Defect #26705

Unable to download file if custom field is not defined as visible to any users

Added by Thibault Deregnaucourt 2 months ago. Updated 9 days ago.

Status: Confirmed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Custom fields
Target version: 3.4.4
Resolution:
Affected version: 3.4.2

Description

Even if my user account has all available roles (and is also an administrator), I am not able to download a custom field file unless the custom field is configured as visible to any users.

I am getting a "403 - You are not authorized to access this page." error page when I try to download the file (either from an issue or a custom query).

It does not occur when I add the file as an issue attachment.

My (Bitnami) environment is:

Environment:
  Redmine version                3.4.2.stable
  Ruby version                   2.3.4-p301 (2017-03-30) [x86_64-linux]
  Rails version                  4.2.8
  Environment                    production
  Database adapter               Mysql2
SCM:
  Subversion                     1.9.5
  Cvs                            1.12.13
  Git                            2.7.4
  Filesystem                     
Redmine plugins:
  hide_journal_details           0.0.2
  redmine_contacts               4.1.1
  redmine_issue_templates        0.1.7

The production.log file:

Started GET "/attachments/@@@/@@@" for @@@.@@@.@@@.@@@ at 2017-08-16 16:11:05 +0000
Processing by AttachmentsController#show as HTML
  Parameters: {"id"=>"@@@", "filename"=>"@@@"}
  Current user: @@@ (id=@@@)
  Rendered common/error.html.erb within layouts/base (1.2ms)
  Rendered plugins/redmine_contacts/app/views/contacts_issues/_additional_assets.html.erb (1.1ms)
  Rendered plugins/redmine_contacts/app/views/common/_contacts_select2_data.html.erb (0.4ms)
Filter chain halted as :read_authorize rendered or redirected
Completed 403 Forbidden in 57ms (Views: 35.7ms | ActiveRecord: 10.2ms)

Related issues

Related to Redmine - Feature #6719: File format for custom fields (specific file uploads) Closed 2010-10-21

History

#1 Updated by Go MAEDA 2 months ago

  • Status changed from New to Confirmed

I confirmed the problem.

This is due to source:tags/3.4.2/app/models/custom_value.rb#L46. The attachments_visible? method checks the return value of IssueCustomField#visible. But it always returns false by design when the "Visible" setting of the custom field is other than "to any users".

  def attachments_visible?(user)
    visible? && customized && customized.visible?(user)
  end
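
The check quoted in comment #1, modelled as an added Ruby example (not part of the original comment, and neither Redmine's code nor its patch). It shows why a user-independent field check returns 403 for administrators and role members alike, and what a role-aware check must still deny. FieldModel, ValueModel, visible_to?, attachments_visible_role_aware? and the sample users are hypothetical stand-ins constructed for illustration.

```ruby
# Simplified stand-ins for the models involved; every name here is an
# assumption for illustration except visible? and attachments_visible?.
User = Struct.new(:name, :admin, :roles)

class FieldModel
  def initialize(visible_to_all:, role_names: [])
    @visible_to_all = visible_to_all
    @role_names = role_names
  end

  # Behaviour described in comment #1: user-independent, so it is false
  # whenever "Visible" is set to anything other than "to any users".
  def visible?
    @visible_to_all
  end

  # Hypothetical user-aware check: admins and members of a listed role pass.
  def visible_to?(user)
    visible? || user.admin || !(@role_names & user.roles).empty?
  end
end

class ValueModel
  def initialize(field, issue_visible_to)
    @field = field
    @issue_visible_to = issue_visible_to # names of users who can see the issue
  end

  # Shape of the quoted check: the field-level test ignores who is asking.
  def attachments_visible?(user)
    @field.visible? && @issue_visible_to.include?(user.name)
  end

  # Role-aware variant (assumption): field and issue checks both take the user.
  def attachments_visible_role_aware?(user)
    @field.visible_to?(user) && @issue_visible_to.include?(user.name)
  end
end

# Returns rows of [user name, quoted check, role-aware check].
def decisions(field, users)
  value = ValueModel.new(field, users.map(&:name) - ["outsider"])
  users.map { |u| [u.name, value.attachments_visible?(u), value.attachments_visible_role_aware?(u)] }
end

USERS = [User.new("admin", true, []), User.new("dev", false, ["Developer"]),
         User.new("reporter", false, ["Reporter"]), User.new("outsider", false, ["Developer"])]
RESTRICTED = FieldModel.new(visible_to_all: false, role_names: ["Developer"])
decisions(RESTRICTED, USERS).each { |row| puts row.inspect }
```

In this model "outsider" holds a permitted role but cannot see the issue, and "reporter" can see the issue but holds no permitted role; both stay denied under the role-aware variant.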

#2 Updated by Toshi MARUYAMA about 1 month ago

  • Related to Feature #6719: File format for custom fields (specific file uploads) added

#3 Updated by Toshi MARUYAMA about 1 month ago

  • Target version set to 3.4.3

#4 Updated by Jean-Philippe Lang 9 days ago

  • Target version changed from 3.4.3 to 3.4.4
