fix: Check private file permissions for all docs

A file may be attached to multiple documents. It's permission is decided based on the attached document's permissions. So, the permission should be checked for each document and should be allowed if atleast one document is accessible.
2019-07-29 15:42:51 +05:30 · 2019-07-29 15:42:51 +05:30 · 5fec5d7eea
commit 5fec5d7eea
parent 188ea01c55
2 changed files with 13 additions and 5 deletions
--- a/frappe/core/doctype/file/file.py
+++ b/frappe/core/doctype/file/file.py
@ -569,7 +569,7 @@ class File(NestedSet):
 			if has_permission(self, 'read'):
 				return True

-			raise frappe.PermissionError
+			return False

 	def get_extension(self):
 		'''returns split filename and extension'''
--- a/frappe/utils/response.py
+++ b/frappe/utils/response.py
@ -162,11 +162,19 @@ def download_backup(path):

 def download_private_file(path):
 	"""Checks permissions and sends back private file"""
-	try:
-		_file = frappe.get_doc("File", {"file_url": path})
-		_file.is_downloadable()

-	except frappe.PermissionError:
+	files = frappe.db.get_all('File', {'file_url': path})
+	can_access = False
+	# this file might be attached to multiple documents
+	# if the file is accessible from any one of those documents
+	# then it should be downloadable
+	for f in files:
+		_file = frappe.get_doc("File", f)
+		can_access = _file.is_downloadable()
+		if can_access:
+			break
+
+	if not can_access:
 		raise Forbidden(_("You don't have permission to access this file"))

 	return send_private_file(path.split("/private", 1)[1])