git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2692 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/0.9.0
@@ -17,7 +17,7 @@ | |||
class AttachmentsController < ApplicationController | |||
before_filter :find_project | |||
before_filter :read_authorize, :except => :destroy | |||
before_filter :file_readable, :read_authorize, :except => :destroy | |||
before_filter :delete_authorize, :only => :destroy | |||
verify :method => :post, :only => :destroy | |||
@@ -64,6 +64,11 @@ private | |||
render_404 | |||
end | |||
# Checks that the file exists and is readable | |||
def file_readable | |||
@attachment.readable? ? true : render_404 | |||
end | |||
def read_authorize | |||
@attachment.visible? ? true : deny_access | |||
end |
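Review bot: In the new filter line, `file_readable` runs ahead of `read_authorize`, so a request for an attachment the caller is not allowed to see answers with a 404 when the file is missing on disk but with `deny_access` when it is present, which lets an unauthenticated client tell the two states apart. Swapping the order keeps the response uniform for unauthorized requests and still has `@attachment` set by `find_project` before either check: `before_filter :read_authorize, :file_readable, :except => :destroy`. The `render_404` at the top of the second hunk is presumably the tail of `find_project`, whose body starts outside the hunk.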
@@ -126,6 +126,11 @@ class Attachment < ActiveRecord::Base | |||
self.filename =~ /\.(patch|diff)$/i | |||
end | |||
# Returns true if the file is readable | |||
def readable? | |||
File.readable?(diskfile) | |||
end | |||
private | |||
def sanitize_filename(value) | |||
# get only the filename, not the whole path |
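Review bot: `File.readable?(diskfile)` also returns true for a readable directory, so a `diskfile` that resolves to a directory would pass the new check and only fail once something downstream tries to send it; `File.file?(diskfile) && File.readable?(diskfile)` restricts the predicate to a regular file. The comment could also state what is being checked, e.g. `# Returns true if the attachment's file exists on disk and is readable by the server process`. `sanitize_filename` continues outside the hunk.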
@@ -23,8 +23,8 @@ class AttachmentsController; def rescue_action(e) raise e end; end | |||
class AttachmentsControllerTest < Test::Unit::TestCase | |||
fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :attachments, | |||
:versions, :wiki_pages, :wikis | |||
fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :trackers, :attachments, | |||
:versions, :wiki_pages, :wikis, :documents | |||
def setup | |||
@controller = AttachmentsController.new | |||
@@ -84,6 +84,11 @@ class AttachmentsControllerTest < Test::Unit::TestCase | |||
assert_equal 'application/x-ruby', @response.content_type | |||
end | |||
def test_download_missing_file | |||
get :download, :id => 2 | |||
assert_response 404 | |||
end | |||
def test_anonymous_on_private_private | |||
get :download, :id => 7 | |||
assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdownload%2F7' |