Defect #26705
closedUnable to download file if custom field is not defined as visible to any users
0%
Description
Even if my user account has all available roles (and is also an administrator), i am not able to download custom field file, unless custom field is configured as visible to any users.
I am getting a "403 - You are not authorized to access this page." error page when i am trying to download file (either from issue or custom query).
It does not occur when i add file as issue attachment.
My (bitnami) environment is :
Environment: Redmine version 3.4.2.stable Ruby version 2.3.4-p301 (2017-03-30) [x86_64-linux] Rails version 4.2.8 Environment production Database adapter Mysql2 SCM: Subversion 1.9.5 Cvs 1.12.13 Git 2.7.4 Filesystem Redmine plugins: hide_journal_details 0.0.2 redmine_contacts 4.1.1 redmine_issue_templates 0.1.7
The production.log file :
Started GET "/attachments/@@@/@@@" for @@@.@@@.@@@.@@@ at 2017-08-16 16:11:05 +0000 Processing by AttachmentsController#show as HTML Parameters: {"id"=>"@@@", "filename"=>"@@@"} Current user: @@@ (id=@@@) Rendered common/error.html.erb within layouts/base (1.2ms) Rendered plugins/redmine_contacts/app/views/contacts_issues/_additional_assets.html.erb (1.1ms) Rendered plugins/redmine_contacts/app/views/common/_contacts_select2_data.html.erb (0.4ms) Filter chain halted as :read_authorize rendered or redirected Completed 403 Forbidden in 57ms (Views: 35.7ms | ActiveRecord: 10.2ms)
Related issues
Updated by Go MAEDA over 7 years ago
- Status changed from New to Confirmed
I confirmed the problem.
This is due to source:tags/3.4.2/app/models/custom_value.rb#L46. attachments_visible?
method checks the return value of IssueCustomField#visible
. But it always returns false by design when "Visible" setting of the custom field is other than "to any users".
def attachments_visible?(user)
visible? && customized && customized.visible?(user)
end
Updated by Toshi MARUYAMA about 7 years ago
- Related to Feature #6719: File format for custom fields (specific file uploads) added
Updated by Jean-Philippe Lang about 7 years ago
- Target version changed from 3.4.3 to 3.4.4
Updated by Jean-Philippe Lang almost 7 years ago
- Status changed from Confirmed to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Fix committed, thanks for pointing this out.