class AttachmentsController < ApplicationController
before_filter :find_project
- before_filter :read_authorize, :except => :destroy
+ before_filter :file_readable, :read_authorize, :except => :destroy
before_filter :delete_authorize, :only => :destroy
verify :method => :post, :only => :destroy
render_404
end
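Review bot: The new filter order on the `before_filter :file_readable, :read_authorize` line runs the on-disk readability check before the visibility check, so a caller who is not allowed to see an attachment gets `render_404` when the file is missing and `deny_access` when it is present, which lets the two cases be told apart without any read permission. Swapping the order, `before_filter :read_authorize, :file_readable, :except => :destroy`, keeps the 404 behaviour the commit adds for authorized callers while answering unauthorized ones uniformly; the `file_readable` definition in the next hunk needs no change for that. `file_readable` also presumably depends on `@attachment` being set by `find_project`, which is outside this hunk, so a one-line comment saying so above the filter would help. The filter list continues outside the hunk.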
+ # Checks that the file exists and is readable
+ def file_readable
+ @attachment.readable? ? true : render_404
+ end
+
def read_authorize
@attachment.visible? ? true : deny_access
end
self.filename =~ /\.(patch|diff)$/i
end
+ # Returns true if the file is readable
+ def readable?
+ File.readable?(diskfile)
+ end
+
private
def sanitize_filename(value)
# get only the filename, not the whole path
class AttachmentsControllerTest < Test::Unit::TestCase
- fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :attachments,
- :versions, :wiki_pages, :wikis
+ fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :trackers, :attachments,
+ :versions, :wiki_pages, :wikis, :documents
def setup
@controller = AttachmentsController.new
assert_equal 'application/x-ruby', @response.content_type
end
+ def test_download_missing_file
+ get :download, :id => 2
+ assert_response 404
+ end
+
def test_anonymous_on_private_private
get :download, :id => 7
assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdownload%2F7'