fix: validate homepage paths (backport #25409) (#25411)

* fix: validate homepage paths (cherry picked from commit d9d2943) # Conflicts: # frappe/core/doctype/role/role.json # frappe/website/path_resolver.py * fix: clear routing cache on homepage change (cherry picked from commit d758af5) # Conflicts: # frappe/tests/test_caching.py # frappe/website/router.py --------- Co-authored-by: Ankush Menat <ankush@frappe.io>
frappe · Mar 14, 2024 · ee1c8e3 · ee1c8e3
1 parent 96dcee1
commit ee1c8e3
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/frappe/core/doctype/role/role.json b/frappe/core/doctype/role/role.json
@@ -64,7 +64,7 @@
    "options": "Domain"
   },
   {
-   "description": "Route: Example \"/desk\"",
+   "description": "Route: Example \"/app\"",
    "fieldname": "home_page",
    "fieldtype": "Data",
    "label": "Home Page"
@@ -148,7 +148,7 @@
  "idx": 1,
  "index_web_pages_for_search": 1,
  "links": [],
- "modified": "2022-08-05 18:33:27.694065",
+ "modified": "2024-03-13 20:59:37.875253",
  "modified_by": "Administrator",
  "module": "Core",
  "name": "Role",
@@ -173,4 +173,4 @@
  "states": [],
  "track_changes": 1,
  "translated_doctype": 1
-}
+}
diff --git a/frappe/core/doctype/role/role.py b/frappe/core/doctype/role/role.py
@@ -3,6 +3,7 @@
 
 import frappe
 from frappe.model.document import Document
+from frappe.website.path_resolver import validate_path
 
 desk_properties = (
 	"search_bar",
@@ -31,13 +32,18 @@ def validate(self):
 			self.disable_role()
 		else:
 			self.set_desk_properties()
+		self.validate_homepage()
 
 	def disable_role(self):
 		if self.name in STANDARD_ROLES:
 			frappe.throw(frappe._("Standard roles cannot be disabled"))
 		else:
 			self.remove_roles()
 
+	def validate_homepage(self):
+		if frappe.request and self.home_page:
+			validate_path(self.home_page)
+
 	def set_desk_properties(self):
 		# set if desk_access is not allowed, unset all desk properties
 		if self.name == "Guest":

diff --git a/frappe/website/doctype/portal_settings/portal_settings.py b/frappe/website/doctype/portal_settings/portal_settings.py
@@ -3,6 +3,7 @@
 
 import frappe
 from frappe.model.document import Document
+from frappe.website.path_resolver import validate_path
 
 
 class PortalSettings(Document):
@@ -57,3 +58,7 @@ def remove_deleted_doctype_items(self):
 		for menu_item in list(self.get("menu")):
 			if menu_item.reference_doctype not in existing_doctypes:
 				self.remove(menu_item)
+
+	def validate(self):
+		if frappe.request and self.default_portal_home:
+			validate_path(self.default_portal_home)
diff --git a/frappe/website/path_resolver.py b/frappe/website/path_resolver.py
@@ -173,3 +173,8 @@ def _get():
 		return _get()
 
 	return frappe.cache().get_value("website_route_rules", _get)
+
+
+def validate_path(path: str):
+	if not PathResolver(path).is_valid_path():
+		frappe.throw(frappe._("Path {0} it not a valid path").format(frappe.bold(path)))