied for dashboard chart data

[fahad-bren]

Describe the bug
User Permissions are not applied correctly in Insights. Restricted users can see data they should not have access to.

To Reproduce
Steps to reproduce the behavior:

1. Set up User Permissions on a doctype so a user can only see a subset of records.
2. Create an Insights query, chart, and a dashboard that uses that doctype.
3. View the dashboard as the restricted user.
4. The user sees all records instead of only those allowed by their User Permissions.

Expected behavior
Insights should respect site User Permissions and only show data the user is allowed to see.

Screenshots

Current Problem

The restricted user sees all the records

The restricted user can apply filter values that are not permitted

Preferred Solution

The restricted user sees only the allowed records

The restricted user can only apply valid filter values

Desktop:

• OS Ubuntu 22.04 LTS
• Browser Chrome 145.0.7632.117
• Version
• frappe version-14 (14.99.3)
• erpnext version-14 (14.92.2)
• insights version-3 (3.3.1)

Additional context
User Permissions work correctly in insights develop (3.2.0-dev)

[nextchamp-saqib]

It might be due to framework version, can you check by updating to latest commit on develop branch too?

[fahad-bren]

Checked with latest commit 1860c57 and User Permission bug still persists

[nextchamp-saqib]

Let me see if I can replicate, can you share your user permission as well, the one which should apply in the above example.

[fahad-bren]

Initially,
I tested this on Issue doc with a link type custom field projects

Here's the User Permission set for this temporary user

Additionally,
I tested this on Issue doc with its link type field issue_type

Here's the User Permission set for this temporary user

[fahad-bren]

Hey @nextchamp-saqib
Were you able to replicate this problem? Let me know if you require any additional details

[nextchamp-saqib]

Wasn't able to replicate on frappe framework v15 & v16

can you run these commands in bench console and share the output query?

from insights.insights.doctype.insights_table_v3.insights_table_v3 import get_permission_query_for_table
table_name = "tabIssue Type"
print(get_permission_query_for_table(table_name))

[fahad-bren]

can you run these commands in bench console and share the output query?

select *
                        from `tabIssue Type`

insights 3.3.1 version-3
75e2a93e (HEAD -> version-3, tag: v3.3.1, upstream/version-3) chore(release): bumped to v3.3.1
75e2a93 #885