Defect #26705

closed

Unable to download file if custom field is not defined as visible to any users

Added by Thibault Deregnaucourt over 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Category:
Custom fields
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Even if my user account has all available roles (and is also an administrator), I am not able to download a custom field file unless the custom field is configured as visible to any users.

I am getting a "403 - You are not authorized to access this page." error page when I am trying to download the file (either from an issue or a custom query).

It does not occur when I add the file as an issue attachment.

My (Bitnami) environment is:

Environment:
  Redmine version                3.4.2.stable
  Ruby version                   2.3.4-p301 (2017-03-30) [x86_64-linux]
  Rails version                  4.2.8
  Environment                    production
  Database adapter               Mysql2
SCM:
  Subversion                     1.9.5
  Cvs                            1.12.13
  Git                            2.7.4
  Filesystem                     
Redmine plugins:
  hide_journal_details           0.0.2
  redmine_contacts               4.1.1
  redmine_issue_templates        0.1.7

The production.log file:

Started GET "/attachments/@@@/@@@" for @@@.@@@.@@@.@@@ at 2017-08-16 16:11:05 +0000
Processing by AttachmentsController#show as HTML
  Parameters: {"id"=>"@@@", "filename"=>"@@@"}
  Current user: @@@ (id=@@@)
  Rendered common/error.html.erb within layouts/base (1.2ms)
  Rendered plugins/redmine_contacts/app/views/contacts_issues/_additional_assets.html.erb (1.1ms)
  Rendered plugins/redmine_contacts/app/views/common/_contacts_select2_data.html.erb (0.4ms)
Filter chain halted as :read_authorize rendered or redirected
Completed 403 Forbidden in 57ms (Views: 35.7ms | ActiveRecord: 10.2ms)

Related issues

Related to Redmine - Feature #6719: File format for custom fields (specific file uploads) | Closed | Jean-Philippe Lang | 2010-10-21

Actions #1

Updated by Go MAEDA over 7 years ago

  • Status changed from New to Confirmed

I confirmed the problem.

This is due to source:tags/3.4.2/app/models/custom_value.rb#L46. The attachments_visible? method checks the return value of IssueCustomField#visible. But it always returns false by design when the "Visible" setting of the custom field is other than "to any users".

  def attachments_visible?(user)
    visible? && customized && customized.visible?(user)
  end
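
A stand-alone Ruby model of the check quoted above, added here as an example (it is not Redmine's code and not the committed fix). It shows why a flag-only field check returns 403 for every user of a role-restricted field, next to a per-user check that still denies a user without an allowed role. `FieldModel`, `ValueModel`, `visible_by?` as defined here, the role ids and the admin rule are assumptions.

```ruby
# Constructed model for illustration; class and method names are hypothetical,
# not Redmine's own classes.
User = Struct.new(:name, :admin, :role_ids)

class FieldModel
  # visible_flag stands for the "Visible: to any users" setting; when it is
  # false the field is limited to the listed role ids.
  def initialize(visible_flag:, role_ids: [])
    @visible_flag = visible_flag
    @role_ids = role_ids
  end

  # Global flag only: false for every role-restricted field.
  def visible?
    @visible_flag
  end

  # Per-user decision. Assumed rule: administrators and holders of an
  # allowed role may see a restricted field.
  def visible_by?(user)
    visible? || user.admin || !(user.role_ids & @role_ids).empty?
  end
end

class ValueModel
  # record_visible stands in for customized.visible?(user).
  def initialize(field, record_visible: true)
    @field = field
    @record_visible = record_visible
  end

  # Shape of the quoted check: the field part never consults the user.
  def attachments_visible_flag_only?(_user)
    @field.visible? && @record_visible
  end

  # User-aware variant: the field part depends on who is asking.
  def attachments_visible_per_user?(user)
    @field.visible_by?(user) && @record_visible
  end
end

# Returns [name, flag-only result, per-user result] for three constructed users.
def check_matrix(value)
  users = [User.new("admin", true, []), User.new("member", false, [2]),
           User.new("outsider", false, [9])]
  users.map { |u| [u.name, value.attachments_visible_flag_only?(u), value.attachments_visible_per_user?(u)] }
end

restricted = ValueModel.new(FieldModel.new(visible_flag: false, role_ids: [2]))
check_matrix(restricted).each { |row| puts row.inspect }
```
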
Actions #2

Updated by Toshi MARUYAMA over 7 years ago

  • Related to Feature #6719: File format for custom fields (specific file uploads) added
Actions #3

Updated by Toshi MARUYAMA over 7 years ago

  • Target version set to 3.4.3
Actions #4

Updated by Jean-Philippe Lang about 7 years ago

  • Target version changed from 3.4.3 to 3.4.4
Actions #5

Updated by Jose Ramos about 7 years ago

+1

Actions #6

Updated by Jean-Philippe Lang almost 7 years ago

  • Status changed from Confirmed to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Fix committed, thanks for pointing this out.
