##// END OF EJS Templates
jro_apps » redmine
RSS
Returns a 404 error when trying to view/download an attachment that can't be read from disk....
Jean-Philippe Lang -
r2600:15a14e55cdb9
parent child
Show More
Side by Side Unified
Context file:
r2600:15a14e55cdb9 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,74 +1,79
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2008 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class AttachmentsController < ApplicationController
19 19 before_filter :find_project
20 before_filter :read_authorize, :except => :destroy
20 before_filter :file_readable, :read_authorize, :except => :destroy
21 21 before_filter :delete_authorize, :only => :destroy
22 22
23 23 verify :method => :post, :only => :destroy
24 24
25 25 def show
26 26 if @attachment.is_diff?
27 27 @diff = File.new(@attachment.diskfile, "rb").read
28 28 render :action => 'diff'
29 29 elsif @attachment.is_text? && @attachment.filesize <= Setting.file_max_size_displayed.to_i.kilobyte
30 30 @content = File.new(@attachment.diskfile, "rb").read
31 31 render :action => 'file'
32 32 else
33 33 download
34 34 end
35 35 end
36 36
37 37 def download
38 38 if @attachment.container.is_a?(Version) || @attachment.container.is_a?(Project)
39 39 @attachment.increment_download
40 40 end
41 41
42 42 # images are sent inline
43 43 send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
44 44 :type => @attachment.content_type,
45 45 :disposition => (@attachment.image? ? 'inline' : 'attachment')
46 46
47 47 end
48 48
49 49 def destroy
50 50 # Make sure association callbacks are called
51 51 @attachment.container.attachments.delete(@attachment)
52 52 redirect_to :back
53 53 rescue ::ActionController::RedirectBackError
54 54 redirect_to :controller => 'projects', :action => 'show', :id => @project
55 55 end
56 56
57 57 private
58 58 def find_project
59 59 @attachment = Attachment.find(params[:id])
60 60 # Show 404 if the filename in the url is wrong
61 61 raise ActiveRecord::RecordNotFound if params[:filename] && params[:filename] != @attachment.filename
62 62 @project = @attachment.project
63 63 rescue ActiveRecord::RecordNotFound
64 64 render_404
65 65 end
66 66
67 # Checks that the file exists and is readable
68 def file_readable
69 @attachment.readable? ? true : render_404
70 end
71
67 72 def read_authorize
68 73 @attachment.visible? ? true : deny_access
69 74 end
70 75
71 76 def delete_authorize
72 77 @attachment.deletable? ? true : deny_access
73 78 end
74 79 end
Show file before | Show file after | Hide comments
@@ -1,152 +1,157
1 1 # redMine - project management software
2 2 # Copyright (C) 2006-2007 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require "digest/md5"
19 19
20 20 class Attachment < ActiveRecord::Base
21 21 belongs_to :container, :polymorphic => true
22 22 belongs_to :author, :class_name => "User", :foreign_key => "author_id"
23 23
24 24 validates_presence_of :container, :filename, :author
25 25 validates_length_of :filename, :maximum => 255
26 26 validates_length_of :disk_filename, :maximum => 255
27 27
28 28 acts_as_event :title => :filename,
29 29 :url => Proc.new {|o| {:controller => 'attachments', :action => 'download', :id => o.id, :filename => o.filename}}
30 30
31 31 acts_as_activity_provider :type => 'files',
32 32 :permission => :view_files,
33 33 :author_key => :author_id,
34 34 :find_options => {:select => "#{Attachment.table_name}.*",
35 35 :joins => "LEFT JOIN #{Version.table_name} ON #{Attachment.table_name}.container_type='Version' AND #{Version.table_name}.id = #{Attachment.table_name}.container_id " +
36 36 "LEFT JOIN #{Project.table_name} ON #{Version.table_name}.project_id = #{Project.table_name}.id OR ( #{Attachment.table_name}.container_type='Project' AND #{Attachment.table_name}.container_id = #{Project.table_name}.id )"}
37 37
38 38 acts_as_activity_provider :type => 'documents',
39 39 :permission => :view_documents,
40 40 :author_key => :author_id,
41 41 :find_options => {:select => "#{Attachment.table_name}.*",
42 42 :joins => "LEFT JOIN #{Document.table_name} ON #{Attachment.table_name}.container_type='Document' AND #{Document.table_name}.id = #{Attachment.table_name}.container_id " +
43 43 "LEFT JOIN #{Project.table_name} ON #{Document.table_name}.project_id = #{Project.table_name}.id"}
44 44
45 45 cattr_accessor :storage_path
46 46 @@storage_path = "#{RAILS_ROOT}/files"
47 47
48 48 def validate
49 49 if self.filesize > Setting.attachment_max_size.to_i.kilobytes
50 50 errors.add(:base, :too_long, :count => Setting.attachment_max_size.to_i.kilobytes)
51 51 end
52 52 end
53 53
54 54 def file=(incoming_file)
55 55 unless incoming_file.nil?
