Merge remote-tracking branch 'upstream/version-12' into version-12

Author: developmentforpeople

.eslintrc

@@ -140,6 +140,7 @@
 		"Cypress": true,
 		"cy": true,
 		"it": true,
+		"describe": true,
 		"expect": true,
 		"context": true,
 		"before": true,

.travis.yml

@@ -52,9 +52,7 @@ install:
   - cd ~
   - source ./.nvm/nvm.sh
   - nvm install v8.10.0
-
-  - git clone https://github.com/frappe/bench --depth 1
-  - pip install -e ./bench
+  - pip install -U frappe-bench --only-binary='all'
 
   - bench init frappe-bench --skip-assets --python $(which python) --frappe-path $TRAVIS_BUILD_DIR
 

frappe/__init__.py

@@ -23,7 +23,7 @@
 	reload(sys)
 	sys.setdefaultencoding("utf-8")
 
-__version__ = '12.17.0'
+__version__ = '12.19.0'
 __title__ = "Frappe Framework"
 
 local = Local()
@@ -1559,6 +1559,23 @@ def safe_eval(code, eval_globals=None, eval_locals=None):
 		"round": round
 	}
 
+	UNSAFE_ATTRIBUTES = {
+		# Generator Attributes
+		"gi_frame", "gi_code",
+		# Coroutine Attributes
+		"cr_frame", "cr_code", "cr_origin",
+		# Async Generator Attributes
+		"ag_code", "ag_frame",
+		# Traceback Attributes
+		"tb_frame", "tb_next",
+		# Format Attributes
+		"format", "format_map",
+	}
+
+	for attribute in UNSAFE_ATTRIBUTES:
+		if attribute in code:
+			throw('Illegal rule {0}. Cannot use "{1}"'.format(bold(code), attribute))
+
 	if '__' in code:
 		throw('Illegal rule {0}. Cannot use "__"'.format(bold(code)))
 

frappe/app.py

@@ -185,8 +185,20 @@ def handle_exception(e):
 	response = None
 	http_status_code = getattr(e, "http_status_code", 500)
 	return_as_message = False
-
-	if frappe.get_request_header('Accept') and (frappe.local.is_ajax or 'application/json' in frappe.get_request_header('Accept')):
+	accept_header = frappe.get_request_header("Accept") or ""
+	respond_as_json = (
+		frappe.get_request_header('Accept')
+		and (frappe.local.is_ajax or 'application/json' in accept_header)
+		or (
+			frappe.local.request.path.startswith("/api/") and not accept_header.startswith("text")
+		)
+	)
+
+	if frappe.conf.get('developer_mode'):
+		# don't fail silently
+		print(frappe.get_traceback())
+
+	if respond_as_json:
 		# handle ajax responses first
 		# if the request is ajax, send back the trace or error message
 		response = frappe.utils.response.report_error(http_status_code)

frappe/auth.py

@@ -209,7 +209,10 @@ def authenticate(self, user = None, pwd = None):
 			self.fail(_('Incomplete login details'), user=user)
 
 		# Ignore password check if tmp_id is set, 2FA takes care of authentication.
-		validate_password = not bool(frappe.form_dict.get('tmp_id'))
+		tmp_id = bool(frappe.form_dict.tmp_id)
+		enabled = cint(frappe.db.get_single_value('System Settings', 'enable_two_factor_auth', cache=True))
+		# if tmp_id is set and 2FA is enabled, skip validation by password
+		validate_password = not (tmp_id and enabled)
 		user = User.find_by_credentials(user, pwd, validate_password=validate_password)
 
 		if not user:

frappe/change_log/v12/v12_18_0.md

@@ -0,0 +1,21 @@
+## Version 12.18.0 Release Notes
+
+### Fixes & Enhancements
+
+- Moving Site folder across different FileSystems failed ([#13033](https://github.com/frappe/frappe/pull/13033))
+- Revert naming for custom naming series ([#13178](https://github.com/frappe/frappe/pull/13178))
+- Show delete button on portal if user has permission to delete document ([#13183](https://github.com/frappe/frappe/pull/13183))
+- Conditionally hide grid Add Row & Add Multiple buttons ([#12960](https://github.com/frappe/frappe/pull/12960))
+- Grid Form buttons Insert Above, Insert Below not hidden when can… ([#12906](https://github.com/frappe/frappe/pull/12906))
+- Do not skip data in save while using shortcut ([#13181](https://github.com/frappe/frappe/pull/13181))
+- Multi currency in print view shows same currency symbol ([#12569](https://github.com/frappe/frappe/pull/12569))
+- Reverting of series with a variable ([#12811](https://github.com/frappe/frappe/pull/12811))
+- Grid Form buttons Insert Above, Insert Below not hidden when can… ([#12931](https://github.com/frappe/frappe/pull/12931))
+- Check if same value is set to avoid unnecessary change triggers ([#12963](https://github.com/frappe/frappe/pull/12963))
+- Default values were not triggering change event ([#12975](https://github.com/frappe/frappe/pull/12975))
+- Preload URLs breaking for external requests ([#13058](https://github.com/frappe/frappe/pull/13058))
+- Forward message action in communication form view not working ([#12800](https://github.com/frappe/frappe/pull/12800))
+- Redirect Web Form user directly to success URL, if no amount is due ([#12661](https://github.com/frappe/frappe/pull/12661))
+- Check if response contains signature before setting ([#13185](https://github.com/frappe/frappe/pull/13185))
+- Replace parseFloat by Number ([#13011](https://github.com/frappe/frappe/pull/13011))
+- Only allow user's attachments to show in attachments tree ([#12822](https://github.com/frappe/frappe/pull/12822))

