Defect #34029
403 Forbidden error when non-member try to upload a file
Status: | New | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 0% | |
Category: | Permissions and roles | |||
Target version: | 5.0.0 | |||
Resolution: | Affected version: | 4.1.1 |
Description
Hello
Our users encountered an error in a specific case, when uploading files.
Here is a screenshot showing the 403-forbidden error after the upload:
Steps to reproduce¶
This error happens in a specific case when the user is not a member of the project.
Here are the steps to reproduce the issue:
- The current user is NOT member of any project
- The build-in role "non-member" has NO permission at all
- In the project's members tab, a role is set for the member "non-member" and this role has permission to create and update issues
Logs¶
On the server side, here are the logs:
Started POST "/uploads.js?attachment_id=1&filename=image-test.jpg&content_type=image%2Fjpeg" for 127.0.0.1 at 2020-09-24 10:30:51 +0200
Processing by AttachmentsController#upload as JS
Parameters: {"attachment_id"=>"1", "filename"=>"image-test.jpg", "content_type"=>"image/jpeg"}
Token Update All (12.1ms) UPDATE "tokens" SET "updated_on" = '2020-09-24 10:30:51.312455' WHERE "tokens"."user_id" = $1 AND "tokens"."value" = $2 AND "tokens"."action" = $3 [["user_id", 14], ["value", "7d688080432d1c8ceafbd03811ad81dbf8193f1f"], ["action", "session"]]
(0.6ms) SELECT MAX("settings"."updated_on") FROM "settings"
User Load (0.5ms) SELECT "users".* FROM "users" WHERE "users"."type" IN ('User', 'AnonymousUser') AND "users"."status" = $1 AND "users"."id" = $2 LIMIT $3 [["status", 1], ["id", 14], ["LIMIT", 1]]
Current user: visitor (id=14)
Role Load (1.0ms) SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "member_roles" ON "member_roles"."role_id" = "roles"."id" INNER JOIN "members" ON "members"."id" = "member_roles"."member_id" INNER JOIN "projects" ON "projects"."id" = "members"."project_id" WHERE (projects.status <> 9) AND "members"."user_id" = 14
Role Load (0.2ms) SELECT "roles".* FROM "roles" WHERE "roles"."builtin" = $1 LIMIT $2 [["builtin", 1], ["LIMIT", 1]]
Filter chain halted as :authorize_global rendered or redirected
Completed 403 Forbidden in 20ms (ActiveRecord: 14.4ms)
Configuration¶
The bug has been confirmed on the latest Redmine version, with no plugin installed.
Environment: Redmine version 4.1.1.stable Ruby version 2.6.6-p146 (2020-03-31) [x86_64-darwin19] Rails version 5.2.4.2 Environment development Database adapter PostgreSQL Mailer queue ActiveJob::QueueAdapters::AsyncAdapter Mailer delivery smtp SCM: Subversion 1.13.0 Git 2.24.1 Filesystem Redmine plugins: no plugin installed
History
#1
Updated by Vincent Robert 7 months ago
- File patch.diff
added
- Target version set to 4.1.2
Please find attached a diff file which contains:
- a system test to reproduce the error
- a patch to fix it
Thank you for considering this patch.
def test_create_issue_with_attachment_when_user_is_not_a_member
set_tmp_attachments_directory
# Set no permission to non-member role
non_member_role = Role.where(:builtin => Role::BUILTIN_NON_MEMBER).first
non_member_role.permissions = []
non_member_role.save
# Set role "Reporter" to non-member users on project ecookbook
membership = Member.find_or_create_by(user_id: Group.non_member.id, project_id: 1)
membership.roles = [Role.find(3)] # Reporter
membership.save
log_user('someone', 'foo')
issue = new_record(Issue) do
visit '/projects/ecookbook/issues/new'
fill_in 'Subject', :with => 'Issue with attachment'
attach_file 'attachments[dummy][file]', Rails.root.join('test/fixtures/files/testfile.txt')
fill_in 'attachments[1][description]', :with => 'Some description'
click_on 'Create'
end
assert_equal 1, issue.attachments.count
assert_equal 'Some description', issue.attachments.first.description
end
# authorize if user has at least one role that has this permission
- roles = self.roles.to_a | [builtin_role]
+ roles = self.roles.to_a | [builtin_role] | Group.non_member.roles.to_a | Group.anonymous.roles.to_a
roles.any? {|role|
role.allowed_to?(action) && ...
#2
Updated by Marius BALTEANU about 1 month ago
- Target version changed from 4.1.2 to 4.2.0
Moving this to a major version (4.2.0) because the proposed patch moves a method from one class to another.
#3
Updated by Marius BALTEANU 26 days ago
- Target version changed from 4.2.0 to 5.0.0
Need more time to review and fix.