From cffcc3cf343af949ea6aaaffa2bfe121f53a6730 Mon Sep 17 00:00:00 2001
From: Akhil Narang <me@akhilnarang.dev>
Date: Thu, 28 Aug 2025 16:04:32 +0530
Subject: [PATCH] fix(web_form): allow deletion of an item if you have
 permission

Bulk delete via list doesn't work if you have access to only "some" documents as we don't pass docname when checking
Seems inefficient to check there, so implemented it here

Signed-off-by: Akhil Narang <me@akhilnarang.dev>
---
 frappe/public/js/frappe/web_form/web_form.js  | 24 +++++++++++++++++++
 .../doctype/web_form/templates/web_form.html  |  7 ++++++
 frappe/website/doctype/web_form/web_form.py   |  7 ++++++
 3 files changed, 38 insertions(+)

diff --git a/frappe/public/js/frappe/web_form/web_form.js b/frappe/public/js/frappe/web_form/web_form.js
index fb0f11bb13..5ee2c22128 100644
--- a/frappe/public/js/frappe/web_form/web_form.js
+++ b/frappe/public/js/frappe/web_form/web_form.js
@@ -30,6 +30,8 @@ export default class WebForm extends frappe.ui.FieldGroup {
 			this.setup_discard_action();
 		}
 
+		this.setup_delete_action();
+
 		this.setup_previous_next_button();
 		this.toggle_section();
 
@@ -174,6 +176,10 @@ export default class WebForm extends frappe.ui.FieldGroup {
 		$(".web-form-footer .discard-btn").on("click", () => this.discard_form());
 	}
 
+	setup_delete_action() {
+		$(".web-form-footer .delete-btn").on("click", () => this.delete_form());
+	}
+
 	discard_form() {
 		let path = window.location.href;
 		// remove new or edit after last / from url
@@ -192,6 +198,24 @@ export default class WebForm extends frappe.ui.FieldGroup {
 		return false;
 	}
 
+	delete_form() {
+		const path = window.location.href;
+		frappe.confirm(__("Are you sure you want to delete this record?"), () => {
+			frappe.call({
+				method: "frappe.website.doctype.web_form.web_form.delete",
+				args: {
+					web_form_name: this.name,
+					docname: this.doc.name,
+				},
+				callback: () => {
+					frappe.msgprint(__("Deleted!"));
+					window.location.href = path.substring(0, path.lastIndexOf("/"));
+				},
+			});
+		});
+		return false;
+	}
+
 	validate_section() {
 		if (this.allow_incomplete) return true;
 
diff --git a/frappe/website/doctype/web_form/templates/web_form.html b/frappe/website/doctype/web_form/templates/web_form.html
index 876e3d280b..e3dff6f815 100644
--- a/frappe/website/doctype/web_form/templates/web_form.html
+++ b/frappe/website/doctype/web_form/templates/web_form.html
@@ -46,6 +46,13 @@
 			<!-- submit button -->
 			<button type="submit" class="submit-btn btn btn-primary btn-sm ml-2">{{ _(button_label, context="Button in web form") or _("Submit", context="Button in web form") }}</button>
 		{% endif %}
+		{% if has_delete_permission %}
+			<!-- delete button -->
+			<button type="button" class="delete-btn btn btn-default btn-sm">
+				{{ _("Delete", context="Button in web form") }}
+			</button>
+		{% endif %}
+
 	</div>
 	{% endblock %}
 {% endmacro %}
diff --git a/frappe/website/doctype/web_form/web_form.py b/frappe/website/doctype/web_form/web_form.py
index 490d96771c..4c714c86cd 100644
--- a/frappe/website/doctype/web_form/web_form.py
+++ b/frappe/website/doctype/web_form/web_form.py
@@ -152,6 +152,9 @@ def get_context(context):
 		else:
 			context.template = "website/doctype/web_form/templates/web_form.html"
 
+		# By default, assume no delete permissions
+		context.has_delete_permission = False
+
 		# check permissions
 		if frappe.form_dict.name:
 			assert isinstance(frappe.form_dict.name, str | int)
@@ -172,6 +175,10 @@ def get_context(context):
 					_("You don't have the permissions to access this document"), frappe.PermissionError
 				)
 
+			context.has_delete_permission = frappe.has_permission(
+				self.doc_type, "delete", frappe.form_dict.name
+			)
+
 		if frappe.local.path == self.route:
 			path = f"/{self.route}/list" if self.show_list else f"/{self.route}/new"
 			frappe.redirect(path)