Project

General

Profile

Actions
Copy link

Defect #9055

closed

Version files in Files module cannot be downloaded if issue tracking is disabled

Added by Stanislav Pach over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jean-Philippe Lang
Category:
Permissions and roles
Target version:
1.2.3
Start date:
2011-08-13
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:
1.2.1

Description

When a project has in used modules checked just "Files" than accessing files under Files tab is not possible. There is an error message "You are not authorized to access this page." even under "Roles and permissions" are for proper role all checkboxes selected.
But when you check in used modules also "Issue tracking" (even it is no reason to have issue tracking under this project) then files under Files tab are accessible.
This issue is present in version 1.2.1 (Redmine 1.2.1.stable.6416 (MySQL)), in previous version (1.1.1) it was ok.

Related issues

Has duplicate Redmine - Defect #9576: 403 forbidden on attachments, after upgrade to 1.2.0, 1.2.1 and 1.2.2Closed2011-11-15

Actions
Has duplicate Redmine - Defect #9360: Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessibleClosed2011-09-30

Actions
Actions
Copy link
 #1

Updated by Stanislav Pach over 12 years ago

  • Assignee set to Azamat Hackimov
  • % Done changed from 0 to 10

At first - sorry Azamat to assign you to this ticket, but nobody has reflected to this defect for 3 months so I have assigned you. Please reassign this ticket to proper person.

Regarding this issue - it is still present in release 1.2.2.
I have found out more details about this issue. It will raise up just in case when there are following conditions fulfiled:

- a project is marked as "Public"
- project has enabled just "Files" in module list (of course there are some files in Files)
- to these files in Files part is accessing someone who is not a member of this (sub)project (not listed in "Members" of this project).

Error message in this case is: "404 - The page you were trying to access doesn't exist or has been removed."

If a member of this project is accessing these files , than it`s working fine.

The workaroud is following: If in Modules list is checked also "Issue tracking" (together with Files), than non-member users of this project are allowed to download files without any problems.

Actions
Copy link
 #2

Updated by Mischa The Evil over 12 years ago

  • Assignee deleted (Azamat Hackimov)
  • % Done changed from 10 to 0

Isn't this the same as #9360? I think so. Please provide feedback so we can close this issue as a duplicate since #9360 seems better documented.

Actions
Copy link
 #3

Updated by Etienne Massip over 12 years ago

And maybe linked to #9576 too.

Actions
Copy link
 #4

Updated by Etienne Massip over 12 years ago

  • Target version set to Candidate for next minor release
Actions
Copy link
 #5

Updated by Etienne Massip over 12 years ago

  • Status changed from New to Confirmed
Actions
Copy link
 #6

Updated by Etienne Massip over 12 years ago

Mischa 's deeper investigation report can be found in #9360 note 5.

Actions
Copy link
 #7

Updated by Etienne Massip over 12 years ago

And, BTW, according to #9576, it is a regression since it used to work fine in 1.1.0.

Actions
Copy link
 #8

Updated by Stéphane Liabat over 12 years ago

Etienne Massip wrote:

And maybe linked to #9576 too.

I confirm.
This is a bug of 1.2.0 on existing database. 9576

Actions
Copy link
 #9

Updated by Etienne Massip over 12 years ago

Mischa The Evil wrote in #9360:

The questions which come up in me are:
  • Why does Redmine do that visible? check?
  • Where (as in code) is it defined?

#AttachmentsController#read_authorize filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls Attachment#visible? (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls Version#visible?.

I think that the inconstancy is the following:
  • the user needs the IssueTracking module's view_issues permission to get read access to a version (and to its contents)
  • there is no need to enable IssueTracking module to manage versions
Actions
Copy link
 #10

Updated by Stanislav Pach over 12 years ago

The description of issue #9360 seems to be the same as mine. Except one thing - I don`t have anonymous users so I don`t know the behavior of this issue for them. Issue #9576 is also very similar, but the description is not so detailed.

Actions
Copy link
 #11

Updated by Mischa The Evil over 12 years ago

Etienne Massip wrote:

#AttachmentsController#read_authorize filter (source:/trunk/app/controllers/attachments_controller.rb@7819#L78) calls Attachment#visible? (source:/trunk/app/models/attachment.rb@7819#L117) which itself calls Version#visible?.

Thanks for this educational explanation...

I think that the inconstancy is the following:
  • the user needs the IssueTracking module's view_issues permission to get read access to a version (and to its contents)
  • there is no need to enable IssueTracking module to manage versions

I agree.

Actions
Copy link
 #12

Updated by Jean-Philippe Lang over 12 years ago

  • Subject changed from Permissions for files are not respected to Version files in Files module cannot be downloaded if issue tracking is disabled
  • Status changed from Confirmed to Resolved
  • Assignee set to Jean-Philippe Lang
  • Target version changed from Candidate for next minor release to 1.2.3
  • Resolution set to Fixed

Fixed in r7984.

Actions
Copy link
 #13

Updated by Jean-Philippe Lang over 12 years ago

  • Status changed from Resolved to Closed

Merged in r8000.

Actions
Copy link

Also available in: Atom PDF