fix: dont allow querying files to website users (backport #25094) (#2…

…5700) * fix: dont allow querying files to website users (#25094) * test: create desk user in file tests * fix: dont allow querying files to website users * test: make commiting test user optional (cherry picked from commit bd66168) # Conflicts: # frappe/core/doctype/file/test_file.py # frappe/core/doctype/user/test_user.py * chore: conflicts * chore: v14 compat --------- Co-authored-by: Ankush Menat <ankush@frappe.io>
frappe · Apr 6, 2024 · da5953c · da5953c
1 parent b2608b3
commit da5953c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 37 deletions.
diff --git a/frappe/core/doctype/file/file.py b/frappe/core/doctype/file/file.py
@@ -765,10 +765,13 @@ def get_permission_query_conditions(user: str | None = None) -> str:
 	if user == "Administrator":
 		return ""
 
+	if frappe.get_cached_value("User", user, "user_type") != "System User":
+		return f""" `tabFile`.`owner` = {frappe.db.escape(user)} """
+
 	readable_doctypes = ", ".join(repr(dt) for dt in get_doctypes_with_read())
 	return f"""
 		(`tabFile`.`is_private` = 0)
-		OR (`tabFile`.`attached_to_doctype` IS NULL AND `tabFile`.`owner` = {user !r})
+		OR (`tabFile`.`attached_to_doctype` IS NULL AND `tabFile`.`owner` = {frappe.db.escape(user)})
 		OR (`tabFile`.`attached_to_doctype` IN ({readable_doctypes}))
 	"""
 

diff --git a/frappe/core/doctype/file/test_file.py b/frappe/core/doctype/file/test_file.py
@@ -664,45 +664,9 @@ def test_list_private_attachments(self):
 		self.assertNotIn("test_user_standalone.txt", system_manager_files)
 
 		self.assertIn("test_sm_attachment.txt", system_manager_attachments_files)
-		self.assertIn("test_sm_attachment.txt", user_attachments_files)
 		self.assertIn("test_user_attachment.txt", system_manager_attachments_files)
 		self.assertIn("test_user_attachment.txt", user_attachments_files)
 
-	def test_list_public_single_file(self):
-		"""Ensure that users are able to list public standalone files."""
-		frappe.set_user("test@example.com")
-		frappe.get_doc(
-			{
-				"doctype": "File",
-				"file_name": "test_public_single.txt",
-				"content": "Public single File",
-				"is_private": 0,
-			}
-		).insert()
-
-		frappe.set_user("test4@example.com")
-		files = [file.file_name for file in get_files_in_folder("Home")["files"]]
-		self.assertIn("test_public_single.txt", files)
-
-	def test_list_public_attachment(self):
-		"""Ensure that users are able to list public attachments."""
-		frappe.set_user("test@example.com")
-		self.attached_to_doctype, self.attached_to_docname = make_test_doc()
-		frappe.get_doc(
-			{
-				"doctype": "File",
-				"file_name": "test_public_attachment.txt",
-				"attached_to_doctype": self.attached_to_doctype,
-				"attached_to_name": self.attached_to_docname,
-				"content": "Public Attachment",
-				"is_private": 0,
-			}
-		).insert()
-
-		frappe.set_user("test4@example.com")
-		files = [file.file_name for file in get_files_in_folder("Home/Attachments")["files"]]
-		self.assertIn("test_public_attachment.txt", files)
-
 	def tearDown(self) -> None:
 		frappe.set_user("Administrator")
 		frappe.db.rollback()