author | Marius Balteanu <marius.balteanu@zitec.com> | 2023-12-22 02:08:53 +0000 |
---|---|---|
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2023-12-22 02:08:53 +0000 |
commit | c17b42509b2a79e53d19facfa00fcc16ec401cf9 (patch) | |
tree | bf1b7b3f3f35d34448129b0c35e387cb0d78f23a /lib | |
parent | cb10b529cb4c7413abc1c8b5390f549b38a1220a (diff) | |
Fixes attachments functionality for (custom) plugins broken since fix for CVE-2022-44030 by adding a dynamic routing constraint which can be modified by plugins (#39862).
Patch by @jkraemer.
git-svn-id: https://svn.redmine.org/redmine/trunk@22551 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'lib')
-rw-r--r-- | lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb b/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
index 4a069980d..9c09a7870 100644
--- a/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
+++ b/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
@@ -20,6 +20,30 @@
 module Redmine
 module Acts
 module Attachable
+
+ class ObjectTypeConstraint
+ cattr_accessor :object_types
+
+ self.object_types = Concurrent::Set.new(%w[
+ issues versions news messages wiki_pages projects documents journals
+ ])
+
+ class << self
+ def matches?(request)
+ request.path_parameters[:object_type] =~ param_expression
+ end
+
+ def register_object_type(type)
+ object_types << type
+ @param_expression = nil
+ end
+
+ def param_expression
+ @param_expression ||= Regexp.new("^(#{object_types.join("|")})$")
+ end
+ end
+ end
+
 def self.included(base)
 base.extend ClassMethods
 end |
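Review bot: The pattern built in `param_expression` anchors with `^` and `$`, which in Ruby match at line boundaries rather than at the start and end of the string, so `matches?` would accept an `object_type` value that merely contains one allowed name on a line of its own. The commit message ties this constraint to the CVE-2022-44030 fix, so it should anchor on the whole string and escape the names that plugins add through `register_object_type`: `@param_expression ||= Regexp.new("\\A(#{object_types.map { |t| Regexp.escape(t) }.join('|')})\\z")`. Whether a newline can actually reach `path_parameters[:object_type]` depends on the route definitions, which are outside this diff (it is limited to `lib`). Using `match?` instead of `=~` in `matches?` would also return a plain boolean and skip the `MatchData` allocation.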