56 56 @temp_file = incoming_file
57 57 if @temp_file.size > 0
58 58 self.filename = sanitize_filename(@temp_file.original_filename)
59 59 self.disk_filename = Attachment.disk_filename(filename)
60 60 self.content_type = @temp_file.content_type.to_s.chomp
61 61 self.filesize = @temp_file.size
62 62 end
63 63 end
64 64 end
65 65
66 66 def file
67 67 nil
68 68 end
69 69
70 70 # Copies the temporary file to its final location
71 71 # and computes its MD5 hash
72 72 def before_save
73 73 if @temp_file && (@temp_file.size > 0)
74 74 logger.debug("saving '#{self.diskfile}'")
75 75 md5 = Digest::MD5.new
76 76 File.open(diskfile, "wb") do |f|
77 77 buffer = ""
78 78 while (buffer = @temp_file.read(8192))
79 79 f.write(buffer)
80 80 md5.update(buffer)
81 81 end
82 82 end
83 83 self.digest = md5.hexdigest
84 84 end
85 85 # Don't save the content type if it's longer than the authorized length
86 86 if self.content_type && self.content_type.length > 255
87 87 self.content_type = nil
88 88 end
89 89 end
90 90
91 91 # Deletes file on the disk
92 92 def after_destroy
93 93 File.delete(diskfile) if !filename.blank? && File.exist?(diskfile)
94 94 end
95 95
96 96 # Returns file's location on disk
97 97 def diskfile
98 98 "#{@@storage_path}/#{self.disk_filename}"
99 99 end
100 100
101 101 def increment_download
102 102 increment!(:downloads)
103 103 end
104 104
105 105 def project
106 106 container.project
107 107 end
108 108
109 109 def visible?(user=User.current)
110 110 container.attachments_visible?(user)
111 111 end
112 112
113 113 def deletable?(user=User.current)
114 114 container.attachments_deletable?(user)
115 115 end
116 116
117 117 def image?
118 118 self.filename =~ /\.(jpe?g|gif|png)$/i
119 119 end
120 120
121 121 def is_text?
122 122 Redmine::MimeType.is_type?('text', filename)
123 123 end
124 124
125 125 def is_diff?
126 126 self.filename =~ /\.(patch|diff)$/i
127 127 end
128 128
129 # Returns true if the file is readable
130 def readable?
131 File.readable?(diskfile)
132 end
133
129 134 private
130 135 def sanitize_filename(value)
131 136 # get only the filename, not the whole path
132 137 just_filename = value.gsub(/^.*(\\|\/)/, '')
133 138 # NOTE: File.basename doesn't work right with Windows paths on Unix
134 139 # INCORRECT: just_filename = File.basename(value.gsub('\\\\', '/'))
135 140
136 141 # Finally, replace all non alphanumeric, hyphens or periods with underscore
137 142 @filename = just_filename.gsub(/[^\w\.\-]/,'_')
138 143 end
139 144
140 145 # Returns an ASCII or hashed filename
141 146 def self.disk_filename(filename)
142 147 df = DateTime.now.strftime("%y%m%d%H%M%S") + "_"
143 148 if filename =~ %r{^[a-zA-Z0-9_\.\-]*$}
144 149 df << filename
145 150 else
146 151 df << Digest::MD5.hexdigest(filename)
147 152 # keep the extension if any
148 153 df << $1 if filename =~ %r{(\.[a-zA-Z0-9]+)$}
149 154 end
150 155 df
151 156 end
152 157 end
Show file before | Show file after | Hide comments
@@ -1,137 +1,142
1 1 # redMine - project management software
2 2 # Copyright (C) 2006-2008 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require File.dirname(__FILE__) + '/../test_helper'
19 19 require 'attachments_controller'
20 20
21 21 # Re-raise errors caught by the controller.
