Returns a 404 error when trying to view/download an attachment that can't be read from disk.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2692 e93f8b46-1217-0410-a6f0-8f06a7374b81

2 files changed, 11 insertions, 1 deletions

diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index 445ae3d12..92d60ee0f 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -17,7 +17,7 @@
 
 class AttachmentsController < ApplicationController
   before_filter :find_project
-  before_filter :read_authorize, :except => :destroy
+  before_filter :file_readable, :read_authorize, :except => :destroy
   before_filter :delete_authorize, :only => :destroy
   
   verify :method => :post, :only => :destroy
@@ -64,6 +64,11 @@ private
     render_404
   end
   
+  # Checks that the file exists and is readable
+  def file_readable
+    @attachment.readable? ? true : render_404
+  end
+  
   def read_authorize
     @attachment.visible? ? true : deny_access
   end
diff --git a/app/models/attachment.rb b/app/models/attachment.rb
index 97471d739..fe1d6afaa 100644
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -126,6 +126,11 @@ class Attachment < ActiveRecord::Base
     self.filename =~ /\.(patch|diff)$/i
   end
   
+  # Returns true if the file is readable
+  def readable?
+    File.readable?(diskfile)
+  end
+  
 private
   def sanitize_filename(value)
     # get only the filename, not the whole path