19 commits

Author SHA1 Message Date
Shrihari Mahabal
7e45db4cec fix: invalidate user invitation if already accepted 2026-04-29 19:20:47 +05:30
Aarol D'Souza
0122b49ef6
Merge pull request #37554 from AarDG10/refactor-password
refactor(user): misc. fixes and refactors
2026-04-09 11:26:33 +05:30
Safwan Samsudeen
8fe9996e30 fix: allow setting chunk size from site settings 2026-03-10 13:03:07 +05:30
AarDG10
6885bf8a64 refactor: return link only when used internally
Restrict _reset_password() for internal use. Return link when used as an internal func, whitelisted method to be used otherwise, when resetting password.

Co-authored-by: Ankush Menat <ankushmenat@gmail.com>
2026-03-09 12:08:08 +05:30
Ritvik Sardana
35e0a18007 chore: code cleanup 2026-02-26 15:08:12 +05:30
Ritvik Sardana
bd32237fa5 fix: use hooks to get allowed fields in the API 2026-02-26 13:43:32 +05:30
Ritvik Sardana
c23d188fbf fix: add **args param to add invite with app specific fields 2026-02-26 12:51:07 +05:30
Elton Lobo
86e38ecade
fix: invitation user relation (#33603)
* fix(user-invitation): unlink user from invitations on delete

* fix(user-invitation): disallow inviting disabled users

* style(user-invitation): format code

* test(user-invitation): correct tests after invitation user relation fix

* test(user-invitation): add invite by email api's disabled user test

* docs(user-invitation): mention disabled users processing

* refactor(user-invitation): add `User invitation` doctype to `ignore_links_on_delete`

* Revert "refactor(user-invitation): add `User invitation` doctype to `ignore_links_on_delete`"

This reverts commit a70e4800c8182ea562b28a65239c82e1bed5e612.
2025-08-14 16:26:23 +05:30
Elton Lobo
6d1008933f
feat: add user invitation doctype & related public methods (#33308)
* feat: add user invitation doctype & related public methods

* style(user-invitation): execute formatters & add semgrep comments

* refactor(user-invitation): use `is` to compare `None` values

* fix(user-invitation): skip fetching `after_accept` for default app

* fix(user-invitation): translate email templates

* fix(user-invitation): return pending invites from invite by email api

* refactor(user-invitation): improve code quality

* fix(user-invitation): translate all error messages

* refactor(user-invitation): improve security & readability

Improvements:
- move invite expiration check to `daily_maintenance`
- explicitly import all of the used packages
- specify methods for all security-critical endpoints
- improve error messages and give them suitable titles
- remove unnecessary utility functions
- make invitation key management secure
- translate all of the subjects of the sent emails
- use the `app_title` hook to create email titles
- commit the work done after each iteration of the background invitation
  expiry checker
- restructure code to improve readability
- use `user.reset_password` to generate the target link
- use clear long names to name identifiers
- add document states with relevant colors (User Invitation doctype)
- defer `sendmail` emails whenever possible
- send an email to the invitation creator instead of the invitee after
  the invite has expired
- remove `User Invitation Manager` role

* fix(user-invitation): use valid emails to test doctype & related code

* feat(user-invitation): support adding multiple roles

* refactor(user-invitation): mark relevant fields `set only once`

* feat(user-invitation): add `Cancelled` status

* test(user-invitation): correct broken tests

* test(user-invitation): form valid f-strings & run code formatter

* feat(user-invitation): make doctype usable from desk

* fix(user-invitation): remove delete permission from invitation doctype

* feat(user-invitation): pass user inserted info to `after_accept` hook

* refactor(user-invitation): improve custom action methods & errors

Improvements:
- trigger actions only when the invitation is in the `Pending` state
- use lowercase letters to start error messages
- handle cases where `user_invitation_hook` is not defined

* refactor(user-invitation): remove site name from email templates

* docs(user-invitation): add internal documentation

* feat(user-invitation): add 'get pending' & cancel invites apis

* fix(user-invitation): make invitation app specific

* refactor(user-invitation): avoid mixing function programming

* fix(user-invitation): make apis usable for app specific valid users

* fix(user-invitation): allow app specific invites

* feat(user-invitation): make list view & permission checks app specific

* refactor(user-invitation): convert class methods to static when possible

* feat(user-invitation): add `app_only_for` method to the doc

* fix(user-invitation): f-string syntax error in `get_permission_query_conditions`

* docs(user-invitation): add examples & improve the internal doc

* refactor: rename method name

static_ is unnecessary
only_for doesn't make sense in this context when arguments are not roles

* fix: Support POST request too

We don't follow REST semantics 100%, anything that modifies something
should ideally be doable with POST too.

* chore: cap

* fix: Avoid ignore_permissions as user arg

---------

Co-authored-by: Ankush Menat <ankush@frappe.io>
2025-07-28 16:25:53 +05:30
Ankush Menat
071e269548 fix!: Switch to creation as default sort order 2024-03-27 11:18:28 +05:30
Hussain Nagaria
8d2137c265 docs: consistent doc strings 2023-12-18 18:27:39 +05:30
Ankush Menat
c55dcc439e
feat: max_file_size configurable from system settings (#22384)
also increase default max_file_size from 10MB to 25MB
2023-09-13 13:33:36 +05:30
Raffael Meyer
6ea739e4cf
refactor(File): explicitly import utils (#22143) 2023-08-23 11:08:22 +05:30
Ankush Menat
4d048cd651 fix: type hint for image view
closes https://github.com/frappe/frappe/issues/19426
2023-01-02 11:50:25 +05:30
Gavin D'souza
029a1fc902 chore: Remove loose types from fn definitions 2022-12-15 13:47:05 +05:30
Gavin D'souza
2327a56abc fix(File): Correct acceptable types in APIs
- Allow str types for start, page_length in page_length API
- Allow str, list[dict] file_list in move_file API
2022-12-15 13:47:05 +05:30
Ankush Menat
81b37cb7d2
refactor: clean up code to py310 supported features (#17367)
refactor: clean up code to py39+ supported syntax

- f-strings instead of format
- latest typing support instead of pre 3.9 TitleCase
- remove UTF-8 declarations.
- many more changes

Powered by https://github.com/asottile/pyupgrade/ + manual cleanups
2022-07-01 11:51:05 +05:30
Gavin D'souza
8db6bf48f6 fix(linting): Sort imports 2022-04-18 18:17:40 +05:30
Gavin D'souza
59e45a2e2f refactor: File APIs
Restructured and moved most APIs under frappe.core.api.file namespace.
Changed some obvious security gaps (like using get_list instead of
get_all for an endpoint), styled, added type hints and made minor performance
enhancements.

Changes
* download_file API
    * Move API to handler.py
    * Check for permissions via File.is_downloadable instead
* Moved APIs to new namespace: `frappe.core.api.file`
* Backwards compatibility
    * Added APIs to override_whitelisted_methods to maintain existing
      client endpoints
    * Imported APIs to controller's namespace to avoid breaking external
      app usages
2022-03-15 19:39:47 +05:30