22 22 class AttachmentsController; def rescue_action(e) raise e end; end
23 23
24 24
25 25 class AttachmentsControllerTest < Test::Unit::TestCase
26 fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :attachments,
27 :versions, :wiki_pages, :wikis
26 fixtures :users, :projects, :roles, :members, :enabled_modules, :issues, :trackers, :attachments,
27 :versions, :wiki_pages, :wikis, :documents
28 28
29 29 def setup
30 30 @controller = AttachmentsController.new
31 31 @request = ActionController::TestRequest.new
32 32 @response = ActionController::TestResponse.new
33 33 Attachment.storage_path = "#{RAILS_ROOT}/test/fixtures/files"
34 34 User.current = nil
35 35 end
36 36
37 37 def test_routing
38 38 assert_routing('/attachments/1', :controller => 'attachments', :action => 'show', :id => '1')
39 39 assert_routing('/attachments/1/filename.ext', :controller => 'attachments', :action => 'show', :id => '1', :filename => 'filename.ext')
40 40 assert_routing('/attachments/download/1', :controller => 'attachments', :action => 'download', :id => '1')
41 41 assert_routing('/attachments/download/1/filename.ext', :controller => 'attachments', :action => 'download', :id => '1', :filename => 'filename.ext')
42 42 end
43 43
44 44 def test_recognizes
45 45 assert_recognizes({:controller => 'attachments', :action => 'show', :id => '1'}, '/attachments/1')
46 46 assert_recognizes({:controller => 'attachments', :action => 'show', :id => '1'}, '/attachments/show/1')
47 47 assert_recognizes({:controller => 'attachments', :action => 'show', :id => '1', :filename => 'filename.ext'}, '/attachments/1/filename.ext')
48 48 assert_recognizes({:controller => 'attachments', :action => 'download', :id => '1'}, '/attachments/download/1')
49 49 assert_recognizes({:controller => 'attachments', :action => 'download', :id => '1', :filename => 'filename.ext'},'/attachments/download/1/filename.ext')
50 50 end
51 51
52 52 def test_show_diff
53 53 get :show, :id => 5
54 54 assert_response :success
55 55 assert_template 'diff'
56 56 assert_equal 'text/html', @response.content_type
57 57 end
58 58
59 59 def test_show_text_file
60 60 get :show, :id => 4
61 61 assert_response :success
62 62 assert_template 'file'
63 63 assert_equal 'text/html', @response.content_type
64 64 end
65 65
66 66 def test_show_text_file_should_send_if_too_big
67 67 Setting.file_max_size_displayed = 512
68 68 Attachment.find(4).update_attribute :filesize, 754.kilobyte
69 69
70 70 get :show, :id => 4
71 71 assert_response :success
72 72 assert_equal 'application/x-ruby', @response.content_type
73 73 end
74 74
75 75 def test_show_other
76 76 get :show, :id => 6
77 77 assert_response :success
78 78 assert_equal 'application/octet-stream', @response.content_type
79 79 end
80 80
81 81 def test_download_text_file
82 82 get :download, :id => 4
83 83 assert_response :success
84 84 assert_equal 'application/x-ruby', @response.content_type
85 85 end
86 86
87 def test_download_missing_file
88 get :download, :id => 2
89 assert_response 404
90 end
91
87 92 def test_anonymous_on_private_private
88 93 get :download, :id => 7
89 94 assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdownload%2F7'
90 95 end
91 96
92 97 def test_destroy_issue_attachment
93 98 issue = Issue.find(3)
94 99 @request.session[:user_id] = 2
95 100
96 101 assert_difference 'issue.attachments.count', -1 do
97 102 post :destroy, :id => 1
98 103 end
99 104 # no referrer
100 105 assert_redirected_to 'projects/ecookbook'
101 106 assert_nil Attachment.find_by_id(1)
102 107 j = issue.journals.find(:first, :order => 'created_on DESC')
103 108 assert_equal 'attachment', j.details.first.property
104 109 assert_equal '1', j.details.first.prop_key
105 110 assert_equal 'error281.txt', j.details.first.old_value
106 111 end
107 112
108 113 def test_destroy_wiki_page_attachment
109 114 @request.session[:user_id] = 2
110 115 assert_difference 'Attachment.count', -1 do
111 116 post :destroy, :id => 3
112 117 assert_response 302
113 118 end
114 119 end
115 120
116 121 def test_destroy_project_attachment
117 122 @request.session[:user_id] = 2
118 123 assert_difference 'Attachment.count', -1 do
119 124 post :destroy, :id => 8
120 125 assert_response 302
121 126 end
122 127 end
123 128
124 129 def test_destroy_version_attachment
125 130 @request.session[:user_id] = 2
126 131 assert_difference 'Attachment.count', -1 do
127 132 post :destroy, :id => 9
128 133 assert_response 302
129 134 end
130 135 end
131 136
132 137 def test_destroy_without_permission
133 138 post :destroy, :id => 3
134 139 assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2Fdestroy%2F3'
135 140 assert Attachment.find_by_id(3)
136 141 end
137 142 end
General Comments 0
You need to be logged in to leave comments. Login now