fix: use webform doctype rather than allowing user to pass any doctype

2022-12-05 11:56:12 +05:30 · 2022-12-05 11:56:12 +05:30 · 8e0c4ce702
commit 8e0c4ce702
parent 856d7a9f65
1 changed files with 9 additions and 8 deletions
--- a/frappe/website/doctype/web_form/web_form.py
+++ b/frappe/website/doctype/web_form/web_form.py
@ -373,19 +373,20 @@ def accept(web_form, data, docname=None):
 	files_to_delete = []

 	web_form = frappe.get_doc("Web Form", web_form)
+	doctype = web_form.doc_type

-	if data.name and not web_form.allow_edit:
+	if (data.name or docname) and not web_form.allow_edit:
 		frappe.throw(_("You are not allowed to update this Web Form Document"))

 	frappe.flags.in_web_form = True
-	meta = frappe.get_meta(data.doctype)
+	meta = frappe.get_meta(doctype)

 	if docname:
 		# update
-		doc = frappe.get_doc(data.doctype, docname)
+		doc = frappe.get_doc(doctype, docname)
 	else:
 		# insert
-		doc = frappe.new_doc(data.doctype)
+		doc = frappe.new_doc(doctype)

 	# set values
 	for field in web_form.web_form_fields:
@ -406,7 +407,7 @@ def accept(web_form, data, docname=None):
 		doc.set(fieldname, value)

 	if doc.name:
-		if web_form.has_web_form_permission(doc.doctype, doc.name, "write"):
+		if web_form.has_web_form_permission(doctype, doc.name, "write"):
 			doc.save(ignore_permissions=True)
 		else:
 			# only if permissions are present
@ -428,7 +429,7 @@ def accept(web_form, data, docname=None):

 			# remove earlier attached file (if exists)
 			if doc.get(fieldname):
-				remove_file_by_url(doc.get(fieldname), doctype=doc.doctype, name=doc.name)
+				remove_file_by_url(doc.get(fieldname), doctype=doctype, name=doc.name)

 			# save new file
 			filename, dataurl = filedata.split(",", 1)
@ -436,7 +437,7 @@ def accept(web_form, data, docname=None):
 				{
 					"doctype": "File",
 					"file_name": filename,
-					"attached_to_doctype": doc.doctype,
+					"attached_to_doctype": doctype,
 					"attached_to_name": doc.name,
 					"content": dataurl,
 					"decode": True,
@ -452,7 +453,7 @@ def accept(web_form, data, docname=None):
 	if files_to_delete:
 		for f in files_to_delete:
 			if f:
-				remove_file_by_url(f, doctype=doc.doctype, name=doc.name)
+				remove_file_by_url(f, doctype=doctype, name=doc.name)

 	frappe.flags.web_form_doc = doc
 	return doc