From 62fee35f001eb4a2b6ec79e8fcf05e6035f2afaa Mon Sep 17 00:00:00 2001 From: Marius Balteanu Date: Fri, 28 Mar 2025 07:48:48 +0000 Subject: [PATCH] Force format to html for the download_named_attachment route (#42394). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch by Jens Krämer (user:jkraemer). git-svn-id: https://svn.redmine.org/redmine/trunk@23581 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 config/routes.rb | 2 +- test/integration/attachments_test.rb | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/config/routes.rb b/config/routes.rb
index 03dc70740..ad83deac0 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -316,7 +316,7 @@ Rails.application.routes.draw do
 # additional routes for having the file name at the end of url
 get 'attachments/:id/:filename', :to => 'attachments#show', :id => /\d+/, :filename => /.*/, :as => 'named_attachment', :format => 'html'
- get 'attachments/download/:id/:filename', :to => 'attachments#download', :id => /\d+/, :filename => /.*/, :as => 'download_named_attachment'
+ get 'attachments/download/:id/:filename', :to => 'attachments#download', :id => /\d+/, :filename => /.*/, :as => 'download_named_attachment', format: 'html'
 get 'attachments/download/:id', :to => 'attachments#download', :id => /\d+/
 get 'attachments/thumbnail/:id(/:size)', :to => 'attachments#thumbnail', :id => /\d+/, :size => /\d+/, :as => 'thumbnail'
 resources :attachments, :only => [:show, :update, :destroy]
diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb
index f6a30d061..80d2040a1 100644
--- a/test/integration/attachments_test.rb
+++ b/test/integration/attachments_test.rb
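Review bot: The new `format: 'html'` default on the `download_named_attachment` route has no comment saying why it is pinned, and the reason looks security-relevant: going by the test added in this commit, it is what makes an anonymous request for a URL ending in `error281.txt` redirect to the login page, presumably because the extension would otherwise be taken as the request format. A line above the two named routes such as `# :format is forced to html so the extension in :filename never selects the response format (keeps the login redirect)` would stop a later cleanup from dropping it. As a style point, the changed line now mixes hash syntaxes; `:format => 'html'` would match the `named_attachment` route directly above it. The `routes.draw` block starts and ends outside the hunk.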
@@ -267,6 +267,16 @@ class AttachmentsTest < Redmine::IntegrationTest
 end
 end
+ def test_unauthorized_named_download_link_should_redirect_to_login
+ with_settings login_required: '1' do
+ get "/attachments/download/1"
+ assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fdownload%2F1"
+
+ get "/attachments/download/1/error281.txt"
+ assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fdownload%2F1%2Ferror281.txt"
+ end
+ end
+
 private
 def ajax_upload(filename, content, attachment_id=1)
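Review bot: The new test pins the login redirect for a single extension (`.txt`) and for the download route only, so a regression for other extensions, or for the sibling `named_attachment` route that relies on the same forced format, would go unnoticed. One more pair with an extension that is commonly treated as an API format, for example (constructed filename) `get "/attachments/download/1/error281.json"` with its matching `assert_redirected_to`, plus the same check against `/attachments/1/error281.txt`, would cover both; this assumes the login check runs before the filename is compared with the stored attachment, which the hunk does not show. The method name says "named" although its first assertion exercises the unnamed `/attachments/download/1` URL, so a short comment such as `# baseline: the unnamed link already redirects` would make the intent clear. The enclosing `AttachmentsTest` class starts and ends outside the hunk.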