From: Go MAEDA
Date: Thu, 20 Oct 2022 04:33:55 +0000 (+0000)
Subject: Merged r21907 from trunk to 5.0-stable (#37772).
X-Git-Tag: 5.0.4~18
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=df615b7047e58a5dfb236d3b011dfe1619559acc;p=redmine.git
Merged r21907 from trunk to 5.0-stable (#37772).
git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21910 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index aa8bbeec9..0af43e18c 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -219,19 +219,10 @@ class AttachmentsController < ApplicationController
 end
 def find_container
- klass =
- begin
- params[:object_type].to_s.singularize.classify.constantize
- rescue
- nil
- end
- unless klass && (klass.reflect_on_association(:attachments) || klass.method_defined?(:attachments))
- render_404
- return
- end
-
+ # object_type is constrained to valid values in routes
+ klass = params[:object_type].to_s.singularize.classify.constantize
 @container = klass.find(params[:object_id])
- if @container.respond_to?(:visible?) && !@container.visible?
+ unless @container.visible?
 render_403
 return
 end
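Review bot: The `constantize` call on `params[:object_type]` in `find_container` is now guarded only by a routing constraint that this hunk does not show, so the controller no longer fails closed on its own. If a route ever reaches this filter without that constraint, an unknown type would raise NameError (a 500 instead of the previous 404) and whatever class the parameter resolves to would be handed to `klass.find`; likewise `@container.visible?` now raises for a container that does not define it. Consider keeping a cheap local check, e.g. `klass = params[:object_type].to_s.singularize.classify.safe_constantize` followed by `return render_404 unless klass&.method_defined?(:attachments)`. The new comment should also name the route constraint it relies on, so the coupling is visible to whoever next edits the routes. The body of `find_container` continues past the end of the hunk.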