Defect #9360
closedDeactivating the issue-tracking module makes project's files, bound to project's versions, inaccessible
0%
Description
If the ``issue tracking`` module is deactivated in the project's settings, then all files in the ``files`` section are inaccessible for all (anonymous/authenticated/members). Anonymous users are redirected to login screen, while authenticated users get a 403 error.
If the ``issue tracking`` module is enabled, then file downloads work as expected.
Related issues
Updated by G N about 13 years ago
I am quite certain that the situation I described above has not always been the case, because I am sure downloads worked in the past, even if issue tracking was deactivated.
I selected "1.2.1" as the affected version, but the problem might have been introduced in another release, so the affected versions might be more than just 1.2.1.
Updated by Antonio García-Domínguez about 13 years ago
We are also experiencing this bug. We noticed this when we migrated from 0.8.6 to 1.2.1 as well.
The code involved seems to be in source:trunk/app/models/version.rb#L43, which only allows users to view a version if they have the :view_issues permission. Shouldn't we use a different permission for this?
Updated by Mischa The Evil about 13 years ago
Can you test if this behaviour also happens with files which aren't linked to a particular Redmine project version?
Updated by Antonio García-Domínguez about 13 years ago
No, it doesn't. If the file is not linked to any version, I can download it just fine. That's how we noticed this problem, actually: some files would download just fine, and some didn't. After some probing, we found out that the failing files were those linked to a certain version.
Updated by Mischa The Evil about 13 years ago
- Subject changed from Deactivating the issue-tracking module makes project's files inaccessible to Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessible
I've just took a quick look at the related code for this.
Antonio García-Domínguez wrote:
The code involved seems to be in source:trunk/app/models/version.rb#L43, which only allows users to view a version if they have the
:view_issues
permission. Shouldn't we use a different permission for this?
No, I don't think so. For versions
it's the right permission to use, I think.
As you already say which line is involved, I've tested it by changing it to match the :view_files
permission. This obviously "works around" the problem, but it shows what the real issue looks like.
Before the download starts, Redmine checks if the Version
is visible?
when attachments have a Version
as container-type. It looks to me it does the same on Project
for Project
container-type. This works for Project
without problems since they can obviously not be disabled as a module as it's possible with issue-tracking. Whenever the issue-tracking module is disabled Version.visible?
returns false
which results in the here documented issue.
- Why does Redmine do that
visible?
check? - Where (as in code) is it defined?
- the fact I am not a Redmine core developer and
- the fact I am not familiar with the attachments code at all.
I'll leave it up to the Redmine core developers, but clearly the defect is reproducible.
Updated by Etienne Massip about 13 years ago
- Status changed from New to Closed
- Resolution set to Duplicate
Closed as duplicate of #9055.