Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessible
If the ``issue tracking`` module is deactivated in the project's settings, then all files in the ``files`` section are inaccessible for all (anonymous/authenticated/members). Anonymous users are redirected to login screen, while authenticated users get a 403 error.
If the ``issue tracking`` module is enabled, then file downloads work as expected.
#1 Updated by G N over 6 years ago
I am quite certain that the situation I described above has not always been the case, because I am sure downloads worked in the past, even if issue tracking was deactivated.
I selected "1.2.1" as the affected version, but the problem might have been introduced in another release, so the affected versions might be more than just 1.2.1.
#2 Updated by Antonio García-Domínguez over 6 years ago
We are also experiencing this bug. We noticed this when we migrated from 0.8.6 to 1.2.1 as well.
The code involved seems to be in source:trunk/app/models/version.rb#L43, which only allows users to view a version if they have the :view_issues permission. Shouldn't we use a different permission for this?
#4 Updated by Antonio García-Domínguez over 6 years ago
No, it doesn't. If the file is not linked to any version, I can download it just fine. That's how we noticed this problem, actually: some files would download just fine, and some didn't. After some probing, we found out that the failing files were those linked to a certain version.
#5 Updated by Mischa The Evil over 6 years ago
- Subject changed from Deactivating the issue-tracking module makes project's files inaccessible to Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessible
I've just took a quick look at the related code for this.
Antonio García-Domínguez wrote:
The code involved seems to be in source:trunk/app/models/version.rb#L43, which only allows users to view a version if they have the
:view_issuespermission. Shouldn't we use a different permission for this?
No, I don't think so. For
versions it's the right permission to use, I think.
As you already say which line is involved, I've tested it by changing it to match the
:view_files permission. This obviously "works around" the problem, but it shows what the real issue looks like.
Before the download starts, Redmine checks if the
visible? when attachments have a
Version as container-type. It looks to me it does the same on
Project container-type. This works for
Project without problems since they can obviously not be disabled as a module as it's possible with issue-tracking. Whenever the issue-tracking module is disabled
false which results in the here documented issue.
- Why does Redmine do that
- Where (as in code) is it defined?
- the fact I am not a Redmine core developer and
- the fact I am not familiar with the attachments code at all.
I'll leave it up to the Redmine core developers, but clearly the defect is reproducible.