How can we restrict attachments if it's set to private?

Hi there, hope everyone is doing great.

As you can see, I have uploaded 2 files, one as public and one as private, but when a user opens the documents he can see both the public and private files. Is there any option to restrict the user to see only public and not private files? Thank you for your time and assistance.

Hi @Mubasher:

“Private” means that files are not accessible without login.

Basically, anyone logged in who gets access to the doctype will get access to the attached documents too. Maybe it could be managed with permission over File Doctype but you will need to add some logic to that.

Hope this helps.

In the File doctype it's working fine, I set it to "only if creator", but let's say I attach a file in an Opportunity document and set it to private: anybody who has access to the Opportunity can view it. This is the issue @avc

My requirements are:
In Opportunity, if it's set to private, it can only be accessible to the person who uploaded it.
So in the File doctype it's working fine, only the owner can see the documents, but in other documents it's accessible to all even if set to private.

Hi @Mubasher :

Actually, this is not the purpose of the “Private” option.

Form uses frappe.model.docinfo that returns all the files, without considering permission over the file document.

This get_attachments method on load.py is the key, get_all doesn’t check perms.

Bug? I don’t know, you will find thousands of different use cases. Maybe it could be added as DocType option “Consider permission for attachments”.

For now, I think you’ll need to customize.

Possible (and dirty) approach:

  • Use client script to hide attachments sidebar with $(".form-attachments").hide()
  • Add a child table to show the “permitted” files.
  • Add a button to attach file “manually”

Hope this helps.

Edit: related: “private_files accessible to all user despite permission control” (Issue #28086, frappe/frappe on GitHub)
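
The gap discussed in this thread (the attachment list is built without a per-file permission check), shown as an added example that is not part of any post above and is not Frappe's code. It is a plain-Python model with no Frappe import: the sample rows, the function names and the owner-only rule are assumptions taken from the requirement stated in the question.

```python
# Added illustration: plain-Python model, no Frappe import. Field names
# (name, file_url, is_private, owner) mirror the File doctype; the sample
# rows and the owner-only rule are constructed for this example.

# Constructed sample: File rows attached to one Opportunity.
SAMPLE_FILES = [
    {"name": "f1", "file_url": "/files/brochure.pdf", "is_private": 0,
     "owner": "alice@example.com"},
    {"name": "f2", "file_url": "/private/files/quote.pdf", "is_private": 1,
     "owner": "alice@example.com"},
    {"name": "f3", "file_url": "/private/files/notes.pdf", "is_private": 1,
     "owner": "bob@example.com"},
]


def owner_only_private(row, user):
    """Rule asked for in the thread: a private file is visible to its uploader only."""
    return not row["is_private"] or row["owner"] == user


def list_attachments_unchecked(rows):
    """Models the behaviour described above: every attached file is returned."""
    return [r["name"] for r in rows]


def list_attachments_checked(rows, user, can_read=owner_only_private):
    """Return only the files `user` may read; deny when the check itself fails."""
    visible = []
    for row in rows:
        try:
            allowed = bool(can_read(row, user))
        except Exception:
            allowed = False  # a broken or incomplete row must not expose the file
        if allowed:
            visible.append(row["name"])
    return visible


if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(who, list_attachments_checked(SAMPLE_FILES, who))
```

On a real site, `can_read` is where the site's own File permission check would be called.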

Yes, I can say it's a bug, so I am trying to control it through the server side. I'm trying to get a solution; if not, then a child table for attachments is the best approach for now.