fix: Show authorized private attachments in web forms by marination · Pull Request #32177 · frappe/frappe · GitHub

fix: Show authorized private attachments in web forms #32177


Merged
merged 1 commit into from
Apr 25, 2025

Conversation

marination
Collaborator
@marination marination commented Apr 16, 2025

Issue

  • A website user can only ever see public attachments in a webform even if they have read access to the record and attachments
  • Here is an issue with some public and private attachments
    [screenshot]
  • The portal user can only see public attachments because that's hard coded in the web form's context formation logic
    [screenshot]

Fix

Assuming "Apply document permissions" is unchecked in the webform

  • The portal user can only see public attachments if they don't have access to the webform doctype via role perms
    [screenshot]
  • The portal user can see both public and private attachments if they have role perm access to the webform doctype (File permissions are used)
    [screenshot]

Context/Setup:

  • Submitted Web form records are visible only if the web form has login_required checked
  • Use the "Issue" webform for instance: have Login Required, Allow multiple responses, Show attachments and Show list checked
  • Create a Website user with role "Customer" (this user does not have desk access)
  • Have the website user create a bunch of issues via <sitename>/issues/list
  • Have system users add a bunch of private and public attachments to an issue

@marination marination requested a review from barredterra April 25, 2025 09:26
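
The visibility rule from the PR description above, modeled as an added example (it is not the PR's diff or Frappe's own code). The class and function names, the role table and the sample files are hypothetical, and only the case with "Apply document permissions" unchecked is covered:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attachment:
    file_name: str
    is_private: bool

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

# Constructed sample data: roles that hold read permission on each doctype.
ROLE_READ_PERMS = {"Issue": frozenset({"Customer", "Support Team"})}

def has_role_read(user, doctype):
    """True if any of the user's roles grants read on the doctype.
    Unknown doctypes fail closed (no access)."""
    return bool(user.roles & ROLE_READ_PERMS.get(doctype, frozenset()))

def can_read_file(user, doctype, att):
    """Simplified stand-in for a file permission check (an assumption):
    public files are readable by anyone who can open the record, private
    files need role read access on the parent doctype."""
    return (not att.is_private) or has_role_read(user, doctype)

def attachments_before_fix(user, doctype, attachments):
    """Behaviour the PR reports: the filter is hard coded to public files,
    so the user's permissions are never consulted."""
    return [a.file_name for a in attachments if not a.is_private]

def attachments_after_fix(user, doctype, attachments):
    """Behaviour the PR describes: each file passes a permission check."""
    return [a.file_name for a in attachments if can_read_file(user, doctype, a)]

# Constructed sample attachments on one Issue record.
FILES = [
    Attachment("screenshot.png", is_private=False),
    Attachment("internal-notes.pdf", is_private=True),
]
CUSTOMER = User("portal@example.com", frozenset({"Customer"}))
NO_PERM = User("other@example.com", frozenset({"Website User"}))

if __name__ == "__main__":
    for user in (CUSTOMER, NO_PERM):
        print(user.name,
              "before:", attachments_before_fix(user, "Issue", FILES),
              "after:", attachments_after_fix(user, "Issue", FILES))
```

The two assertions worth keeping as regression tests are that a user without role access never receives a private file name, and that an unknown doctype yields public files only.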
Collaborator
@barredterra barredterra left a comment

LGTM

@barredterra barredterra merged commit 2a75c27 into frappe:develop Apr 25, 2025
23 checks passed
@barredterra barredterra added the backport version-15-hotfix Backport the PR to v15 label Apr 25, 2025
mergify bot pushed a commit that referenced this pull request Apr 25, 2025
marination added a commit that referenced this pull request Apr 25, 2025
…-32177

fix: Show authorized private attachments in web forms (backport #32177)
frappe-pr-bot pushed a commit that referenced this pull request Apr 29, 2025
# [15.67.0](v15.66.1...v15.67.0) (2025-04-29)

### Bug Fixes

* Avoid unnecessary version logs for int PK ([9ac0b20](9ac0b20))
* **Comment:** logic for update notification ([2052de9](2052de9))
* create custom field when doctype is changed ([fc25eb8](fc25eb8))
* do not create version for virtual fields ([177009f](177009f))
* ensure workflow state field is created post-validation ([26a0b41](26a0b41))
* error on group by ([1e82ca4](1e82ca4))
* **get_events:** Pass date objects instead of string ([a4590fa](a4590fa))
* handle snapshot isolation errors better (copy [#32318](#32318)) ([#32326](#32326)) ([00e73f9](00e73f9))
* **load:** Don't fetch Dynamic Link titles if missing doctype ([a6613fc](a6613fc))
* middle dot and margin ([#32285](#32285)) ([98339bb](98339bb))
* Module not found error for custom doctypes ([e2dc772](e2dc772))
* prevent updating first_responded_on on automated message ([100540e](100540e))
* recorder with replica (backport [#32280](#32280)) ([#32281](#32281)) ([4ecad4f](4ecad4f))
* remove unnecessary clear_cache call ([22b5f0d](22b5f0d))
* **safe_exec:** add get_content_hash ([#32265](#32265)) ([7155c25](7155c25))
* Show authorized private attachments in web forms ([#32177](#32177)) ([5496229](5496229))
* sync translations from crowdin ([#32216](#32216)) ([976ca2f](976ca2f))

### Features

* publish comment from desk (backport [#32256](#32256)) ([#32284](#32284)) ([354843a](354843a))
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 10, 2025