From d838da51ddf3dcc74a883b43567e941eb5ba453e Mon Sep 17 00:00:00 2001
From: Ankush Menat <ankush@frappe.io>
Date: Tue, 30 Jan 2024 20:29:19 +0530
Subject: [PATCH] fix: short circuit private files perm check

For guest users there's no point in checking permissions, they'll eventually fail... instead just fail immediately.
---
 frappe/utils/response.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/frappe/utils/response.py b/frappe/utils/response.py
index 9fe10545d1..5be201499b 100644
--- a/frappe/utils/response.py
+++ b/frappe/utils/response.py
@@ -265,6 +265,9 @@ def download_backup(path):
 def download_private_file(path: str) -> Response:
 	"""Checks permissions and sends back private file"""
 
+	if frappe.session.user == "Guest":
+		raise Forbidden(_("You don't have permission to access this file"))
+
 	files = frappe.get_all("File", filters={"file_url": path}, fields="*")
 	# this file might be attached to multiple documents
 	# if the file is accessible from any one of those documents