Defect #14976
closed
authentication required configurable
0%
Description
when authentication required option is checked, all url required logined. but i expect some url is accessible to anonymous users, like '/attachments/download/3029/picture431-1.png', or else these image can't be displayed in email
Updated by Toshi MARUYAMA almost 12 years ago
- Category set to Accounts / authentication
Updated by
Updated by Go MAEDA over 1 year ago
I think that anonymous users should not be able to view any attachments.
Updated by Holger Just over 1 year ago
- Status changed from New to Closed
- Resolution set to Wont fix
Attachments are protected data and thus must not be publicly available without authentication. This is ensured by Redmine's authorization rules. If this would not be the case, we would consider it a high-severity security issue.
In general, the visibility of attachments is governed by their attached objects (i.e. issues in this case), so that the attachment is visible if the issue is visible to the current user. Thus, users can download attachments if the issue itself is publicly available (i.e. is in a public project in a Redmine which does not enforce authentication) or if the user is logged into Redmine from their current browser / mail client.