authorMarius Balteanu <marius.balteanu@zitec.com>2023-12-22 02:08:53 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2023-12-22 02:08:53 +0000
commitc17b42509b2a79e53d19facfa00fcc16ec401cf9 (patch)
treebf1b7b3f3f35d34448129b0c35e387cb0d78f23a /config/routes.rb
parentcb10b529cb4c7413abc1c8b5390f549b38a1220a (diff)
downloadredmine-c17b42509b2a79e53d19facfa00fcc16ec401cf9.tar.gz
redmine-c17b42509b2a79e53d19facfa00fcc16ec401cf9.zip
Fixes attachments functionality for (custom) plugins broken since fix for CVE-2022-44030 by adding a dynamic routing constraint which can be modified by plugins (#39862).
Patch by @jkraemer. git-svn-id: https://svn.redmine.org/redmine/trunk@22551 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'config/routes.rb')
-rw-r--r--config/routes.rb4
1 files changed, 3 insertions, 1 deletions
diff --git a/config/routes.rb b/config/routes.rb
index 6176fdfae..12be7b3ec 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -317,7 +317,9 @@ Rails.application.routes.draw do
get 'attachments/download/:id', :to => 'attachments#download', :id => /\d+/
get 'attachments/thumbnail/:id(/:size)', :to => 'attachments#thumbnail', :id => /\d+/, :size => /\d+/, :as => 'thumbnail'
resources :attachments, :only => [:show, :update, :destroy]
- constraints object_type: /(issues|versions|news|messages|wiki_pages|projects|documents|journals)/ do
+
+ # register plugin object types with ObjectTypeConstraint.register_object_type(PluginModel.name.underscore.pluralize')
+ constraints Redmine::Acts::Attachable::ObjectTypeConstraint do
get 'attachments/:object_type/:object_id/edit', :to => 'attachments#edit_all', :as => :object_attachments_edit
patch 'attachments/:object_type/:object_id', :to => 'attachments#update_all', :as => :object_attachments
get 'attachments/:object_type/:object_id/download', :to => 'attachments#download_all', :as => :object_attachments_download
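Review bot: The comment added above `constraints Redmine::Acts::Attachable::ObjectTypeConstraint do` has a stray `'` before its closing parenthesis and does not say what registering a type exposes. The fixed allowlist regex is replaced by a registry that plugins can extend, so every registered type becomes reachable through `attachments#edit_all`, `attachments#update_all` and `attachments#download_all`. I would word it as `# Plugins register object types with ObjectTypeConstraint.register_object_type(PluginModel.name.underscore.pluralize).` followed by `# A registered type is served by the edit_all/update_all/download_all routes below, so its model must enforce attachment permissions.` The constraint class is defined outside this hunk, so it is worth confirming that it compares `object_type` for exact equality with the registered names, since the old segment regex was effectively anchored by the router. The `do` block itself continues past the hunk's last line.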