
Defect #34029

closed

403 Forbidden error when a non-member tries to upload a file

Added by Vincent Robert about 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Category: Permissions and roles
% Done: 100%
Resolution: Fixed

Description

Hello

Our users encountered an error in a specific case, when uploading files.

Here is a screenshot showing the 403-forbidden error after the upload:

Steps to reproduce

This error happens in a specific case when the user is not a member of the project.
Here are the steps to reproduce the issue:

  • The current user is NOT a member of any project
  • The built-in role "non-member" has NO permissions at all
  • In the project's members tab, a role is set for the member "non-member", and this role has permission to create and update issues

Logs

On the server side, here are the logs:

Started POST "/uploads.js?attachment_id=1&filename=image-test.jpg&content_type=image%2Fjpeg" for 127.0.0.1 at 2020-09-24 10:30:51 +0200
Processing by AttachmentsController#upload as JS
  Parameters: {"attachment_id"=>"1", "filename"=>"image-test.jpg", "content_type"=>"image/jpeg"}
  Token Update All (12.1ms)  UPDATE "tokens" SET "updated_on" = '2020-09-24 10:30:51.312455' WHERE "tokens"."user_id" = $1 AND "tokens"."value" = $2 AND "tokens"."action" = $3  [["user_id", 14], ["value", "7d688080432d1c8ceafbd03811ad81dbf8193f1f"], ["action", "session"]]
   (0.6ms)  SELECT MAX("settings"."updated_on") FROM "settings" 
  User Load (0.5ms)  SELECT  "users".* FROM "users" WHERE "users"."type" IN ('User', 'AnonymousUser') AND "users"."status" = $1 AND "users"."id" = $2 LIMIT $3  [["status", 1], ["id", 14], ["LIMIT", 1]]
  Current user: visitor (id=14)
  Role Load (1.0ms)  SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "member_roles" ON "member_roles"."role_id" = "roles"."id" INNER JOIN "members" ON "members"."id" = "member_roles"."member_id" INNER JOIN "projects" ON "projects"."id" = "members"."project_id" WHERE (projects.status <> 9) AND "members"."user_id" = 14
  Role Load (0.2ms)  SELECT  "roles".* FROM "roles" WHERE "roles"."builtin" = $1 LIMIT $2  [["builtin", 1], ["LIMIT", 1]]
Filter chain halted as :authorize_global rendered or redirected
Completed 403 Forbidden in 20ms (ActiveRecord: 14.4ms)

Configuration

The bug has been confirmed on the latest Redmine version, with no plugin installed.

Environment:
  Redmine version                4.1.1.stable
  Ruby version                   2.6.6-p146 (2020-03-31) [x86_64-darwin19]
  Rails version                  5.2.4.2
  Environment                    development
  Database adapter               PostgreSQL
  Mailer queue                   ActiveJob::QueueAdapters::AsyncAdapter
  Mailer delivery                smtp
SCM:
  Subversion                     1.13.0
  Git                            2.24.1
  Filesystem                     
Redmine plugins:
  no plugin installed
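The following is an added, self-contained toy model of the permission lookup described in the report; it is not Redmine's code and not part of the original issue. It mirrors what the log shows: the global check (the :authorize_global filter) only loads roles via memberships where members.user_id equals the current user's id, then adds the built-in non-member role. A role granted to the non-member group inside a project is attached to that group principal, not to the user, so it is never seen and the upload is rejected with 403. The "after fix" method adds those group-granted roles, in line with the title of the attached patch (including GroupNonMember and GroupAnonymous roles). Class names, the :group_non_member principal, :project_a and the :add_issues action are illustrative stand-ins, not Redmine identifiers.

```ruby
# Added example, not Redmine's code: a simplified model of a global
# permission check that misses roles assigned to the built-in "non-member"
# group in a project, and the corrected lookup that includes them.

# A role is a named set of permissions; `builtin` marks the non-member role.
Role = Struct.new(:name, :permissions, :builtin) do
  def allowed_to?(action)
    permissions.include?(action)
  end
end

# A membership binds a principal (a user id, or the stand-in non-member
# group) to a project with one or more roles.
Member = Struct.new(:principal, :project, :roles)

NON_MEMBER_GROUP = :group_non_member # stand-in for the non-member group principal

class User
  attr_reader :id

  def initialize(id, memberships, builtin_role)
    @id = id
    @memberships = memberships   # all memberships in the system (constructed)
    @builtin_role = builtin_role # built-in role for users without membership
  end

  # Roles held through the user's own memberships only. This mirrors the
  # "members.user_id = 14" query in the report: group memberships are skipped.
  def direct_roles
    @memberships.select { |m| m.principal == id }.flat_map(&:roles).uniq
  end

  # Roles granted to the non-member group in projects the user is NOT a
  # member of (a real member must not inherit the non-member role).
  def non_member_group_roles
    own_projects = @memberships.select { |m| m.principal == id }.map(&:project)
    @memberships
      .select { |m| m.principal == NON_MEMBER_GROUP && !own_projects.include?(m.project) }
      .flat_map(&:roles)
      .uniq
  end

  # Behaviour the report describes: direct roles plus the built-in role.
  # With an empty built-in role and no direct membership this is always false.
  def allowed_globally_before_fix?(action)
    (direct_roles | [@builtin_role]).any? { |r| r.allowed_to?(action) }
  end

  # Corrected lookup: roles assigned to the non-member group count as well.
  def allowed_globally_after_fix?(action)
    (direct_roles | non_member_group_roles | [@builtin_role]).any? { |r| r.allowed_to?(action) }
  end
end

# Constructed scenario following the report's steps to reproduce.
NON_MEMBER_BUILTIN = Role.new("Non member", [], true)               # no permissions at all
REPORTER = Role.new("Reporter", [:add_issues, :edit_issues], false) # can create/update issues

# The project grants the "Reporter" role to the non-member group only.
ALL_MEMBERSHIPS = [Member.new(NON_MEMBER_GROUP, :project_a, [REPORTER])]

# "visitor" (id=14) is a member of no project, as in the log.
VISITOR = User.new(14, ALL_MEMBERSHIPS, NON_MEMBER_BUILTIN)

# A real member of project_a holds the role directly and is unaffected either way.
REGULAR_MEMBER = User.new(15, ALL_MEMBERSHIPS + [Member.new(15, :project_a, [REPORTER])], NON_MEMBER_BUILTIN)

def reproduce(user = VISITOR, action = :add_issues)
  {
    before: user.allowed_globally_before_fix?(action), # false for VISITOR -> 403
    after:  user.allowed_globally_after_fix?(action)   # true for VISITOR
  }
end

if __FILE__ == $0
  r = reproduce
  puts "before fix: #{r[:before] ? 'allowed' : '403 Forbidden'}"
  puts "after fix:  #{r[:after] ? 'allowed' : '403 Forbidden'}"
end
```

Running the script prints "403 Forbidden" for the first line and "allowed" for the second, which is the difference between the log in the report and the expected behaviour. The exclusion of the user's own projects in non_member_group_roles is the check worth keeping in any real fix: a project member must never pick up permissions that were meant for non-members.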


Files

error.png (69.7 KB) error.png Vincent Robert, 2020-09-24 10:35
patch.diff (2.91 KB) patch.diff Vincent Robert, 2020-09-24 15:06
0001-Include-GroupNonMember-and-GroupAnonymous-roles-3402.patch (1.07 KB) 0001-Include-GroupNonMember-and-GroupAnonymous-roles-3402.patch Marius BĂLTEANU, 2022-03-20 22:13