frappe/change_log/v12/v12_19_0.md

@@ -0,0 +1,14 @@
+## Version 12.19.0 Release Notes
+
+### Fixes & Enhancements
+
+- Refresh form section while refreshing the field ([#13355](https://github.com/frappe/frappe/pull/13355))
+- Check for 2FA is enabled or not ([#13455](https://github.com/frappe/frappe/pull/13455))
+- Tooltip displays correct title (backport #13346) ([#13354](https://github.com/frappe/frappe/pull/13354))
+- Expose limited methods of json module ([#13253](https://github.com/frappe/frappe/pull/13253))
+- ci: Update Sider config ([#13332](https://github.com/frappe/frappe/pull/13332))
+- auto_repeat field check while loading customize form ([#13350](https://github.com/frappe/frappe/pull/13350))
+- Restrict access to python's internal attributes ([#13383](https://github.com/frappe/frappe/pull/13383))
+- Respond to /api requests as JSON by default (backport #13028) ([#13408](https://github.com/frappe/frappe/pull/13408))
+- CSS bug on print format rtl layout ([#13299](https://github.com/frappe/frappe/pull/13299))
+- Check if salutation already exists in email body ([#13196](https://github.com/frappe/frappe/pull/13196))

frappe/commands/site.py

@@ -513,7 +513,7 @@ def move(dest_dir, site):
 		site_dump_exists = os.path.exists(final_new_path)
 		count = int(count or 0) + 1
 
-	os.rename(old_path, final_new_path)
+	shutil.move(old_path, final_new_path)
 	frappe.destroy()
 	return final_new_path
 

frappe/core/doctype/file/file.py

@@ -947,10 +947,18 @@ def validate_filename(filename):
 
 @frappe.whitelist()
 def get_files_in_folder(folder):
-	return frappe.db.get_all('File',
+	attachment_folder = frappe.db.get_value('File',
+		'Home/Attachments',
+		['name', 'file_name', 'file_url', 'is_folder', 'modified'],
+		as_dict=1
+	)
+	files = frappe.db.get_list('File',
 		{ 'folder': folder },
 		['name', 'file_name', 'file_url', 'is_folder', 'modified']
 	)
+	if folder == 'Home' and attachment_folder not in files:
+		files.insert(0, attachment_folder)
+	return files
 
 def update_existing_file_docs(doc):
 	# Update is private and file url of all file docs that point to the same file

frappe/core/doctype/file/test_file.py

@@ -8,7 +8,7 @@
 import os
 import unittest
 from frappe import _
-from frappe.core.doctype.file.file import move_file
+from frappe.core.doctype.file.file import move_file, get_files_in_folder
 from frappe.utils import get_files_path
 # test_records = frappe.get_test_records('File')
 
@@ -390,3 +390,61 @@ def test_parent_directory_validation_in_file_url(self):
 		file1.reload()
 		file1.file_url = '/private/files/parent_dir2.txt'
 		file1.save()
+
+
+class TestAttachmentsAccess(unittest.TestCase):
+
+	def test_attachments_access(self):
+
+		frappe.set_user('test4@example.com')
+		self.attached_to_doctype, self.attached_to_docname = make_test_doc()
+
+		frappe.get_doc({
+			"doctype": "File",
+			"file_name": 'test_user.txt',
+			"attached_to_doctype": self.attached_to_doctype,
+			"attached_to_name": self.attached_to_docname,
+			"content": 'Testing User'
+		}).insert()
+
+		frappe.get_doc({
+			"doctype": "File",
+			"file_name": "test_user_home.txt",
+			"content": 'User Home',
+		}).insert()
+
+		frappe.set_user('test@example.com')
+
+		frappe.get_doc({
+			"doctype": "File",
+			"file_name": 'test_system_manager.txt',
+			"attached_to_doctype": self.attached_to_doctype,
+			"attached_to_name": self.attached_to_docname,
+			"content": 'Testing System Manager'
+		}).insert()
+
+		frappe.get_doc({
+			"doctype": "File",
+			"file_name": "test_sm_home.txt",
+			"content": 'System Manager Home',
+		}).insert()
+
+		system_manager_files = [file.file_name for file in get_files_in_folder('Home')]
+		system_manager_attachments_files = [file.file_name for file in get_files_in_folder('Home/Attachments')]
+
+		frappe.set_user('test4@example.com')
+		user_files = [file.file_name for file in get_files_in_folder('Home')]
+		user_attachments_files = [file.file_name for file in get_files_in_folder('Home/Attachments')]
+
+		self.assertIn('test_sm_home.txt', system_manager_files)
+		self.assertNotIn('test_sm_home.txt', user_files)
+		self.assertIn('test_user_home.txt', system_manager_files)
+		self.assertIn('test_user_home.txt', user_files)
+
+		self.assertIn('test_system_manager.txt', system_manager_attachments_files)
+		self.assertNotIn('test_system_manager.txt', user_attachments_files)
+		self.assertIn('test_user.txt', system_manager_attachments_files)
+		self.assertIn('test_user.txt', user_attachments_files)
+
+		frappe.set_user('Administrator')
+		frappe.db.rollback()