diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index 9ea9ac48..07fee126 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -17,7 +17,7 @@ class AttachmentsController < ApplicationController
 layout 'base'
- before_filter :find_project, :check_project_privacy
+ before_filter :find_project
 def show
 if @attachment.is_diff?
@@ -32,6 +32,8 @@ class AttachmentsController < ApplicationController
 end
 def download
+ @attachment.increment_download if @attachment.container.is_a?(Version)
+ # images are sent inline
 send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
 :type => @attachment.content_type,
@@ -41,9 +43,11 @@ class AttachmentsController < ApplicationController
 private
 def find_project
 @attachment = Attachment.find(params[:id])
- #render_404 and return false unless File.readable?(@attachment.diskfile)
 @project = @attachment.project
- #rescue
- # render_404
+ permission = @attachment.container.is_a?(Version) ? :view_files : "view_#{@attachment.container.class.name.underscore.pluralize}".to_sym
+ allowed = User.current.allowed_to?(permission, @project)
+ allowed ? true : (User.current.logged? ? render_403 : require_login)
+ rescue ActiveRecord::RecordNotFound
+ render_404
 end
 end
diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb
index 7e732b9b..1f0784bb 100644
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
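Review bot: With `:check_project_privacy` removed from the filter chain, `find_project` is now the only authorization gate in front of both `show` and `download`, so the `User.current.allowed_to?` call it makes has to cover everything the dropped filter did — in particular refusing archived projects, which a plain permission lookup may not do unless `allowed_to?` itself tests the project's active state (not visible from this diff). If that is not guaranteed, keeping both filters, `before_filter :find_project, :check_project_privacy`, costs one line and gives defense in depth on a controller that serves any uploaded file by numeric id. The body of `show` continues outside the hunk.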
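Review bot: The new comment `# images are sent inline` documents a disposition that lets the browser render the upload in the application's origin with `:type => @attachment.content_type`, and if that content type is whatever the uploading client declared, an attacker can store an SVG or HTML payload under an image type and have it run script in the viewer's session when the link is opened. Inline delivery should be decided server-side from an allowlist of raster types, e.g. `inline = %w(image/png image/gif image/jpeg).include?(@attachment.content_type)`, with everything else forced to `'attachment'`. Separately, `increment_download` is now called only for `Version` containers, while the `DocumentsController#download` this commit removes counted document downloads as well, so document download statistics silently stop — worth confirming that is intended. The `send_file` call, including its disposition option, continues past the end of the hunk.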
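Review bot: The permission name built at `permission = ... "view_#{@attachment.container.class.name.underscore.pluralize}".to_sym` is derived from the container's class, so any container type whose view permission does not follow the `view_<plural>` naming is denied with a 403 rather than served, and an attachment whose `container` is nil yields `:view_nil_classes` (and presumably a nil `@project`) instead of the 404 that the new `rescue ActiveRecord::RecordNotFound` clause exists to produce. An explicit class-to-permission table makes the set of containers this controller will serve reviewable and turns every unlisted case into a 404, as sketched below. Note also that the check is per project and container type only; it does not verify that the caller may see the specific container the file belongs to, whereas the removed `@document.attachments.find(...)` in DocumentsController at least scoped the lookup to a document that controller had presumably already loaded and authorized.
```ruby
  # Container class -> permission needed to read its attachments.
  # Anything not listed here (including a missing container) is a 404.
  CONTAINER_PERMISSIONS = { 'Version' => :view_files, 'Document' => :view_documents }.freeze
  # … list the remaining container classes this controller must serve …

  def find_project
    @attachment = Attachment.find(params[:id])
    @project = @attachment.project
    permission = CONTAINER_PERMISSIONS[@attachment.container.class.name]
    unless permission && @project
      render_404
      return false
    end
    allowed = User.current.allowed_to?(permission, @project)
    allowed ? true : (User.current.logged? ? render_403 : require_login)
  rescue ActiveRecord::RecordNotFound
    render_404
  end
```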
@@ -65,15 +65,6 @@ class DocumentsController < ApplicationController
 @document.destroy
 redirect_to :controller => 'documents', :action => 'index', :project_id => @project
 end
-
- def download
- @attachment = @document.attachments.find(params[:attachment_id])
- @attachment.increment_download
- send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
- :type => @attachment.content_type
- rescue
- render_404
- end
 def add_attachment
 attachments = attach_files(@document, params[:attachments])
diff --git a/app/controllers/versions_controller.rb b/app/controllers/versions_controller.rb
index aeb802cc..5d3393ed 100644
--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -37,15 +37,6 @@ class VersionsController < ApplicationController
 flash[:error] = "Unable to delete version"
 redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
 end
-
- def download
- @attachment = @version.attachments.find(params[:attachment_id])
- @attachment.increment_download
- send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
- :type => @attachment.content_type
- rescue
- render_404
- end
 def destroy_file
 @version.attachments.find(params[:attachment_id]).destroy
diff --git a/app/views/projects/list_files.rhtml b/app/views/projects/list_files.rhtml
index f385229a..43687c50 100644
--- a/app/views/projects/list_files.rhtml
+++ b/app/views/projects/list_files.rhtml
@@ -23,8 +23,8 @@
 <% for file in version.attachments %>