Merge pull request #38984 from ShrihariMahabal/validate-pvt-file-access

fix: validate private file access before inserting
2026-04-29 13:42:48 +05:30 · 2026-04-29 13:42:48 +05:30 · 0eb922b05d
commit 0eb922b05d
parent 73a81e0c02 b33929cea8
1 changed files with 31 additions and 0 deletions
--- a/frappe/core/doctype/file/file.py
+++ b/frappe/core/doctype/file/file.py
@ -111,6 +111,7 @@ class File(Document):
 		self.validate_attachment_limit()
 		self.set_file_type()
 		self.validate_file_extension()
+		self.validate_private_file_access()

 		if self.is_folder:
 			return
@ -200,6 +201,36 @@ class File(Document):
 			except PermissionError:
 				frappe.throw(_("Only System Managers can make this file public."))

+	def validate_private_file_access(self):
+		"""Validate that the user has permission to access an existing private file."""
+		if not self.file_url:
+			return
+
+		existing_files = frappe.get_all(
+			"File",
+			filters={"file_url": self.file_url},
+			fields=["name", "owner", "is_private"],
+			limit=1,
+		)
+
+		if not existing_files:
+			return
+
+		existing_file = existing_files[0]
+
+		if existing_file.is_private:
+			user = frappe.session.user
+
+			if user == existing_file.owner or user == "Administrator":
+				return
+
+			existing_doc = frappe.get_doc("File", existing_file.name)
+			if not has_permission(existing_doc, "read", user=user):
+				frappe.throw(
+					_("You do not have permission to access this file"),
+					frappe.PermissionError,
+				)
+
 	def after_rename(self, *args, **kwargs):
 		for successor in self.get_successors():
 			setup_folder_path(successor, self.name)