fix(security): Make all Prepared Report file attachments private

frappe/core/doctype/prepared_report/prepared_report.py

@@ -85,7 +85,8 @@ def create_json_gz_file(data, dt, dn):
 		"file_name": json_filename,
 		"attached_to_doctype": dt,
 		"attached_to_name": dn,
-		"content": compressed_content
+		"content": compressed_content,
+		"is_private": 1
 	})
 	_file.save(ignore_permissions=True)
 

frappe/patches.txt

@@ -257,3 +257,4 @@ frappe.patches.v12_0.setup_tags
 frappe.patches.v12_0.update_auto_repeat_status_and_not_submittable
 frappe.patches.v12_0.copy_to_parent_for_tags
 frappe.patches.v12_0.create_notification_settings_for_user
+frappe.patches.v11_0.make_all_prepared_report_attachments_private

frappe/patches/v11_0/make_all_prepared_report_attachments_private.py

@@ -0,0 +1,10 @@
+from __future__ import unicode_literals
+import frappe
+
+
+def execute():
+	files = frappe.get_all("File", filters={"attached_to_doctype": "Prepared Report", "is_private": 0})
+	for file_name in files:
+		file_doc = frappe.get_doc("File", file_name)
+		file_doc.is_private = 1
+		file_doc.save()