Vote #70538

Completed

Version files in Files module cannot be downloaded if issue tracking is disabled

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Permissions and roles_17
Target version:
Start date:
2011/08/13
Due date:
% Done:

0%

Estimated time:
category_id:
17
version_id:
39
issue_org_id:
9055
author_id:
2564
assigned_to_id:
1
comments:
13
status_id:
5
tracker_id:
1
plus1:
0
affected_version:
closed_on:
affected_version_id:
35
Status-->[Closed]

Description

When a project has just "Files" checked in its used modules, then accessing files under the Files tab is not possible. There is an error message "You are not authorized to access this page." even though under "Roles and permissions" all checkboxes are selected for the proper role.
But when you also check "Issue tracking" in the used modules (even though there is no reason to have issue tracking under this project), then files under the Files tab are accessible.
This issue is present in version 1.2.1 (Redmine 1.2.1.stable.6416 (MySQL)); in the previous version (1.1.1) it was OK.


journals

First, sorry Azamat for assigning you to this ticket, but nobody has reacted to this defect for 3 months, so I have assigned you. Please reassign this ticket to the proper person.

Regarding this issue: it is still present in release 1.2.2.
I have found out more details about this issue. It arises only when the following conditions are fulfilled:

- a project is marked as "Public"
- the project has just "Files" enabled in the module list (of course there are some files in Files)
- someone who is not a member of this (sub)project (not listed in "Members" of this project) is accessing these files in the Files part.

Error message in this case is: "404 - The page you were trying to access doesn't exist or has been removed."

If a member of this project is accessing these files, then it's working fine.

The workaround is the following: if "Issue tracking" is also checked in the Modules list (together with Files), then non-member users of this project are allowed to download files without any problems.


--------------------------------------------------------------------------------
Isn't this the same as #9360? I think so. Please provide feedback so we can close this issue as a duplicate since #9360 seems better documented.
--------------------------------------------------------------------------------
And maybe linked to #9576 too.
--------------------------------------------------------------------------------
Mischa's deeper investigation report can be found in #9360 note 5.
--------------------------------------------------------------------------------
And, BTW, according to #9576, it is a regression since it used to work fine in version:1.1.0.
--------------------------------------------------------------------------------
Etienne Massip wrote:
> And maybe linked to #9576 too.

I confirm.
This is a bug of 1.2.0 on existing database. 9576

--------------------------------------------------------------------------------
Mischa The Evil wrote in #9360:
> The questions which come up in me are:
> * Why does Redmine do that @visible?@ check?
> * Where (as in code) is it defined?

@#AttachmentsController#read_authorize@ filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls @Attachment#visible?@ (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls @Version#visible?@.

I think that the inconstancy is the following:
* the user needs the IssueTracking module's @view_issues@ permission to get read access to a version (and to its contents)
* there is no need to enable IssueTracking module to manage versions

--------------------------------------------------------------------------------
The description of issue #9360 seems to be the same as mine. Except one thing - I don't have anonymous users so I don't know the behavior of this issue for them. Issue #9576 is also very similar, but the description is not so detailed.
--------------------------------------------------------------------------------
Etienne Massip wrote:
> @#AttachmentsController#read_authorize@ filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls @Attachment#visible?@ (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls @Version#visible?@.

Thanks for this educational explanation...

> I think that the inconstancy is the following:
> * the user needs the IssueTracking module's @view_issues@ permission to get read access to a version (and to its contents)
> * there is no need to enable IssueTracking module to manage versions

I agree.
--------------------------------------------------------------------------------
Fixed in r7984.
--------------------------------------------------------------------------------
Merged in r8000.
--------------------------------------------------------------------------------
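
The check chain Etienne Massip describes in the thread above, as a simplified Ruby model added here; it is not Redmine's code. The module-gating rule in `allowed_to?`, the `view_files` permission name and both helper functions are assumptions made for illustration.

```ruby
# Simplified model of the check chain described in the thread (not Redmine's code).
# Assumption: a permission counts only while the module that owns it is enabled.
PERMISSION_MODULE = { view_issues: :issue_tracking, view_files: :files }.freeze

Project = Struct.new(:name, :enabled_modules)

User = Struct.new(:permissions) do
  # Module gate first, then the role's own permission list.
  def allowed_to?(permission, project)
    project.enabled_modules.include?(PERMISSION_MODULE.fetch(permission)) &&
      permissions.include?(permission)
  end
end

Version = Struct.new(:project) do
  # Version visibility is tied to an issue-tracking permission.
  def visible?(user)
    user.allowed_to?(:view_issues, project)
  end
end

Attachment = Struct.new(:container) do
  # A file attached to a version must pass the version's check as well.
  def visible?(user)
    if container.is_a?(Version)
      container.visible?(user) && user.allowed_to?(:view_files, container.project)
    else
      user.allowed_to?(:view_files, container)
    end
  end
end

# Hypothetical helper: can a user whose role has every permission read the file?
def download_allowed?(modules, container_kind)
  project = Project.new("demo", modules) # constructed sample project
  user = User.new(%i[view_issues view_files])
  container = container_kind == :version ? Version.new(project) : project
  Attachment.new(container).visible?(user)
end

# Hypothetical audit: module sets where only the version-bound files are blocked.
def version_files_blocked?(modules)
  download_allowed?(modules, :project) && !download_allowed?(modules, :version)
end
```

With only `:files` enabled, the project-level file is readable while the version-bound file is refused even though the role holds every permission, which matches the symptom reported here.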


related_issues

duplicates,Closed,9576,403 forbidden on attachments, after upgrade to 1.2.0, 1.2.1 and 1.2.2
duplicates,Closed,9360,Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessible

Updated by Admin Redmine over 3 years ago

  • Category set to Permissions and roles_17
  • Target version set to 1.2.3_39
