Defect #42394

Inconsistent behaviour between attachment download routes with and without filename

Added by Jens Krämer about 1 month ago. Updated 17 days ago.

Status: Closed
Priority: Normal
Category: Attachments
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Currently, depending on the filename extension of the attachment (i.e., zip or txt), the named attachment download route sometimes responds to unauthorized requests with a Status 401 instead of a redirect to the login form for unauthorized requests. This leads to an error message about a broken link in the users' browser. The route without filename always correctly redirects to the login form.

The attached patch (courtesy of Planio) forces the format for the named attachment download route to HTML to fix that, so that the route with filename always redirects to `/login` as well.


#1

Updated by Marius BĂLTEANU 30 days ago

  • Target version set to Candidate for next minor release

#2

Updated by Go MAEDA 22 days ago

  • Tracker changed from Patch to Defect
  • Status changed from New to Confirmed
  • Target version changed from Candidate for next minor release to 5.1.8

#3

Updated by Marius BĂLTEANU 19 days ago

  • Subject changed from inconsistent behaviour between attachment download routes with and without filename to Inconsistent behaviour between attachment download routes with and without filename
  • Status changed from Confirmed to Resolved
  • Assignee set to Marius BĂLTEANU
  • Resolution set to Fixed

#4

Updated by Go MAEDA 18 days ago

The commit r23581 broke two existing tests.

Failure:
Redmine::ApiTest::AttachmentsTest#test_GET_/attachments/download/:id/:filename_should_deny_access_without_credentials [test/integration/api_test/attachments_test.rb:66]:
Expected response to be a <401: unauthorized>, but was a <302: Found> redirect to <http://www.example.com/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fdownload%2F7%2Farchive.zip>
Response body: .
Expected: 401
  Actual: 302

bin/rails test test/integration/api_test/attachments_test.rb:64
Failure:
RoutingAttachmentsTest#test_attachments [test/test_helper.rb:330]:
The recognized options <{"format"=>"html", "controller"=>"attachments", "action"=>"download", "id"=>"1", "filename"=>"filename.ext"}> did not match <{"id"=>"1", "filename"=>"filename.ext", "controller"=>"attachments", "action"=>"download"}>, difference:.
--- expected
+++ actual
@@ -1 +1 @@
-{"id"=>"1", "filename"=>"filename.ext", "controller"=>"attachments", "action"=>"download"}
+{"format"=>"html", "controller"=>"attachments", "action"=>"download", "id"=>"1", "filename"=>"filename.ext"}

bin/rails test test/integration/routing/attachments_test.rb:23

#5

Updated by Marius BĂLTEANU 17 days ago

  • Status changed from Resolved to Closed
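
A framework-free Ruby model of the behaviour described in the issue and of the test failure in #4, added here as an illustration; it is not Redmine's, Rails' or Planio's code. The format table, the fall-back to HTML for unregistered extensions and all function names are assumptions.

```ruby
require "uri"

# Simplified model, not Redmine or Rails code. All names are hypothetical.
# Constructed table: extensions with a registered MIME type select that
# response format; anything else falls back to HTML (assumption).
REGISTERED_FORMATS = { "html" => :html, "txt" => :text, "zip" => :zip }.freeze
BASE_URL = "http://www.example.com" # host taken from the test output above

# Format the request is answered in. `forced_format` models the fix
# described in the issue: the named route pins the format to HTML.
def request_format(filename, forced_format: nil)
  return forced_format if forced_format
  ext = File.extname(filename).delete_prefix(".").downcase
  REGISTERED_FORMATS.fetch(ext, :html)
end

# Unauthenticated branch: HTML requests are sent to the login form,
# every other format gets a bare 401.
def deny_access(format, requested_url)
  if format == :html
    back = URI.encode_www_form_component(requested_url)
    { status: 302, location: "#{BASE_URL}/login?back_url=#{back}" }
  else
    { status: 401 }
  end
end

def unauthenticated_download(id, filename, forced_format: nil)
  url = "#{BASE_URL}/attachments/download/#{id}/#{filename}"
  deny_access(request_format(filename, forced_format: forced_format), url)
end

# Filenames whose unauthenticated response is not the login redirect.
def not_redirected(filenames, forced_format: nil)
  filenames.reject do |name|
    unauthenticated_download(7, name, forced_format: forced_format)[:status] == 302
  end
end

if __FILE__ == $PROGRAM_NAME
  samples = %w[archive.zip notes.txt filename.ext] # constructed sample names
  puts "before: #{not_redirected(samples).inspect}"
  puts "after:  #{not_redirected(samples, forced_format: :html).inspect}"
end
```

With the format pinned, a request without credentials to the named route always receives the 302, which is the change the failing API test in #4 records.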