mirrors
/
redmine
mirror of https://github.com/redmine/redmine.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 199 Wiki Activity
Browse Source

Returns a 404 error when trying to view/download an attachment that can't be read from disk. 

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2692 e93f8b46-1217-0410-a6f0-8f06a7374b81
tags/0.9.0
Jean-Philippe Lang 15 years ago
parent
914ef1cb25
commit
15a14e55cd
3 changed files with 18 additions and 3 deletions
Split View Show Diff Stats
  1. 6
    1
      app/controllers/attachments_controller.rb
  2. 5
    0
      app/models/attachment.rb
  3. 7
    2
      test/functional/attachments_controller_test.rb

+ 6
- 1
app/controllers/attachments_controller.rb View File

@@ -17,7 +17,7 @@

class AttachmentsController < ApplicationController
before_filter :find_project
before_filter :read_authorize, :except => :destroy
before_filter :file_readable, :read_authorize, :except => :destroy
before_filter :delete_authorize, :only => :destroy
verify :method => :post, :only => :destroy
@@ -64,6 +64,11 @@ private
render_404
end
# Checks that the file exists and is readable
def file_readable
@attachment.readable? ? true : render_404
end
def read_authorize
@attachment.visible? ? true : deny_access
end

+ 5
- 0
app/models/attachment.rb View File

@@ -126,6 +126,11 @@ class Attachment < ActiveRecord::Base
self.filename =~ /\.(patch|diff)$/i
end
# Returns true if the file is readable
def readable?
File.readable?(diskfile)
end
private
def sanitize_filename(value)
# get only the filename, not the whole path

+ 7
- 2
test/functional/attachments_controller_test.rb View File

@@ -23,8 +23,8 @@ class AttachmentsController; def rescue_action(e) raise e end; end


class AttachmentsControllerTest < Test::Unit::TestCase
fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :attachments,
:versions, :wiki_pages, :wikis
fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :trackers, :attachments,
:versions, :wiki_pages, :wikis, :documents
def setup
@controller = AttachmentsController.new
@@ -84,6 +84,11 @@ class AttachmentsControllerTest < Test::Unit::TestCase
assert_equal 'application/x-ruby', @response.content_type
end
def test_download_missing_file
get :download, :id => 2
assert_response 404
end
def test_anonymous_on_private_private
get :download, :id => 7
assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdownload%2F7'

Write Preview
Loading…
Cancel
Save