Project

General

Profile

Actions

Defect #14976

closed

authentication required configurable

Added by Huang Ruhua about 11 years ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix
Affected version:

Description

when authentication required option is checked, all url required logined. but i expect some url is accessible to anonymous users, like '/attachments/download/3029/picture431-1.png', or else these image can't be displayed in email

Actions #1

Updated by Toshi MARUYAMA about 11 years ago

  • Category set to Accounts / authentication
Actions #2

Updated by Huang Ruhua almost 11 years ago

when can fix this issue?

Actions #3

Updated by Go MAEDA 10 months ago

I think that anonymous users should not be able to view any attachments.

Actions #4

Updated by Holger Just 8 months ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

Attachments are protected data and thus must not be publicly available without authentication. This is ensured by Redmine's authorization rules. If this would not be the case, we would consider it a high-severity security issue.

In general, the visibility of attachments is governed by their attached objects (i.e. issues in this case), so that the attachment is visible if the issue is visible to the current user. Thus, users can download attachments if the issue itself is publicly available (i.e. is in a public project in a Redmine which does not enforce authentication) or if the user is logged into Redmine from their current browser / mail client.

Actions

Also available in: Atom PDF