From 5fec5d7eea0b686a57da08ee3d47a11ef4f8803a Mon Sep 17 00:00:00 2001 From: Faris Ansari Date: Mon, 29 Jul 2019 15:42:51 +0530 Subject: [PATCH] fix: Check private file permissions for all docs A file may be attached to multiple documents. It's permission is decided based on the attached document's permissions. So, the permission should be checked for each document and should be allowed if atleast one document is accessible. --- frappe/core/doctype/file/file.py | 2 +- frappe/utils/response.py | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/frappe/core/doctype/file/file.py b/frappe/core/doctype/file/file.py index 8fac317100..3c3543e1dd 100755 --- a/frappe/core/doctype/file/file.py +++ b/frappe/core/doctype/file/file.py @@ -569,7 +569,7 @@ class File(NestedSet): if has_permission(self, 'read'): return True - raise frappe.PermissionError + return False def get_extension(self): '''returns split filename and extension''' diff --git a/frappe/utils/response.py b/frappe/utils/response.py index 7228e028ae..78cb3132d5 100644 --- a/frappe/utils/response.py +++ b/frappe/utils/response.py @@ -162,11 +162,19 @@ def download_backup(path): def download_private_file(path): """Checks permissions and sends back private file""" - try: - _file = frappe.get_doc("File", {"file_url": path}) - _file.is_downloadable() - except frappe.PermissionError: + files = frappe.db.get_all('File', {'file_url': path}) + can_access = False + # this file might be attached to multiple documents + # if the file is accessible from any one of those documents + # then it should be downloadable + for f in files: + _file = frappe.get_doc("File", f) + can_access = _file.is_downloadable() + if can_access: + break + + if not can_access: raise Forbidden(_("You don't have permission to access this file")) return send_private_file(path.split("/private", 1)[1])
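Review bot: Replacing `raise frappe.PermissionError` with `return False` in frappe/core/doctype/file/file.py turns this check from fail-closed into one that only protects the file if every caller tests the return value. The removed caller in frappe/utils/response.py invoked `_file.is_downloadable()` purely for its exception, so any other call site written the same way (none are visible in this patch) would now allow access silently; those call sites should be audited as part of this change. The method's `def` line lies outside the hunk (presumably `is_downloadable`). It would help to state the new contract in its docstring, for example `'''Return True if the current user may download this file, otherwise False; never raises PermissionError.'''`.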
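Review bot: In `download_private_file`, access is now granted as soon as any `File` row with a matching `file_url` passes `is_downloadable()`, so the download check is only as strong as the validation applied when `File` rows are created or edited. That validation is not visible in this patch; it is worth confirming that a user cannot save a `File` whose `file_url` points at a private file they cannot already read, and recording the assumption above the loop, e.g. `# relies on File validation: a private file_url can only be set by a user who may already read that file`. The loop itself could be written as `can_access = any(frappe.get_doc("File", f).is_downloadable() for f in files)`, which keeps the deny-by-default result for an empty `files` list and removes the mutable flag.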