Set attachement permission

paddy · August 6, 2020, 7:50am

Hello,
I am looking for a solution on how to manage access (read, write/delete) to attachement in v13.
I am aware of older postings regarding similar requirements, but none of them contains a solution:

Scenario: Within a doctype (let say Project, but same for all doctypes), a user adds an attachement. As a customer has also read access to the project, sometimes it is required to hide specific attachement, so that the customer won’t see all of them.

General issue: Even if someone cannot access a doctype due to permission, he can access files directly via URL.

Any ideas on how to handle this? It feels like a very basic requirement and I am wondering, if there isn’t a solution, yet.

paddy · August 6, 2020, 2:06pm

As I understand right now, there is no build-in functionality for this.

My plan is to add a custom module for this functionality

Create new doctype “User_File_Permission_Assignment” to maintain the permission per File, User and ptype (Read, Write, …)
Enhance the default “has_permission”-method part of “Files” doctype and add lookup for a entry in the new “User_File_Permission_Assignment”.

What is the best/correct way to overwrite/ hook into the default “has_permission” method, part of “File” doctype?

TurkerTunali · August 6, 2020, 8:50pm

This may help for overriding default functionality How to override method in frappe? - #4 by revant_one

max_morais_dmm · August 6, 2020, 10:20pm

You should write a backend permission query and condition to handle that scenario

Here you have the registry in the hooks.py and also it will lead you to paths with samples of how implement that

github.com

frappe/frappe/blob/develop/frappe/hooks.py#L86


      
          
          
on_session_creation = [
          	"frappe.core.doctype.activity_log.feed.login_feed",
          	"frappe.core.doctype.user.user.notify_admin_access_to_system_manager",
          ]
          
          
on_logout = (
          	"frappe.core.doctype.session_default_settings.session_default_settings.clear_session_defaults"
          )
          
          
# permissions
          
          
permission_query_conditions = {
          	"Event": "frappe.desk.doctype.event.event.get_permission_query_conditions",
          	"ToDo": "frappe.desk.doctype.todo.todo.get_permission_query_conditions",
          	"User": "frappe.core.doctype.user.user.get_permission_query_conditions",
          	"Dashboard Settings": "frappe.desk.doctype.dashboard_settings.dashboard_settings.get_permission_query_conditions",
          	"Notification Log": "frappe.desk.doctype.notification_log.notification_log.get_permission_query_conditions",
          	"Dashboard": "frappe.desk.doctype.dashboard.dashboard.get_permission_query_conditions",
          	"Dashboard Chart": "frappe.desk.doctype.dashboard_chart.dashboard_chart.get_permission_query_conditions",
          	"Number Card": "frappe.desk.doctype.number_card.number_card.get_permission_query_conditions",

Gordon_Yeung · July 6, 2023, 2:23am

@paddy Do you have any solution for this issue?