@@ -17,7 +17,7 | |||
|
17 | 17 | |
|
18 | 18 | class AttachmentsController < ApplicationController |
|
19 | 19 | before_filter :find_project |
|
20 | before_filter :read_authorize, :except => :destroy | |
|
20 | before_filter :file_readable, :read_authorize, :except => :destroy | |
|
21 | 21 | before_filter :delete_authorize, :only => :destroy |
|
22 | 22 | |
|
23 | 23 | verify :method => :post, :only => :destroy |
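Review bot: The new filter order on line 20 runs `file_readable` before `read_authorize`, so for a request the caller is not allowed to see, an attachment whose file is missing or unreadable now answers 404 while one whose file is present goes on to deny_access — an unauthenticated caller can learn whether an attachment's file exists on disk without ever being authorized. Putting the authorization filter first keeps the response for unauthorized requests independent of disk state: `before_filter :read_authorize, :file_readable, :except => :destroy`. This assumes the filters listed in one before_filter call run in the order given, which is how this Rails generation appends filters; the filter bodies themselves are outside this hunk.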
@@ -64,6 +64,11 private | |||
|
64 | 64 | render_404 |
|
65 | 65 | end |
|
66 | 66 | |
|
67 | # Checks that the file exists and is readable | |
|
68 | def file_readable | |
|
69 | @attachment.readable? ? true : render_404 | |
|
70 | end | |
|
71 | ||
|
67 | 72 | def read_authorize |
|
68 | 73 | @attachment.visible? ? true : deny_access |
|
69 | 74 | end |
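Review bot: `file_readable` on line 69 answers an unreadable disk file with a bare render_404, which makes a database/disk inconsistency (an Attachment row whose file is gone or has wrong permissions) indistinguishable from a request for a non-existent id and leaves nothing in the logs for an operator to act on. Logging before rendering keeps the response the same and makes the condition visible: `return true if @attachment.readable?`, then `logger.warn "Attachment #{@attachment.id}: file missing or unreadable on disk"`, then `render_404`. Presumably @attachment is set by find_project, which is outside this hunk.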
@@ -126,6 +126,11 class Attachment < ActiveRecord::Base | |||
|
126 | 126 | self.filename =~ /\.(patch|diff)$/i |
|
127 | 127 | end |
|
128 | 128 | |
|
129 | # Returns true if the file is readable | |
|
130 | def readable? | |
|
131 | File.readable?(diskfile) | |
|
132 | end | |
|
133 | ||
|
129 | 134 | private |
|
130 | 135 | def sanitize_filename(value) |
|
131 | 136 | # get only the filename, not the whole path |
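Review bot: `File.readable?` on line 131 returns true for any readable path, including a directory, so `readable?` would accept a diskfile that resolves to a directory and the failure would only surface later in the download action. `File.file?(diskfile) && File.readable?(diskfile)` restricts the check to regular files. The comment on line 129 could also state what is actually tested: `# Returns true if the attachment's file exists on disk and is readable by the application process`. diskfile is defined outside this hunk, so how the path is built cannot be checked here.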
@@ -23,8 +23,8 class AttachmentsController; def rescue_action(e) raise e end; end | |||
|
23 | 23 | |
|
24 | 24 | |
|
25 | 25 | class AttachmentsControllerTest < Test::Unit::TestCase |
|
26 | fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :attachments, | |
|
27 | :versions, :wiki_pages, :wikis | |
|
26 | fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :trackers, :attachments, | |
|
27 | :versions, :wiki_pages, :wikis, :documents | |
|
28 | 28 | |
|
29 | 29 | def setup |
|
30 | 30 | @controller = AttachmentsController.new |
@@ -84,6 +84,11 class AttachmentsControllerTest < Test::Unit::TestCase | |||
|
84 | 84 | assert_equal 'application/x-ruby', @response.content_type |
|
85 | 85 | end |
|
86 | 86 | |
|
87 | def test_download_missing_file | |
|
88 | get :download, :id => 2 | |
|
89 | assert_response 404 | |
|
90 | end | |
|
91 | ||
|
87 | 92 | def test_anonymous_on_private_private |
|
88 | 93 | get :download, :id => 7 |
|
89 | 94 | assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdownload%2F7' |
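Review bot: test_download_missing_file on lines 87-90 depends on fixture attachment 2 having no file on disk, and nothing in the test says so; a one-line comment such as `# attachment 2 exists in the fixtures but has no file on disk` would keep the test readable when fixtures change. The new behaviour also has no test for its interaction with authorization: a request by a user who may not see an attachment should be denied the same way whether or not its file exists, which is worth a companion test once a suitable fixture is identified. That fixture 2 is the missing-file case is inferred from the 404 assertion, not visible here.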