author | Go MAEDA <maeda@farend.jp> | 2022-10-20 04:33:55 +0000 |
---|---|---|
committer | Go MAEDA <maeda@farend.jp> | 2022-10-20 04:33:55 +0000 |
commit | df615b7047e58a5dfb236d3b011dfe1619559acc (patch) | |
tree | 1aee03c6c96894a50d2328eb57da1cc10b0009a3 | |
parent | eea816ae0825a3d794e650d11a3909ace772152b (diff) | |
Merged r21907 from trunk to 5.0-stable (#37772).
git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21910 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/attachments_controller.rb | 15 |
1 files changed, 3 insertions, 12 deletions
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index aa8bbeec9..0af43e18c 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -219,19 +219,10 @@ class AttachmentsController < ApplicationController
 end
 
 def find_container
- klass =
- begin
- params[:object_type].to_s.singularize.classify.constantize
- rescue
- nil
- end
- unless klass && (klass.reflect_on_association(:attachments) || klass.method_defined?(:attachments))
- render_404
- return
- end
-
+ # object_type is constrained to valid values in routes
+ klass = params[:object_type].to_s.singularize.classify.constantize
 @container = klass.find(params[:object_id])
- if @container.respond_to?(:visible?) && !@container.visible?
+ unless @container.visible?
 render_403
 return
 end |
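Review bot: In `find_container`, `params[:object_type]` now goes straight to `constantize`, and the only restriction left is the route constraint named in the new comment, which lives in another file and is not visible in this hunk. If a route without that constraint ever reaches this filter (a later routes edit or a plugin route, for instance), an unknown name would raise `NameError` rather than render 404, and `klass.find` would run against whatever class the name resolves to. A cheap local check would keep the filter safe on its own: `klass = params[:object_type].to_s.singularize.classify.safe_constantize` followed by `return render_404 unless klass&.reflect_on_association(:attachments)`. The now-unconditional `@container.visible?` also assumes every routable container defines `visible?`, so I would add a comment beside it such as `# every container type allowed by the routes implements visible?`. The method body continues past the end of the hunk.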