| @@ -17,7 +17,7 | |||||
| 17 |
|
17 | |||
| 18 | class AttachmentsController < ApplicationController |
|
18 | class AttachmentsController < ApplicationController | |
| 19 | before_filter :find_project |
|
19 | before_filter :find_project | |
| 20 | before_filter :read_authorize, :except => :destroy |
|
20 | before_filter :file_readable, :read_authorize, :except => :destroy | |
| 21 | before_filter :delete_authorize, :only => :destroy |
|
21 | before_filter :delete_authorize, :only => :destroy | |
| 22 |
|
22 | |||
| 23 | verify :method => :post, :only => :destroy |
|
23 | verify :method => :post, :only => :destroy | |
| @@ -64,6 +64,11 private | |||||
| 64 | render_404 |
|
64 | render_404 | |
| 65 | end |
|
65 | end | |
| 66 |
|
66 | |||
|
|
67 | # Checks that the file exists and is readable | |||
|
|
68 | def file_readable | |||
|
|
69 | @attachment.readable? ? true : render_404 | |||
|
|
70 | end | |||
|
|
71 | ||||
| 67 | def read_authorize |
|
72 | def read_authorize | |
| 68 | @attachment.visible? ? true : deny_access |
|
73 | @attachment.visible? ? true : deny_access | |
| 69 | end |
|
74 | end | |
| @@ -126,6 +126,11 class Attachment < ActiveRecord::Base | |||||
| 126 | self.filename =~ /\.(patch|diff)$/i |
|
126 | self.filename =~ /\.(patch|diff)$/i | |
| 127 | end |
|
127 | end | |
| 128 |
|
128 | |||
|
|
129 | # Returns true if the file is readable | |||
|
|
130 | def readable? | |||
|
|
131 | File.readable?(diskfile) | |||
|
|
132 | end | |||
|
|
133 | ||||
| 129 | private |
|
134 | private | |
| 130 | def sanitize_filename(value) |
|
135 | def sanitize_filename(value) | |
| 131 | # get only the filename, not the whole path |
|
136 | # get only the filename, not the whole path | |
| @@ -23,8 +23,8 class AttachmentsController; def rescue_action(e) raise e end; end | |||||
| 23 |
|
23 | |||
| 24 |
|
24 | |||
| 25 | class AttachmentsControllerTest < Test::Unit::TestCase |
|
25 | class AttachmentsControllerTest < Test::Unit::TestCase | |
| 26 | fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :attachments, |
|
26 | fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :trackers, :attachments, | |
| 27 | :versions, :wiki_pages, :wikis |
|
27 | :versions, :wiki_pages, :wikis, :documents | |
| 28 |
|
28 | |||
| 29 | def setup |
|
29 | def setup | |
| 30 | @controller = AttachmentsController.new |
|
30 | @controller = AttachmentsController.new | |
| @@ -84,6 +84,11 class AttachmentsControllerTest < Test::Unit::TestCase | |||||
| 84 | assert_equal 'application/x-ruby', @response.content_type |
|
84 | assert_equal 'application/x-ruby', @response.content_type | |
| 85 | end |
|
85 | end | |
| 86 |
|
86 | |||
|
|
87 | def test_download_missing_file | |||
|
|
88 | get :download, :id => 2 | |||
|
|
89 | assert_response 404 | |||
|
|
90 | end | |||
|
|
91 | ||||
| 87 | def test_anonymous_on_private_private |
|
92 | def test_anonymous_on_private_private | |
| 88 | get :download, :id => 7 |
|
93 | get :download, :id => 7 | |
| 89 | assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdownload%2F7' |
|
94 | assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdownload%2F7' | |
General Comments 0
You need to be logged in to leave comments.
Login now