Defect #14976

closed

authentication required configurable

Added by Huang Ruhua over 10 years ago. Updated 13 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Wont fix
Affected version:

Description

When the authentication required option is checked, all URLs require login. But I expect some URLs to be accessible to anonymous users, like '/attachments/download/3029/picture431-1.png', or else these images can't be displayed in email.

Actions #1

Updated by Toshi MARUYAMA over 10 years ago

  • Category set to Accounts / authentication

Actions #2

Updated by Huang Ruhua about 10 years ago

When can this issue be fixed?

Actions #3

Updated by Go MAEDA 3 months ago

I think that anonymous users should not be able to view any attachments.

Actions #4

Updated by Holger Just 13 days ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

Attachments are protected data and thus must not be publicly available without authentication. This is ensured by Redmine's authorization rules. If this were not the case, we would consider it a high-severity security issue.

In general, the visibility of attachments is governed by their attached objects (i.e. issues in this case), so that the attachment is visible if the issue is visible to the current user. Thus, users can download attachments if the issue itself is publicly available (i.e. is in a public project in a Redmine which does not enforce authentication) or if the user is logged into Redmine from their current browser / mail client.
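
The rule described in the closing comment, written as a small Ruby decision function. This is an added example, not Redmine's code and not part of the thread; the struct and method names are hypothetical, and project membership stands in for Redmine's full role and permission checks.

```ruby
# Simplified model of the attachment visibility rule from the thread.
# All names are hypothetical; this is not Redmine's implementation.
User = Struct.new(:login, :project_ids) do
  def anonymous?
    login.nil?
  end
end

Project    = Struct.new(:id, :is_public)
Issue      = Struct.new(:id, :project)
Attachment = Struct.new(:filename, :container)

# A request without a session (e.g. a mail client fetching an inline image).
ANONYMOUS = User.new(nil, [])

# The issue is visible when its project is public or the user is a member.
# Assumption: membership stands in for the full role/permission checks.
def issue_visible?(issue, user)
  issue.project.is_public || user.project_ids.include?(issue.project.id)
end

# login_required models the "authentication required" setting: when it is on,
# anonymous requests are rejected before any object-level check runs.
# Otherwise the attachment inherits the visibility of its container issue.
def attachment_downloadable?(attachment, user, login_required:)
  return false if login_required && user.anonymous?
  issue_visible?(attachment.container, user)
end

# Constructed sample data covering the cases discussed in the thread.
def decision_table
  pub      = Attachment.new("inline.png", Issue.new(1, Project.new(10, true)))
  priv     = Attachment.new("report.pdf", Issue.new(2, Project.new(20, false)))
  member   = User.new("alice", [20])
  outsider = User.new("bob", [])
  {
    mail_client_no_session: attachment_downloadable?(pub, ANONYMOUS, login_required: true),
    anon_public_open:       attachment_downloadable?(pub, ANONYMOUS, login_required: false),
    anon_private_open:      attachment_downloadable?(priv, ANONYMOUS, login_required: false),
    member_private_locked:  attachment_downloadable?(priv, member, login_required: true),
    outsider_private_locked: attachment_downloadable?(priv, outsider, login_required: true),
    outsider_public_locked: attachment_downloadable?(pub, outsider, login_required: true)
  }
end

decision_table.each { |name, allowed| puts format("%-24s %s", name, allowed ? "allow" : "deny") }
```

The `mail_client_no_session` row is the reporter's case: with authentication required, an image request that carries no session is denied even when the project is public.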
