CustomPermission

Database-stored permission override.

Allows admins to override code-first permissions with database rules.
Evaluated in the RbacPermissionAdapter alongside Meta.permissions.

Evaluation Priority:
1. Explicit DENY rules are checked first (deny wins)
2. If no deny, explicit ALLOW rules are checked
3. If no explicit rule, fall back to code-first Meta.permissions

Attributes:
for_user: Optional user ID this rule applies to
for_role: Optional role name this rule applies to
doctype_name: The DocType this permission applies to ("*" for all)
action: The action (read, write, create, delete, submit, etc.)
effect: Whether to ALLOW or DENY the permission
enabled: Whether this rule is active
priority: Rule priority (higher = evaluated first)
description: Human-readable description of why this rule exists
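
The evaluation order described above, as an added sketch; it is not the project's custom_permission.py or RbacPermissionAdapter code. The `Rule` stand-in, the enum values, the matching semantics for `for_user`/`for_role`, and the use of `priority` only to choose which matching rule is reported are assumptions, and the sample rules are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class PermissionEffect(Enum):  # member values are assumed
    ALLOW = "allow"
    DENY = "deny"

@dataclass
class Rule:  # hypothetical stand-in for one CustomPermission row
    doctype_name: str
    action: str
    effect: PermissionEffect
    for_user: Optional[str] = None
    for_role: Optional[str] = None
    enabled: bool = True
    priority: int = 0
    description: Optional[str] = None

def matches(rule, user, roles, doctype, action):
    # Assumption: if both for_user and for_role are set, both must match.
    return (rule.enabled
            and rule.doctype_name in ("*", doctype)
            and rule.action == action
            and rule.for_user in (None, user)
            and (rule.for_role is None or rule.for_role in roles))

def evaluate(rules, user, roles, doctype, action, code_first_allowed):
    """Return (allowed, deciding_rule); deciding_rule is None on fallback."""
    hits = sorted((r for r in rules if matches(r, user, roles, doctype, action)),
                  key=lambda r: r.priority, reverse=True)
    # 1. any matching DENY wins, 2. otherwise any matching ALLOW grants
    for effect, allowed in ((PermissionEffect.DENY, False),
                            (PermissionEffect.ALLOW, True)):
        for rule in hits:
            if rule.effect is effect:
                return allowed, rule
    # 3. no explicit rule: the code-first Meta.permissions result decides
    return code_first_allowed, None

# Constructed sample rules
RULES = [
    Rule("Invoice", "delete", PermissionEffect.ALLOW, for_user="u-17",
         priority=100, description="temporary cleanup access"),
    Rule("*", "delete", PermissionEffect.DENY, for_role="Contractor",
         priority=1, description="contractors never delete"),
    Rule("Invoice", "read", PermissionEffect.DENY, for_role="Auditor",
         enabled=False),
]
```

Under this reading, a low-priority wildcard DENY still overrides a high-priority user-specific ALLOW, and a disabled rule is ignored, so the request falls through to the code-first result.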

Source: custom_permission.py

Fields

| Field | Type | Required | Description | Validators |
|---|---|---|---|---|
| for_user | str | None | User ID this rule applies to (None = all users) | |
| for_role | str | None | Role name this rule applies to (None = all roles) | |
| doctype_name | str | | DocType name or '*' for all DocTypes | - |
| action | str | | Action: read, write, create, delete, submit, cancel, amend | - |
| effect | PermissionEffect | | Whether to allow or deny this permission | - |
| enabled | bool | | Whether this rule is active | - |
| priority | int | | Rule priority (higher = evaluated first) | - |
| description | str | None | Why this rule exists (for audit) | |

Permissions

| Role | Create | Delete | Read | Write |
|---|---|---|---|---|
| Admin | | | | |
| System | | | | |

Configuration

| Setting | Value |
|---|---|
| Submittable | False |
| Track Changes | True |

Controller

Controller hooks are implemented in *_controller.py files. Available lifecycle hooks:

  • validate() - Called before save, raise exceptions for validation errors
  • before_insert() - Called before inserting a new document
  • after_insert() - Called after successfully inserting
  • before_save() - Called before saving (insert or update)
  • after_save() - Called after saving
  • before_delete() - Called before deleting
  • after_delete() - Called after deleting