Defect #9360

Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessible

Added by G N about 6 years ago. Updated about 6 years ago.

Status: Closed
Start date: 2011-09-30
Priority: High
Due date:
Assignee: -
% Done: 0%
Category: Attachments
Target version: -
Resolution: Duplicate
Affected version: 1.2.1

Description

If the ``issue tracking`` module is deactivated in the project's settings, then all files in the ``files`` section are inaccessible for all (anonymous/authenticated/members). Anonymous users are redirected to the login screen, while authenticated users get a 403 error.

If the ``issue tracking`` module is enabled, then file downloads work as expected.


Related issues

Duplicates Redmine - Defect #9055: Version files in Files module cannot be downloaded if iss... Closed 2011-08-13

History

#1 Updated by G N about 6 years ago

I am quite certain that the situation I described above has not always been the case, because I am sure downloads worked in the past, even if issue tracking was deactivated.

I selected "1.2.1" as the affected version, but the problem might have been introduced in another release, so the affected versions might be more than just 1.2.1.

#2 Updated by Antonio García-Domínguez about 6 years ago

We are also experiencing this bug. We noticed this when we migrated from 0.8.6 to 1.2.1 as well.

The code involved seems to be in source:trunk/app/models/version.rb#L43, which only allows users to view a version if they have the :view_issues permission. Shouldn't we use a different permission for this?

#3 Updated by Mischa The Evil about 6 years ago

Can you test if this behaviour also happens with files which aren't linked to a particular Redmine project version?

#4 Updated by Antonio García-Domínguez about 6 years ago

No, it doesn't. If the file is not linked to any version, I can download it just fine. That's how we noticed this problem, actually: some files would download just fine, and some didn't. After some probing, we found out that the failing files were those linked to a certain version.

#5 Updated by Mischa The Evil about 6 years ago

  • Subject changed from Deactivating the issue-tracking module makes project's files inaccessible to Deactivating the issue-tracking module makes project's files, bound to project's versions, inaccessible

I've just taken a quick look at the related code for this.

Antonio García-Domínguez wrote:

The code involved seems to be in source:trunk/app/models/version.rb#L43, which only allows users to view a version if they have the :view_issues permission. Shouldn't we use a different permission for this?

No, I don't think so. For versions it's the right permission to use, I think.
As you already say which line is involved, I've tested it by changing it to match the :view_files permission. This obviously "works around" the problem, but it shows what the real issue looks like.

Before the download starts, Redmine checks whether the Version is visible? when attachments have a Version as container-type. It looks to me like it does the same on Project for Project container-type. This works for Project without problems since they can obviously not be disabled as a module, as is possible with issue-tracking. Whenever the issue-tracking module is disabled, Version.visible? returns false, which results in the issue documented here.

The questions which come up in me are:
  • Why does Redmine do that visible? check?
  • Where (as in code) is it defined?
I did a quick try to find the answers to the above questions but haven't succeeded due to:
  1. the fact I am not a Redmine core developer and
  2. the fact I am not familiar with the attachments code at all.

I'll leave it up to the Redmine core developers, but clearly the defect is reproducible.

#6 Updated by Etienne Massip about 6 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Closed as duplicate of #9055.
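The coupling discussed in this thread can be reproduced in a small model, given here as an added example that is not Redmine's code or any commenter's. All class and method names are hypothetical, and the model assumes that a permission is only effective while the module owning it is enabled and that downloads additionally require :view_files.

```ruby
# Simplified model of the download check described in comments #2 and #5.
# Hypothetical names throughout; this is not Redmine's source.

# Assumption: every permission is owned by a module and is only effective
# while that module is enabled on the project.
PERMISSION_MODULE = { view_issues: :issue_tracking, view_files: :files }.freeze

User = Struct.new(:permissions) do
  def allowed_to?(permission, project)
    project.enabled_modules.include?(PERMISSION_MODULE.fetch(permission)) &&
      permissions.include?(permission)
  end
end

Project = Struct.new(:enabled_modules) do
  def project
    self
  end

  # Projects cannot be switched off as a module, so this check never fails here.
  def visible?(_user)
    true
  end
end

Version = Struct.new(:project) do
  # The check pointed out in comment #2: a version is visible only with :view_issues.
  def visible?(user)
    user.allowed_to?(:view_issues, project)
  end
end

# Download gate (assumed shape): the attachment's container must be visible
# to the user, and the user must hold :view_files on the project.
def downloadable?(user, container)
  container.visible?(user) && user.allowed_to?(:view_files, container.project)
end

# Download decision for a project-bound and a version-bound file.
def access_matrix(enabled_modules)
  project = Project.new(enabled_modules)
  user = User.new(%i[view_issues view_files])
  { project_file: downloadable?(user, project),
    version_file: downloadable?(user, Version.new(project)) }
end

p access_matrix(%i[issue_tracking files]) # both modules enabled
p access_matrix(%i[files])                # issue tracking disabled
```

A matrix test of this kind, run over every container type and module combination, catches authorization checks that silently depend on an unrelated module.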
