feat: protect attached files #31855
Merged: barredterra merged 5 commits into frappe:develop from barredterra:protect-attached-files on Mar 31, 2025
Collaborator, Author:
The semgrep failure is not related to this PR.
0xD0M1M0 reviewed Mar 27, 2025
0xD0M1M0 (Contributor) reviewed Mar 27, 2025 and left a comment:
No issues found
akhilnarang approved these changes Mar 28, 2025
mergify bot pushed a commit that referenced this pull request Mar 31, 2025

* feat: protect attached files
* fix: protection does not apply to draft documents
* chore: update descriptions
* feat: hide delete button when file is protected

(cherry picked from commit 3f5da98)

# Conflicts:
#	frappe/core/doctype/doctype/doctype.json
#	frappe/custom/doctype/customize_form/customize_form.json
barredterra added a commit that referenced this pull request Apr 8, 2025

* feat: protect attached files (#31855)
* feat: protect attached files
* fix: protection does not apply to draft documents
* chore: update descriptions
* feat: hide delete button when file is protected

(cherry picked from commit 3f5da98)

# Conflicts:
#	frappe/core/doctype/doctype/doctype.json
#	frappe/custom/doctype/customize_form/customize_form.json

* chore: resolve conflicts

---------

Co-authored-by: Raffael Meyer <14891507+barredterra@users.noreply.github.com>
frappe-pr-bot pushed a commit that referenced this pull request Apr 15, 2025

# [15.64.0](v15.63.1...v15.64.0) (2025-04-15)

### Bug Fixes

* check if user is disabled during api authentication ([ba81f14](ba81f14))
* compare lowercase keyword in global search ([#31832](#31832)) ([df0d514](df0d514))
* drop `branch_name` ([7e2c2a3](7e2c2a3))
* Event google URL field not big enough for irl data ([08e7aba](08e7aba))
* **event:** Handle month ends for repeating monthly ([d1e5c09](d1e5c09))
* **google-calendar:** Use byday variable type properly ([3829c2a](3829c2a))
* improve url validation ([#32052](#32052)) ([#32078](#32078)) ([4907ade](4907ade))
* increase failure threshold for prepared report ([#32063](#32063)) ([#32070](#32070)) ([495db3d](495db3d))
* linter config in boilerplate ([fea2139](fea2139))
* list_view_settings can be missing ([#32048](#32048)) ([8c7e860](8c7e860))
* make app installation possible again ([4d774e8](4d774e8))
* only exclude RUF001 where we're using some ambiguous characters ([42379ea](42379ea))
* Prevent duplicate ToDo creation when assigning ([dc3370b](dc3370b))
* print builder beta print option not working ([5977581](5977581))
* **push_notification:** use cstr to convert a None body to empty string ([#32056](#32056)) ([#32062](#32062)) ([9b7b44d](9b7b44d))
* remove print statement ([ebc484f](ebc484f))
* respect include filters while generating report name ([25d87bd](25d87bd))
* Show doctype name in perm check errors ([#32122](#32122)) ([#32125](#32125)) ([75cc5d1](75cc5d1))
* skip adding app to list if we can't run the permission hook ([#32134](#32134)) ([1d03333](1d03333))
* switch to ruff ([d84dda8](d84dda8))
* sync translations from crowdin ([#32012](#32012)) ([257a864](257a864))
* Use GET for get_events for notification bar ([5215f91](5215f91))
* **UX:** block inserting more than 5000 items in table ([#32127](#32127)) ([#32130](#32130)) ([8e74e4e](8e74e4e))

### Features

* ✨ adds x-priority option to email header and the frappe.sendmail function ([#31966](#31966)) ([#32089](#32089)) ([5cc38b6](5cc38b6))
* add info about pre-commit to README ([7d1b92a](7d1b92a))
* ask for branch name ([a70f2e5](a70f2e5))
* copy config files to new app ([745400f](745400f))
* create pre-commit config for new app ([d1254d3](d1254d3))
* linter workflow for new apps ([186e46d](186e46d))
* protect attached files (backport [#31855](#31855)) ([#31970](#31970)) ([15334b6](15334b6))

### Reverts

* Revert "refactor: _create_app_boilerplate" ([a924cce](a924cce))
Due to compliance regulations, receipts and business letters must be stored securely for multiple years. We want to protect against accidental or malicious deletion. E.g., we attach a PDF of a Sales Invoice when it is submitted and we are obligated to keep the PDF for 10 years.
This PR introduces a DocType-level setting called Protect Attached Files. If it is enabled, attachments on submitted documents cannot be deleted.
Regardless of protection, we still want to allow:
Thus, if the document is in draft or if it's canceled and you have the necessary role permissions for deleting it, you can also delete protected attachments.
We plan to enable this setting for numerous ERPNext DocTypes via the ERPNext Germany app.
@0xD0M1M0
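The deletion rule from the PR description above, as an added Python sketch that is not code from this PR or from Frappe. The names `Parent`, `PROTECTED_DOCTYPES`, `blocked_reason` and `delete_attachment` are hypothetical, and it assumes that draft documents always allow deletion while cancelled ones require delete permission on the parent document.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class DocStatus(IntEnum):  # Frappe's docstatus values
    DRAFT = 0
    SUBMITTED = 1
    CANCELLED = 2


@dataclass
class Parent:  # hypothetical stand-in for the document a file is attached to
    doctype: str
    docstatus: int


class ProtectedFileError(Exception):
    pass


# Constructed sample: DocTypes with "Protect Attached Files" enabled.
PROTECTED_DOCTYPES = {"Sales Invoice"}


def blocked_reason(parent: Optional[Parent], can_delete_parent: bool) -> Optional[str]:
    """Return why deletion is refused, or None if it may proceed."""
    if parent is None or parent.doctype not in PROTECTED_DOCTYPES:
        return None  # assumption: unattached files and unprotected DocTypes are out of scope
    if parent.docstatus == DocStatus.DRAFT:
        return None
    if parent.docstatus == DocStatus.CANCELLED:
        # Assumed reading: the delete permission is the one on the parent document.
        return None if can_delete_parent else "cancelled, but no delete permission on the document"
    # Submitted, or any unexpected docstatus value: fail closed.
    return "attached to a submitted document"


def delete_attachment(store: dict, file_id: str, parent: Optional[Parent], can_delete_parent: bool) -> None:
    """Server-side delete path; a hidden button in the UI is not the control."""
    reason = blocked_reason(parent, can_delete_parent)
    if reason:
        raise ProtectedFileError(f"{file_id}: {reason}")
    del store[file_id]
```

Running the same check on the server for every delete request keeps the rule in force for API calls that never render the form, where a hidden delete button has no effect.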