Set attachement permission

Hello,
I am looking for a solution on how to manage access (read, write/delete) to attachement in v13.
I am aware of older postings regarding similar requirements, but none of them contains a solution:

Scenario: Within a doctype (let say Project, but same for all doctypes), a user adds an attachement. As a customer has also read access to the project, sometimes it is required to hide specific attachement, so that the customer won’t see all of them.

General issue: Even if someone cannot access a doctype due to permission, he can access files directly via URL.

Any ideas on how to handle this? It feels like a very basic requirement and I am wondering, if there isn’t a solution, yet.

1 Like

As I understand right now, there is no build-in functionality for this.

My plan is to add a custom module for this functionality

  • Create new doctype “User_File_Permission_Assignment” to maintain the permission per File, User and ptype (Read, Write, …)
  • Enhance the default “has_permission”-method part of “Files” doctype and add lookup for a entry in the new “User_File_Permission_Assignment”.

What is the best/correct way to overwrite/ hook into the default “has_permission” method, part of “File” doctype?

This may help for overriding default functionality How to override method in frappe?

You should write a backend permission query and condition to handle that scenario

Here you have the registry in the hooks.py and also it will lead you to paths with samples of how implement that

1 Like