Default File Setting to Private

Does anyone know if there is a way to change the behavior of file uploads to default to private instead of public? Our install and usage has many more private files than public ones.

3 Likes

@James_Robertson

Please try setting the default as 0 in the customise form.

Where would I set that? This is a screen shot of the is_private check box on the file doctype form.

I am having the same issue. It used to be private by default but now the checkbox has changed to public.
Not sure how to fix this issue?!?!

@ArundhatiS - any more thoughts on this? I am not sure of next steps per your suggestion and my initial reply with screen shot.

I went ahead and opened a git issue for this.

https://github.com/frappe/erpnext/issues/9102

1 Like

If I upload a file as a “Public” file, this means that anyone on the internet with a link can see it!

For this specific matter, perhaps the dialog that pops up once the user has clicked the Attach+ link for uploading should involve these radio button options (aside from the Browse and link paste field):
Public (Web)
Internal Public (All users of ERPNext)
Private (Only user who uploaded image)
At this point, the user should be able to select individual users to share with (read, write share inheritance) or a Role or Groups of roles that can use it. I know this is convoluted in a sense, but with security it is crucial.

There are two Github issues on this.
#9102
#9116

My only concern is the last option. Private should be linked to the document that the attachment was added to. If you are in a role that gives you rights on the document, then you should be able to “manage” that file (delete, update, view, print).

Thinking about this some more, maybe a new security role feature is in order - attachments (view, edit). Then an admin can allow a user to see a document, but not its attachments, or to see them only, but you can’t edit them. This would be useful in HR employee as an example. Employee can see his/her employee record, but no attachments related to it (e.g. their employee “file”), or everyone in the company can see perm level 0 information on the employee record, but again no attachments. HR users and managers would be able to see perm level 1+ and attachments.

1 Like

You are right, the Private option is exclusively linked to the document that the attachment is added to. Only the uploader has rights to manage the file, including individual shares.

This security role is a solid idea.

2 Likes

I opened up

https://github.com/frappe/erpnext/issues/9127

to capture this idea. Cross linked the other ones in it too.

1 Like
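The access rules proposed in the posts above, written out as an added example (not part of the thread and not ERPNext code). It models the three visibility levels, document-linked private files and the suggested per-doctype attachment right (view, edit); all class, field and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

PUBLIC, INTERNAL, PRIVATE = "public", "internal", "private"

@dataclass
class User:
    name: Optional[str] = None                    # None models an anonymous web visitor
    doc_read: set = field(default_factory=set)    # doctypes the user may read
    attach: dict = field(default_factory=dict)    # doctype -> {"view", "edit"} (proposed right)

@dataclass
class Attachment:
    owner: str
    visibility: str
    doctype: str                                  # doctype of the document it is attached to
    shared_with: dict = field(default_factory=dict)  # user name -> {"view", "edit"}

def can_access(user, att, action="view"):
    """Return True if `user` may perform `action` ('view' or 'edit') on `att`."""
    if action not in ("view", "edit"):
        return False                              # fail closed on unknown actions
    if user.name is None:                         # guests: view only, Public (Web) only
        return action == "view" and att.visibility == PUBLIC
    if user.name == att.owner:                    # the uploader always manages the file
        return True
    if action in att.shared_with.get(user.name, set()):
        return True                               # explicit individual share
    if action == "view" and att.visibility in (PUBLIC, INTERNAL):
        return True                               # any logged-in user may view
    # Private files, and edits on any file: the user needs read access to the
    # parent document AND the matching attachment right for that doctype.
    return att.doctype in user.doc_read and action in user.attach.get(att.doctype, set())

if __name__ == "__main__":
    # Constructed sample data for the HR case described in the thread.
    hr = User("hr@example.com", {"Employee"}, {"Employee": {"view", "edit"}})
    emp = User("emp@example.com", {"Employee"})
    contract = Attachment("uploader@example.com", PRIVATE, "Employee")
    for who in (hr, emp, User()):
        print(who.name, can_access(who, contract), can_access(who, contract, "edit"))
```
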

For the item images when using “Upload Attachment” in File Manager it is a huge pain to upload like 5000 images in split amounts and keep clicking every single image in the upload form as “PUBLIC”! They go to the webshop, so all must be public. We should have either a switch that the default is public or have “select all” when uploading those. I’ve been clicking these images public while uploading for days now.

And no, the solution is not to upload via csv that all those images would be public since I need to upload them via File Manager anyway in batches.

1 Like

Hi James,

Did you get any solution for this?

Regards,
Asif

1 Like

You can force all files to be private by using the ‘after_insert’ hook.

hooks.py:

```python
doc_events = {
    "File": {
        "after_insert": "en_crm.overrides.issue.private_file_alter_insert",
    }
}
```

The function that handles the hook, in file issue.py:

```python
import frappe


def private_file_alter_insert(doc_str, method):
    # Called by the after_insert hook for every new File document
    frappe.logger().info(f"got doc before insert {doc_str.as_dict()}")
    doc_dict = doc_str.as_dict()
    # Reload the File document that was just inserted
    doc_file = frappe.get_doc(doc_dict.get("doctype"), doc_dict.get("name"))
    try:
        # Mark the file as private and save it
        doc_file.is_private = 1
        doc_file.save()
    except Exception as e:
        # The file keeps its original setting if the save fails, so log the cause
        frappe.logger().error(f"[ERROR] make image to private error: {e}")
```

Hope this helps
BR

4 Likes