Defect #9055
Version files in Files module cannot be downloaded if issue tracking is disabled
| Status: | Closed | Start date: | 2011-08-13 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Jean-Philippe Lang | % Done: | 0% |
| Category: | Permissions and roles | | |
| Target version: | 1.2.3 | | |
| Affected version: | 1.2.1 | Resolution: | Fixed |
Description
When a project has just "Files" checked in its used modules, then accessing files under the Files tab is not possible. There is an error message "You are not authorized to access this page." even though under "Roles and permissions" all checkboxes are selected for the proper role.
But when you also check "Issue tracking" in the used modules (even though there is no reason to have issue tracking under this project), then files under the Files tab are accessible.
This issue is present in version 1.2.1 (Redmine 1.2.1.stable.6416 (MySQL)); in the previous version (1.1.1) it was OK.
Related issues
Associated revisions
Fixed: version files in Files module cannot be downloaded if issue tracking is disabled (#9055).
History
#1 Updated by Stanislav Pach 6 months ago
- Assignee set to Azamat Hackimov
- % Done changed from 0 to 10
First of all, sorry Azamat for assigning you to this ticket, but nobody has responded to this defect for 3 months, so I have assigned you. Please reassign this ticket to the proper person.
Regarding this issue - it is still present in release 1.2.2.
I have found out more details about this issue. It comes up only when the following conditions are fulfilled:
- a project is marked as "Public"
- the project has just "Files" enabled in the module list (of course there are some files in Files)
- someone who is not a member of this (sub)project (not listed in "Members" of this project) is accessing these files in the Files part.
The error message in this case is: "404 - The page you were trying to access doesn't exist or has been removed."
If a member of this project is accessing these files, then it's working fine.
The workaround is the following: if "Issue tracking" is also checked in the Modules list (together with Files), then non-member users of this project are allowed to download files without any problems.
#2 Updated by Mischa The Evil 6 months ago
- Assignee deleted (Azamat Hackimov)
- % Done changed from 10 to 0
#3 Updated by Etienne Massip 6 months ago
And maybe linked to #9576 too.
#4 Updated by Etienne Massip 6 months ago
- Target version set to Candidate for next minor release
#5 Updated by Etienne Massip 6 months ago
- Status changed from New to Confirmed
#6 Updated by Etienne Massip 6 months ago
Mischa's deeper investigation report can be found in #9360 note 5.
#7 Updated by Etienne Massip 6 months ago
#8 Updated by Stéphane Liabat 6 months ago
Etienne Massip wrote:
And maybe linked to #9576 too.
I confirm.
This is a bug of 1.2.0 on existing database. 9576
#9 Updated by Etienne Massip 6 months ago
Mischa The Evil wrote in #9360:
The questions which come up in me are:
- Why does Redmine do that `visible?` check?
- Where (as in code) is it defined?
#AttachmentsController#read_authorize filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls Attachment#visible? (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls Version#visible?.
- the user needs the IssueTracking module's `view_issues` permission to get read access to a version (and to its contents)
- there is no need to enable IssueTracking module to manage versions
#10 Updated by Stanislav Pach 6 months ago
#11 Updated by Mischa The Evil 6 months ago
Etienne Massip wrote:
#AttachmentsController#read_authorize filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls Attachment#visible? (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls Version#visible?.
Thanks for this educational explanation...
I think that the inconstancy is the following:
- the user needs the IssueTracking module's `view_issues` permission to get read access to a version (and to its contents)
- there is no need to enable IssueTracking module to manage versions
I agree.
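The coupling discussed in the comments above, as a simplified model added here (it is not part of the thread and not Redmine's source code). The class bodies, `PERMISSION_MODULE`, `download_allowed` and `visible_via_files?` are assumptions for illustration; `visible_via_files?` is a hypothetical decoupled check, not the r7984 change.

```ruby
# Simplified model, constructed for illustration (not Redmine source code).
# Assumption: a permission only counts when the module that owns it is
# enabled on the project, as the workaround in the thread implies.
PERMISSION_MODULE = {
  view_files:  :files,
  view_issues: :issue_tracking
}.freeze

Project = Struct.new(:enabled_modules) do
  def allows?(permission)
    enabled_modules.include?(PERMISSION_MODULE.fetch(permission))
  end
end

User = Struct.new(:permissions) do
  def allowed_to?(permission, project)
    project.allows?(permission) && permissions.include?(permission)
  end
end

Version = Struct.new(:project) do
  # Coupling named in the thread: reading a version needs view_issues.
  def visible?(user)
    user.allowed_to?(:view_issues, project)
  end
end

Attachment = Struct.new(:container) do
  # Behaviour described in the thread: delegate to the container (a Version).
  def visible?(user)
    container.visible?(user)
  end

  # Hypothetical decoupled check: gate version files on the Files
  # module's own permission instead of on issue tracking.
  def visible_via_files?(user)
    user.allowed_to?(:view_files, container.project)
  end
end

# Runs one check for a version file in a project with the given modules.
def download_allowed(modules, check, perms = %i[view_files view_issues])
  file = Attachment.new(Version.new(Project.new(modules)))
  file.public_send(check, User.new(perms))
end

puts download_allowed(%i[files], :visible?)                 # false
puts download_allowed(%i[files issue_tracking], :visible?)  # true
puts download_allowed(%i[files], :visible_via_files?)       # true
```

With only Files enabled, the role's `view_issues` grant has no effect because its owning module is off, so the delegated check denies the download even though every checkbox is ticked.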
#12 Updated by Jean-Philippe Lang 6 months ago
- Subject changed from Permissions for files are not respected to Version files in Files module cannot be downloaded if issue tracking is disabled
- Status changed from Confirmed to Resolved
- Assignee set to Jean-Philippe Lang
- Target version changed from Candidate for next minor release to 1.2.3
- Resolution set to Fixed
Fixed in r7984.
#13 Updated by Jean-Philippe Lang 6 months ago
- Status changed from Resolved to Closed
Merged in r8000.