Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/attachments_controller.rb12
-rw-r--r--app/controllers/documents_controller.rb9
-rw-r--r--app/controllers/versions_controller.rb9
3 files changed, 8 insertions, 22 deletions
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index 9ea9ac48e..07fee1269 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -17,7 +17,7 @@
class AttachmentsController < ApplicationController
layout 'base'
- before_filter :find_project, :check_project_privacy
+ before_filter :find_project
def show
if @attachment.is_diff?
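Review bot: With `check_project_privacy` dropped from the `before_filter` line, access control for every action in this controller rests on `find_project`, whose name says nothing about authorization. A comment on the filter line would make that dependency explicit, for example `# find_project also enforces the view permission for the attachment's container; keep it first and unconditional`. The class body continues outside this hunk, so whether other actions or filters rely on the removed check cannot be confirmed from here.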
@@ -32,6 +32,8 @@ class AttachmentsController < ApplicationController
end
def download
+ @attachment.increment_download if @attachment.container.is_a?(Version)
+
# images are sent inline
send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
:type => @attachment.content_type,
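Review bot: The new `download` increments the counter before `send_file` and has no rescue, whereas the two `download` actions this commit removes from DocumentsController and VersionsController rescued and rendered a 404. If the file behind `@attachment.diskfile` is missing or unreadable, the count is still bumped and the error from `send_file` presumably surfaces as a server error rather than a 404. A guard ahead of the increment would restore the old behaviour, e.g. `render_404 and return unless File.readable?(@attachment.diskfile)`. The rest of the `send_file` call lies outside this hunk.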
@@ -41,9 +43,11 @@ class AttachmentsController < ApplicationController
private
def find_project
@attachment = Attachment.find(params[:id])
- #render_404 and return false unless File.readable?(@attachment.diskfile)
@project = @attachment.project
- #rescue
- # render_404
+ permission = @attachment.container.is_a?(Version) ? :view_files : "view_#{@attachment.container.class.name.underscore.pluralize}".to_sym
+ allowed = User.current.allowed_to?(permission, @project)
+ allowed ? true : (User.current.logged? ? render_403 : require_login)
+ rescue ActiveRecord::RecordNotFound
+ render_404
end
end
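Review bot: The permission in `find_project` is built by interpolating the container's class name, so the check is only as good as the convention that every attachable class has a permission spelled exactly `view_<underscored plural class name>`. A container type without such a permission, or an attachment with no container, is not handled explicitly, and whether `allowed_to?` denies an undefined permission is not visible in this diff. An explicit guard makes the failure mode deliberate, e.g. `render_404 and return false unless @attachment.container && @project`, and a fixed class-to-permission table in place of the interpolation would keep a new container type from picking up an unintended permission. The filter also depends on `render_403`, `require_login` and `render_404` halting the chain; their definitions are outside this diff.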
diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb
index 7e732b9b6..1f0784bb2 100644
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -65,15 +65,6 @@ class DocumentsController < ApplicationController
@document.destroy
redirect_to :controller => 'documents', :action => 'index', :project_id => @project
end
-
- def download
- @attachment = @document.attachments.find(params[:attachment_id])
- @attachment.increment_download
- send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
- :type => @attachment.content_type
- rescue
- render_404
- end
def add_attachment
attachments = attach_files(@document, params[:attachments])
diff --git a/app/controllers/versions_controller.rb b/app/controllers/versions_controller.rb
index aeb802ccb..5d3393ed8 100644
--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -37,15 +37,6 @@ class VersionsController < ApplicationController
flash[:error] = "Unable to delete version"
redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
end
-
- def download
- @attachment = @version.attachments.find(params[:attachment_id])
- @attachment.increment_download
- send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
- :type => @attachment.content_type
- rescue
- render_404
- end
def destroy_file
@version.attachments.find(params[:attachment_id]).destroy