Defect #14976
closed
authentication required configurable
0%
Description
When the authentication required option is checked, all URLs require login. But I expect some URLs to be accessible to anonymous users, like '/attachments/download/3029/picture431-1.png', or else these images can't be displayed in email.
Updated by Toshi MARUYAMA about 11 years ago
- Category set to Accounts / authentication
Updated by Holger Just 9 months ago
- Status changed from New to Closed
- Resolution set to Wont fix
Attachments are protected data and thus must not be publicly available without authentication. This is ensured by Redmine's authorization rules. If this were not the case, we would consider it a high-severity security issue.
In general, the visibility of attachments is governed by their attached objects (i.e. issues in this case), so that the attachment is visible if the issue is visible to the current user. Thus, users can download attachments if the issue itself is publicly available (i.e. is in a public project in a Redmine which does not enforce authentication) or if the user is logged into Redmine from their current browser / mail client.