Skip to content

feat: protect attached files (backport #31855) #31970

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
barredterra merged 3 commits into from
Apr 8, 2025
Merged

feat: protect attached files (backport #31855) #31970

barredterra merged 3 commits into from
Apr 8, 2025

Conversation

@mergify
Copy link
Contributor

@mergify mergify bot commented Mar 31, 2025

Due to compliance regulations, receipts and business letters must be stored securely for multiple years. We want to protect against accidental or malicious deletion. E. g. we attach a PDF of a Sales Invoice when it is submitted and we are obligated to keep the PDF for 10 years.

This PR introduces a DocType-level setting called Protect Attached Files. If it is enabled, attachments on submitted documents cannot be deleted.

Regardless of protection, we still want to allow:

  • deleting or modifying of draft documents
  • deleting canceled documents.

Thus, if the document is in draft or if it's canceled and you have the necessary role permissions for deleting it, you can also delete protected attachments.

We plan to enable this setting for numerous ERPNext DocTypes via the ERPNext Germany app.

@0xD0M1M0

no-docs

This is an automatic backport of pull request #31855 done by Mergify.

@barredterra @mergify
feat: protect attached files (#31855)
4b99147 
* feat: protect attached files

* fix: protection does not apply to draft documents

* chore: update descriptions

* feat: hide delete button when file is protected

(cherry picked from commit 3f5da98)

# Conflicts:
#	frappe/core/doctype/doctype/doctype.json
#	frappe/custom/doctype/customize_form/customize_form.json
@mergify mergify bot added the conflicts label Mar 31, 2025
@mergify

This comment was marked as outdated.

Sign in to view
@barredterra
Copy link
Collaborator

barredterra commented Apr 8, 2025

The Linters / Semgrep failure is not related to this PR.

@barredterra
Copy link
Collaborator

barredterra commented Apr 8, 2025

Tested, works as expected.

@barredterra barredterra enabled auto-merge (squash) April 8, 2025 19:47
@barredterra barredterra merged commit 15334b6 into version-15-hotfix Apr 8, 2025
20 of 22 checks passed
@barredterra barredterra deleted the mergify/bp/version-15-hotfix/pr-31855 branch April 8, 2025 20:24
frappe-pr-bot pushed a commit that referenced this pull request Apr 15, 2025
@frappe-bot
chore(release): Bumped to Version 15.64.0
af3c358 
# [15.64.0](v15.63.1...v15.64.0) (2025-04-15)

### Bug Fixes

* check if user is diabled during api authentication ([ba81f14](ba81f14))
* compare lowercase keyword in global search ([#31832](#31832)) ([df0d514](df0d514))
* drop `branch_name` ([7e2c2a3](7e2c2a3))
* Event google URL field not big enough for irl data ([08e7aba](08e7aba))
* **event:** Handle month ends for repeating monthly ([d1e5c09](d1e5c09))
* **google-calendar:** Use byday variable type properly ([3829c2a](3829c2a))
* improve url validation ([#32052](#32052)) ([#32078](#32078)) ([4907ade](4907ade))
* increase failure threshold for preapred report ([#32063](#32063)) ([#32070](#32070)) ([495db3d](495db3d))
* linter config in boilerplate ([fea2139](fea2139))
* list_view_settings can be missing ([#32048](#32048)) ([8c7e860](8c7e860))
* make app installation possible again ([4d774e8](4d774e8))
* only exclude RUF001 where we're using some ambiguous characters ([42379ea](42379ea))
* Prevent duplicate ToDo creation when assigning ([dc3370b](dc3370b))
* print builder beta print option not working ([5977581](5977581))
* **push_notification:** use cstr to convert a None body to empty string ([#32056](#32056)) ([#32062](#32062)) ([9b7b44d](9b7b44d))
* remove print statement ([ebc484f](ebc484f))
* respect include filters while generating report name ([25d87bd](25d87bd))
* Show doctype name in perm check errors ([#32122](#32122)) ([#32125](#32125)) ([75cc5d1](75cc5d1))
* skip adding app to list if we can't run the permission hook ([#32134](#32134)) ([1d03333](1d03333))
* switch to ruff ([d84dda8](d84dda8))
* sync translations from crowdin ([#32012](#32012)) ([257a864](257a864))
* Use GET for get_events for notification bar ([5215f91](5215f91))
* **UX:** block inserting more than 5000 items in table ([#32127](#32127)) ([#32130](#32130)) ([8e74e4e](8e74e4e))

### Features

* ✨ addes x-priority option to email header and the frappe.sendmail function ([#31966](#31966)) ([#32089](#32089)) ([5cc38b6](5cc38b6))
* add info about pre-commit to README ([7d1b92a](7d1b92a))
* ask for branch name ([a70f2e5](a70f2e5))
* copy config files to new app ([745400f](745400f))
* create pre-commit config for new app ([d1254d3](d1254d3))
* linter workflow for new apps ([186e46d](186e46d))
* protect attached files (backport [#31855](#31855)) ([#31970](#31970)) ([15334b6](15334b6))

### Reverts

* Revert "refactor: _create_app_boilerplate" ([a924cce](a924cce))
@frappe-pr-bot
Copy link
Collaborator

frappe-pr-bot commented Apr 15, 2025

🎉 This PR is included in version 15.64.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@barredterra barredterra mentioned this pull request Apr 21, 2025
Merged
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 30, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

@barredterra barredterra

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@barredterra @frappe-pr-bot