Defect #39862
closed
Attachments functionality for (custom) plugins broken since fix for CVE-2022-44030
Description
I notice this in current 5.1-stable branch, but should be all the way back to defect #37772 if I tracked it right.
The problem is with the new constraints for some attachments routes, when used by a plugin. My plugin makes use of acts_as_attachable in its model and :partial=>'attachments/form' in its view, just like described here.
This is now broken with an error from app/helpers/attachments_helper.rb:23:in `container_attachments_edit_path':
No route matches {:action=>"edit_all", :controller=>"attachments", :id=>"138026", :object_id=>138026, :object_type=>"myplugin", :project_id=>"1"}, possible unmatched constraints: [:object_type]
It's actually coming from this block in config/routes.rb (finding that took me a while):
constraints object_type: /(issues|versions|news|messages|wiki_pages|projects|documents|journals)/ do
  get 'attachments/:object_type/:object_id/edit', :to => 'attachments#edit_all', :as => :object_attachments_edit
  patch 'attachments/:object_type/:object_id', :to => 'attachments#update_all', :as => :object_attachments
  get 'attachments/:object_type/:object_id/download', :to => 'attachments#download_all', :as => :object_attachments_download
end
The list of constraints on object_type needs myplugin in it, so it gets permitted to use these routes.
Since plugin routes get loaded at the very end of config/routes.rb I can't just overwrite/redefine since it already exists at the time I get loaded. Also I spot no functionality in the routing code of rails that allows modification from within an included routes file or at runtime via Rails.application.routes.routes ... looks all read-only.
My workaround so far is to modify the release by
sed -i config/routes.rb -e '/constraints object_type:/ s/documents|journals/documents|journals|myplugin/'
right before starting up Redmine.
I think a proper solution would be to have this list be expandable somehow, perhaps via myplugin/init.rb?
Am a little lost here solving it on my own.
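An added example, not part of the original report and not Redmine's code: one way the object_type allowlist could be made expandable while staying an allowlist. The class name, `register`, `seal!` and the `FakeRequest` stand-in are hypothetical; the only Rails convention assumed is a constraint object that responds to `matches?(request)` and reads `request.path_parameters`.

```ruby
require 'set'

# Hypothetical registry (not Redmine's API): an allowlist of object types
# that may use the attachments/:object_type/... routes.
class AttachableObjectTypes
  # Core list copied from the constraint quoted in the report.
  CORE = %w[issues versions news messages wiki_pages projects documents journals].freeze
  NAME_FORMAT = /\A[a-z][a-z0-9_]*\z/ # keeps slashes and regex metacharacters out

  def initialize
    @types = Set.new(CORE)
    @sealed = false
  end

  # Intended to be called from a plugin's init.rb (assumption).
  def register(name)
    raise 'registry is sealed' if @sealed
    name = name.to_s
    raise ArgumentError, "invalid object type: #{name.inspect}" unless NAME_FORMAT.match?(name)
    @types << name
    self
  end

  # Call once all plugins are loaded, so the list cannot grow at runtime.
  def seal!
    @sealed = true
    self
  end

  # Same shape as a Rails request constraint: an object responding to matches?(request).
  def matches?(request)
    @types.include?(request.path_parameters[:object_type].to_s)
  end
end

# Constructed stand-in for the Rails request object, so the script runs without Rails.
FakeRequest = Struct.new(:path_parameters)

def allowed?(registry, object_type)
  registry.matches?(FakeRequest.new({ object_type: object_type }))
end

if __FILE__ == $PROGRAM_NAME
  registry = AttachableObjectTypes.new
  puts allowed?(registry, 'myplugin') # before registration
  registry.register('myplugin').seal!
  puts allowed?(registry, 'myplugin') # after registration
  puts allowed?(registry, 'users')    # never registered
end
```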