Defect #39862

closed

Attachments functionality for (custom) plugins broken since fix for CVE-2022-44030

Added by Naha Sapimapethilon 5 months ago. Updated 2 months ago.

Status: Closed
Priority: Normal
Category: Plugin API
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:
Description

I noticed this in the current 5.1-stable branch, but it should go all the way back to defect #37772 if I tracked it right.

The problem is with the new constraints for some attachments routes, when used by a plugin. My plugin makes use of acts_as_attachable in its model and :partial=>'attachments/form' in its view, just like described here.

This is now broken with an error from app/helpers/attachments_helper.rb:23:in `container_attachments_edit_path':

No route matches {:action=>"edit_all", :controller=>"attachments", :id=>"138026", 
 :object_id=>138026, :object_type=>"myplugin",
 :project_id=>"1"}, possible unmatched constraints: [:object_type]

It's actually coming from this block in config/routes.rb (finding that took me a while):

constraints object_type: /(issues|versions|news|messages|wiki_pages|projects|documents|journals)/ do
   get 'attachments/:object_type/:object_id/edit', :to => 'attachments#edit_all', :as => :object_attachments_edit
   patch 'attachments/:object_type/:object_id', :to => 'attachments#update_all', :as => :object_attachments
   get 'attachments/:object_type/:object_id/download', :to => 'attachments#download_all', :as => :object_attachments_download
end

The list of constraints on object_type needs myplugin in it, so it gets permitted to use these routes.

Since plugin routes get loaded at the very end of config/routes.rb, I can't just overwrite/redefine it, since it already exists at the time I get loaded. Also, I spot no functionality in the routing code of Rails that allows modification from within an included routes file or at runtime via Rails.application.routes.routes... it looks all read-only.

My workaround so far is to modify the release by

sed -i config/routes.rb -e '/constraints object_type:/ s/documents|journals/documents|journals|myplugin/'

right before starting up Redmine.

I think a proper solution would be to have this list be expandable somehow, perhaps via myplugin/init.rb?

I am a little lost here solving it on my own.


Related issues

Precedes Redmine - Feature #39948: Add Redmine::Plugin proxy method for Redmine::Acts::Attachable::ObjectTypeConstraint.register_object_type (Closed, Marius BĂLTEANU)
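
An added example (not part of the report and not Redmine's own code) of the expandable list the description asks for: a constraint object that keeps the allowlist strict, with exact matches only and validated names, while letting a plugin register its type at load time. `ObjectTypeAllowlist`, `allowed?` and `FakeRequest` are hypothetical names; `register_object_type` is borrowed from the title of the related issue, and wiring it in through Rails `constraints(...)` with a `matches?` object is the assumed integration point.

```ruby
require 'set'

# Hypothetical stand-in for the hard-coded regex in config/routes.rb: an
# allowlist that plugins can extend, usable as `constraints(ObjectTypeAllowlist)`.
class ObjectTypeAllowlist
  # Core types copied from the constraint quoted in the report.
  CORE_TYPES = %w[issues versions news messages wiki_pages projects documents journals].freeze
  # Registered names must be plain identifiers so they cannot widen the match.
  VALID_NAME = /\A[a-z][a-z0-9_]*\z/

  @types = Set.new(CORE_TYPES)
  @mutex = Mutex.new

  class << self
    # Called by a plugin at load time (for example from its init.rb).
    def register_object_type(type)
      name = type.to_s
      raise ArgumentError, "invalid object type: #{name.inspect}" unless name.match?(VALID_NAME)
      @mutex.synchronize { @types << name }
      name
    end

    # Rails calls matches?(request) on a constraint object for each candidate route.
    def matches?(request)
      allowed?(request.path_parameters[:object_type])
    end

    # Exact membership test: no substring or regex-metacharacter matching.
    def allowed?(value)
      value.is_a?(String) && @mutex.synchronize { @types.include?(value) }
    end
  end
end

# Constructed request double; in Rails this would be an ActionDispatch::Request.
FakeRequest = Struct.new(:path_parameters)

if __FILE__ == $PROGRAM_NAME
  # Constructed sample parameters modelled on the error message in the report.
  req = FakeRequest.new({ object_type: 'myplugin', object_id: '138026' })
  puts "before register: #{ObjectTypeAllowlist.matches?(req)}"
  ObjectTypeAllowlist.register_object_type('myplugin')
  puts "after register:  #{ObjectTypeAllowlist.matches?(req)}"
end
```
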
