How to allow more than one role to access a private file?

Osama_Asif · March 6, 2023, 11:07am

Hello,

I want to understand what would be the best way to give access to a private file to multiple roles.

We’ve office employees uploading their information documents and they are private of course we do not want to make them public because they are sensitive.

But we want the officer manager to access them. Currently trying to open those files throws a 403 because only the uploader of the file is allowed to access it.

Thanks!

Diwas_Puri · November 9, 2023, 5:02pm

Hi

I am trying to do the same but I am getting the same error 403 like you. Did you find a way to make private files accessible to a particular role?

kevingee · November 9, 2023, 6:47pm

I don’t know about roles but you can share the file with other users and set the appropriate permissions.

Diwas_Puri · November 10, 2023, 3:47am

yes, I am aware about this feature, but I would like the files to be visible to a custom role as soon as it is uploaded as a ‘Private File’ by a separate role, just like how Administrator role can view the private files.

kevingee · November 10, 2023, 4:02am

You might want to write your custom script to check for the role and then grant permission

github.com

frappe/frappe/blob/dd86c48306216d60d0893e9cadebdcbae2247dc4/frappe/core/doctype/file/file.py#L787


      
          def on_doctype_update():
          	frappe.db.add_index("File", ["attached_to_doctype", "attached_to_name"])
          
          

          
def has_permission(doc, ptype=None, user=None):
          	user = user or frappe.session.user
          
          
	if ptype == "create":
          		return frappe.has_permission("File", "create", user=user)
          
          
	if not doc.is_private or (user != "Guest" and doc.owner == user) or user == "Administrator":
          		return True
          
          
	if doc.attached_to_doctype and doc.attached_to_name:
          		attached_to_doctype = doc.attached_to_doctype
          		attached_to_name = doc.attached_to_name
          
          
		try:
          			ref_doc = frappe.get_doc(attached_to_doctype, attached_to_name)
          		except frappe.DoesNotExistError:
          			frappe.clear_last_message()

github.com

frappe/frappe/blob/dd86c48306216d60d0893e9cadebdcbae2247dc4/frappe/core/doctype/file/file.py#L808


      
          			return False
          
          
		if ptype in ["write", "create", "delete"]:
          			return ref_doc.has_permission("write")
          		else:
          			return ref_doc.has_permission("read")
          
          
	return False
          
          

          
def get_permission_query_conditions(user: str = None) -> str:
          	user = user or frappe.session.user
          	if user == "Administrator":
          		return ""
          
          
	readable_doctypes = ", ".join(repr(dt) for dt in get_doctypes_with_read())
          	return f"""
          		(`tabFile`.`is_private` = 0)
          		OR (`tabFile`.`attached_to_doctype` IS NULL AND `tabFile`.`owner` = {user !r})
          		OR (`tabFile`.`attached_to_doctype` IN ({readable_doctypes}))
          	"""

Diwas_Puri · November 10, 2023, 6:13am

Is there no other way than to write a script? I thought there would be few checkmarks to fill and then it would be all set.