Fixes attachments functionality for (custom) plugins broken since fix for CVE-2022-44030 by adding a dynamic routing constraint which can be modified by plugins (#39862).

Patch by @jkraemer. git-svn-id: https://svn.redmine.org/redmine/trunk@22551 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-13 08:46:01 +01:00 · 2023-12-22 02:08:53 +00:00
parent cb10b529cb
commit c17b42509b
4 changed files with 34 additions and 1 deletions
--- a/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
+++ b/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb
@@ -20,6 +20,30 @@
 module Redmine
  module Acts
    module Attachable
+
+      class ObjectTypeConstraint
+        cattr_accessor :object_types
+
+        self.object_types = Concurrent::Set.new(%w[
+          issues versions news messages wiki_pages projects documents journals
+        ])
+
+        class << self
+          def matches?(request)
+            request.path_parameters[:object_type] =~ param_expression
+          end
+
+          def register_object_type(type)
+            object_types << type
+            @param_expression = nil
+          end
+
+          def param_expression
+            @param_expression ||= Regexp.new("^(#{object_types.join("|")})$")
+          end
+        end
+      end
+
      def self.included(base)
        base.extend ClassMethods
      end