From 190e01a5f394fd787115540616e5368f408e7c06 Mon Sep 17 00:00:00 2001
From: Athul Cyriac Ajay
Date: Thu, 17 Nov 2022 11:18:20 +0530
Subject: [PATCH 1/6] fix: Force integer type in request.max_content_length
---
 frappe/app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/app.py b/frappe/app.py
index 0d7fdc1fe1..7927e834ed 100644
--- a/frappe/app.py
+++ b/frappe/app.py
@@ -112,7 +112,7 @@ def init_request(request):
 	else:
 		frappe.connect(set_admin_as_user=False)
-	request.max_content_length = frappe.local.conf.get("max_file_size") or 10 * 1024 * 1024
+	request.max_content_length = int(frappe.local.conf.get("max_file_size")) or 10 * 1024 * 1024
 	make_form_dict(request)
From 1f6f31fc972fd62b689c4c0495a98da5f9a11828 Mon Sep 17 00:00:00 2001
From: Ankush Menat
Date: Thu, 17 Nov 2022 11:21:51 +0530
Subject: [PATCH 2/6] refactor: int > cint
---
 frappe/app.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/frappe/app.py b/frappe/app.py
index 7927e834ed..fc679aa44e 100644
--- a/frappe/app.py
+++ b/frappe/app.py
@@ -21,7 +21,7 @@ from frappe import _
 from frappe.auth import SAFE_HTTP_METHODS, UNSAFE_HTTP_METHODS, HTTPRequest
 from frappe.core.doctype.comment.comment import update_comments_in_parent_after_request
 from frappe.middlewares import StaticDataMiddleware
-from frappe.utils import get_site_name, sanitize_html
+from frappe.utils import cint, get_site_name, sanitize_html
 from frappe.utils.error import make_error_snapshot
 from frappe.website.serve import get_response
@@ -112,7 +112,7 @@ def init_request(request):
 	else:
 		frappe.connect(set_admin_as_user=False)
-	request.max_content_length = int(frappe.local.conf.get("max_file_size")) or 10 * 1024 * 1024
+	request.max_content_length = cint(frappe.local.conf.get("max_file_size")) or 10 * 1024 * 1024
 	make_form_dict(request)
From 64289308575fe2a96b4045a8d9cd13631d294bb3 Mon Sep 17 00:00:00 2001
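Review bot: The `cint()` fallback on the new `request.max_content_length` line silently turns a non-numeric `max_file_size` (for example `"10MB"`) into 0 and then into the 10 MiB default, so a misconfigured site limit takes effect as the default with no signal to the operator, while a negative value would pass through as-is because it is truthy. A one-line comment would at least make the fallback deliberate: `# cint() maps a missing or non-numeric max_file_size to 0, which falls through to the 10 MiB default`. If the intent is that the limit can never be disabled or negative, an explicit `if limit <= 0` guard before the assignment is worth adding; I can't tell from the hunk whether `cint` clamps. `init_request` continues outside the hunk.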
From: Jannat Patel <31363128+pateljannat@users.noreply.github.com>
Date: Thu, 17 Nov 2022 11:39:43 +0530
Subject: [PATCH 3/6] fix: security issue in discussions component (#18903) [skip ci]
---
 frappe/website/doctype/discussion_reply/discussion_reply.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/frappe/website/doctype/discussion_reply/discussion_reply.py b/frappe/website/doctype/discussion_reply/discussion_reply.py
index 1ac62d3b7d..f4460160c1 100644
--- a/frappe/website/doctype/discussion_reply/discussion_reply.py
+++ b/frappe/website/doctype/discussion_reply/discussion_reply.py
@@ -59,4 +59,6 @@ class DiscussionReply(Document):
 @frappe.whitelist()
 def delete_message(reply_name):
-	frappe.delete_doc("Discussion Reply", reply_name, ignore_permissions=True)
+	owner = frappe.db.get_value("Discussion Reply", reply_name, "owner")
+	if owner == frappe.session.user:
+		frappe.delete_doc("Discussion Reply", reply_name)
From c658d8cb1b32a2ac3b0fa1a84040864f2db6a532 Mon Sep 17 00:00:00 2001
From: Ankush Menat
Date: Thu, 17 Nov 2022 11:50:18 +0530
Subject: [PATCH 4/6] fix: ignore unpicklable hooks (#18902)
If any custom app use import statement in hooks.py everything breaks. Hooks.py while being python file is still only supposed to be used for configuring. This PR ignores unpicklable members of hooks.py
---
 frappe/__init__.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/frappe/__init__.py b/frappe/__init__.py
index 84a27642a9..2d491ca068 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
@@ -1432,6 +1432,8 @@ def get_doc_hooks():
 @request_cache
 def _load_app_hooks(app_name: str | None = None):
+	import types
+
 	hooks = {}
 	apps = [app_name] if app_name else get_installed_apps(sort=True)
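Review bot: The new `delete_message` silently does nothing when `owner` differs from `frappe.session.user` or when the reply does not exist (`get_value` returns `None`), so a caller gets a successful response for a delete that never happened and nothing records the attempt. Raising in the other branch makes the denial explicit and auditable: `else:` / `frappe.throw(_("You are not allowed to delete this reply"), frappe.PermissionError)` (assuming `_` is imported in this file, as it is elsewhere in frappe). Dropping `ignore_permissions=True` also means `delete_doc` now enforces the DocType's delete permission on top of the owner check; that looks intended, but it should be confirmed for website users who reply through the portal and may hold no delete permission on Discussion Reply.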
@@ -1447,9 +1449,13 @@ def _load_app_hooks(app_name: str | None = None):
 			if not request:
 				raise SystemExit
 			raise
-		for key in dir(app_hooks):
+
+		def _is_valid_hook(obj):
+			return not isinstance(obj, (types.ModuleType, types.FunctionType, type))
+
+		for key, value in inspect.getmembers(app_hooks, predicate=_is_valid_hook):
 			if not key.startswith("_"):
-				append_hook(hooks, key, getattr(app_hooks, key))
+				append_hook(hooks, key, value)
 	return hooks
From f3c00c2bdcc963dc708716224d83de6b3686bf04 Mon Sep 17 00:00:00 2001
From: Sagar Vora
Date: Thu, 17 Nov 2022 07:45:35 +0000
Subject: [PATCH 5/6] perf: dont fetch meta unless required (#18907)
---
 frappe/desk/search.py    | 9 +++++++--
 frappe/model/db_query.py | 6 +++---
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/frappe/desk/search.py b/frappe/desk/search.py
index b820fabd6d..4843219179 100644
--- a/frappe/desk/search.py
+++ b/frappe/desk/search.py
@@ -206,11 +206,16 @@ def search_widget(
 		)
 		order_by = f"_relevance, {order_by}"
-	ptype = "select" if frappe.only_has_select_perm(doctype) else "read"
 	ignore_permissions = (
 		True
 		if doctype == "DocType"
-		else (cint(ignore_user_permissions) and has_permission(doctype, ptype=ptype))
+		else (
+			cint(ignore_user_permissions)
+			and has_permission(
+				doctype,
+				ptype="select" if frappe.only_has_select_perm(doctype) else "read",
+			)
+		)
 	)
 	values = frappe.get_list(
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index 3e6b8ec753..e689f91ddd 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
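Review bot: `_is_valid_hook` filters only `ModuleType`, `FunctionType` and classes, so a builtin or C-implemented callable pulled in by an `import` in hooks.py (for example `from os import getcwd`) is a `BuiltinFunctionType`, passes the predicate and still lands in `hooks`; if the cache really pickles these values, as the commit message says, that case still breaks. Because hook values are configuration, rejecting anything callable is simpler and covers it: `return not (isinstance(obj, (types.ModuleType, type)) or callable(obj))`. The predicate is also redefined on every iteration of the enclosing per-app loop; hoisting it above that loop is free. `inspect` is used but not imported in the hunk, so this relies on a module-level import outside the visible lines.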
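Review bot: The reason `only_has_select_perm(doctype)` moved inside the `has_permission(...)` call is not visible in the code, and the next maintainer may well hoist it back out "for readability" and undo the gain. A short comment above `ignore_permissions = (` would pin it: `# keep only_has_select_perm() inside the call: per the perf commit it loads the doctype's meta, so it must only run when the permission check actually runs`. `search_widget` starts before and continues after the hunk.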
@@ -455,10 +455,10 @@ class DatabaseQuery: ) def check_read_permission(self, doctype): - ptype = "select" if frappe.only_has_select_perm(doctype) else "read" - if not self.flags.ignore_permissions and not frappe.has_permission( - doctype, ptype=ptype, parent_doctype=self.doctype + doctype, + ptype="select" if frappe.only_has_select_perm(doctype) else "read", + parent_doctype=self.doctype, ): frappe.flags.error_message = _("Insufficient Permission for {0}").format(frappe.bold(doctype)) raise frappe.PermissionError(doctype) From edf01ee1cd56147b5f57cf5345f943e82f258a1d Mon Sep 17 00:00:00 2001 From: Faris Ansari Date: Thu, 17 Nov 2022 14:43:03 +0530 Subject: [PATCH 6/6] fix(file): attached_to_name can be an integer (#18909) * fix(file): attached_to_name can be an integer incorrect validation introduces via https://github.com/frappe/frappe/pull/18880 * test(file): set correct fieldname * fix: check for str, int explicitly --- frappe/core/doctype/file/file.py | 4 ++-- frappe/core/doctype/file/test_file.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/frappe/core/doctype/file/file.py b/frappe/core/doctype/file/file.py index 0e28145c9a..0c21501589 100755 --- a/frappe/core/doctype/file/file.py +++ b/frappe/core/doctype/file/file.py @@ -101,8 +101,8 @@ class File(Document): if not self.attached_to_doctype: return - if self.attached_to_name and not isinstance(self.attached_to_name, str): - frappe.throw(_("Attached To Name must be a string"), TypeError) + if not self.attached_to_name or not isinstance(self.attached_to_name, (str, int)): + frappe.throw(_("Attached To Name must be a string or an integer"), frappe.ValidationError) if not self.attached_to_field: return diff --git a/frappe/core/doctype/file/test_file.py b/frappe/core/doctype/file/test_file.py index ed97c5683d..86bd69eb5f 100644 --- a/frappe/core/doctype/file/test_file.py +++ b/frappe/core/doctype/file/test_file.py 
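Review bot: The new `isinstance(self.attached_to_name, (str, int))` check accepts `True`/`False`, because `bool` is a subclass of `int`, and the leading `not self.attached_to_name` rejects the integer name `0` with a message that says it must be a string or an integer. Excluding bools explicitly closes the first gap: `if (not self.attached_to_name or isinstance(self.attached_to_name, bool)` / `or not isinstance(self.attached_to_name, (str, int))):`. The exception also changes from `TypeError` to `frappe.ValidationError`, so any caller that caught `TypeError` from the previous revision now sees a different exception; that is probably the better type, but it belongs in the commit message. The enclosing validation method starts before and continues after the hunk.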
@@ -85,7 +85,7 @@ class TestBase64File(FrappeTestCase):
 				"doctype": "File",
 				"file_name": "test_base64.txt",
 				"attached_to_doctype": self.attached_to_doctype,
-				"attached_to_docname": self.attached_to_docname,
+				"attached_to_name": self.attached_to_docname,
 				"content": self.test_content,
 				"decode": True,
 			}