Project

General

Profile

Actions

Defect #9055

closed

Version files in Files module cannot be downloaded if issue tracking is disabled

Added by Stanislav Pach about 13 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Normal
Category:
Permissions and roles
Target version:
Start date:
2011-08-13
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

When a project has in used modules checked just "Files" than accessing files under Files tab is not possible. There is an error message "You are not authorized to access this page." even under "Roles and permissions" are for proper role all checkboxes selected.
But when you check in used modules also "Issue tracking" (even it is no reason to have issue tracking under this project) then files under Files tab are accessible.
This issue is present in version 1.2.1 (Redmine 1.2.1.stable.6416 (MySQL)), in previous version (1.1.1) it was ok.


Related issues

Has duplicate Redmine - Defect #9576: 403 forbidden on attachments, after upgrade to 1.2.0, 1.2.1 and 1.2.2Closed2011-11-15

Actions
Has duplicate Redmine - Defect #9360: Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessibleClosed2011-09-30

Actions
Actions #1

Updated by Stanislav Pach almost 13 years ago

  • Assignee set to Azamat Hackimov
  • % Done changed from 0 to 10

At first - sorry Azamat to assign you to this ticket, but nobody has reflected to this defect for 3 months so I have assigned you. Please reassign this ticket to proper person.

Regarding this issue - it is still present in release 1.2.2.
I have found out more details about this issue. It will raise up just in case when there are following conditions fulfiled:

- a project is marked as "Public"
- project has enabled just "Files" in module list (of course there are some files in Files)
- to these files in Files part is accessing someone who is not a member of this (sub)project (not listed in "Members" of this project).

Error message in this case is: "404 - The page you were trying to access doesn't exist or has been removed."

If a member of this project is accessing these files , than it`s working fine.

The workaroud is following: If in Modules list is checked also "Issue tracking" (together with Files), than non-member users of this project are allowed to download files without any problems.

Actions #2

Updated by Mischa The Evil almost 13 years ago

  • Assignee deleted (Azamat Hackimov)
  • % Done changed from 10 to 0

Isn't this the same as #9360? I think so. Please provide feedback so we can close this issue as a duplicate since #9360 seems better documented.

Actions #3

Updated by Etienne Massip almost 13 years ago

And maybe linked to #9576 too.

Actions #4

Updated by Etienne Massip almost 13 years ago

  • Target version set to Candidate for next minor release
Actions #5

Updated by Etienne Massip almost 13 years ago

  • Status changed from New to Confirmed
Actions #6

Updated by Etienne Massip almost 13 years ago

Mischa 's deeper investigation report can be found in #9360 note 5.

Actions #7

Updated by Etienne Massip almost 13 years ago

And, BTW, according to #9576, it is a regression since it used to work fine in 1.1.0.

Actions #8

Updated by Stéphane Liabat almost 13 years ago

Etienne Massip wrote:

And maybe linked to #9576 too.

I confirm.
This is a bug of 1.2.0 on existing database. 9576

Actions #9

Updated by Etienne Massip almost 13 years ago

Mischa The Evil wrote in #9360:

The questions which come up in me are:
  • Why does Redmine do that visible? check?
  • Where (as in code) is it defined?

#AttachmentsController#read_authorize filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls Attachment#visible? (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls Version#visible?.

I think that the inconstancy is the following:
  • the user needs the IssueTracking module's view_issues permission to get read access to a version (and to its contents)
  • there is no need to enable IssueTracking module to manage versions
Actions #10

Updated by Stanislav Pach almost 13 years ago

The description of issue #9360 seems to be the same as mine. Except one thing - I don`t have anonymous users so I don`t know the behavior of this issue for them. Issue #9576 is also very similar, but the description is not so detailed.

Actions #11

Updated by Mischa The Evil almost 13 years ago

Etienne Massip wrote:

#AttachmentsController#read_authorize filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls Attachment#visible? (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls Version#visible?.

Thanks for this educational explanation...

I think that the inconstancy is the following:
  • the user needs the IssueTracking module's view_issues permission to get read access to a version (and to its contents)
  • there is no need to enable IssueTracking module to manage versions

I agree.

Actions #12

Updated by Jean-Philippe Lang almost 13 years ago

  • Subject changed from Permissions for files are not respected to Version files in Files module cannot be downloaded if issue tracking is disabled
  • Status changed from Confirmed to Resolved
  • Assignee set to Jean-Philippe Lang
  • Target version changed from Candidate for next minor release to 1.2.3
  • Resolution set to Fixed

Fixed in r7984.

Actions #13

Updated by Jean-Philippe Lang almost 13 years ago

  • Status changed from Resolved to Closed

Merged in r8000.

Actions

Also available in: Atom PDF