Defect #9055
closedVersion files in Files module cannot be downloaded if issue tracking is disabled
0%
Description
When a project has in used modules checked just "Files" than accessing files under Files tab is not possible. There is an error message "You are not authorized to access this page." even under "Roles and permissions" are for proper role all checkboxes selected.
But when you check in used modules also "Issue tracking" (even it is no reason to have issue tracking under this project) then files under Files tab are accessible.
This issue is present in version 1.2.1 (Redmine 1.2.1.stable.6416 (MySQL)), in previous version (1.1.1) it was ok.
Related issues
Updated by Stanislav Pach almost 13 years ago
- Assignee set to Azamat Hackimov
- % Done changed from 0 to 10
At first - sorry Azamat to assign you to this ticket, but nobody has reflected to this defect for 3 months so I have assigned you. Please reassign this ticket to proper person.
Regarding this issue - it is still present in release 1.2.2.
I have found out more details about this issue. It will raise up just in case when there are following conditions fulfiled:
- a project is marked as "Public"
- project has enabled just "Files" in module list (of course there are some files in Files)
- to these files in Files part is accessing someone who is not a member of this (sub)project (not listed in "Members" of this project).
Error message in this case is: "404 - The page you were trying to access doesn't exist or has been removed."
If a member of this project is accessing these files , than it`s working fine.
The workaroud is following: If in Modules list is checked also "Issue tracking" (together with Files), than non-member users of this project are allowed to download files without any problems.
Updated by Mischa The Evil almost 13 years ago
- Assignee deleted (
Azamat Hackimov) - % Done changed from 10 to 0
Updated by Etienne Massip almost 13 years ago
- Target version set to Candidate for next minor release
Updated by Etienne Massip almost 13 years ago
- Status changed from New to Confirmed
Updated by Etienne Massip almost 13 years ago
Mischa 's deeper investigation report can be found in #9360 note 5.
Updated by Etienne Massip almost 13 years ago
Updated by Stéphane Liabat almost 13 years ago
Etienne Massip wrote:
And maybe linked to #9576 too.
I confirm.
This is a bug of 1.2.0 on existing database. 9576
Updated by Etienne Massip almost 13 years ago
Mischa The Evil wrote in #9360:
The questions which come up in me are:
- Why does Redmine do that
visible?
check?- Where (as in code) is it defined?
#AttachmentsController#read_authorize
filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls Attachment#visible?
(source:/trunk/app/models/attachment.rb@7819#L117) which itself calls Version#visible?
.
- the user needs the IssueTracking module's
view_issues
permission to get read access to a version (and to its contents) - there is no need to enable IssueTracking module to manage versions
Updated by Stanislav Pach almost 13 years ago
Updated by Mischa The Evil almost 13 years ago
Etienne Massip wrote:
#AttachmentsController#read_authorize
filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) callsAttachment#visible?
(source:/trunk/app/models/attachment.rb@7819#L117) which itself callsVersion#visible?
.
Thanks for this educational explanation...
I think that the inconstancy is the following:
- the user needs the IssueTracking module's
view_issues
permission to get read access to a version (and to its contents)- there is no need to enable IssueTracking module to manage versions
I agree.
Updated by Jean-Philippe Lang almost 13 years ago
- Subject changed from Permissions for files are not respected to Version files in Files module cannot be downloaded if issue tracking is disabled
- Status changed from Confirmed to Resolved
- Assignee set to Jean-Philippe Lang
- Target version changed from Candidate for next minor release to 1.2.3
- Resolution set to Fixed
Fixed in r7984.
Updated by Jean-Philippe Lang almost 13 years ago
- Status changed from Resolved to Closed
Merged in r8000.