From d98b65804bb561eca9cf729c29cf4aefae36f7f2 Mon Sep 17 00:00:00 2001 From: Marius Balteanu Date: Sat, 29 Mar 2025 13:52:41 +0000 Subject: [PATCH] Merged r23581, r23582 and r23583 from trunk to 5.1-stable (#42394). git-svn-id: https://svn.redmine.org/redmine/branches/5.1-stable@23585 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- config/routes.rb | 2 +- test/integration/api_test/attachments_test.rb | 2 +- test/integration/attachments_test.rb | 10 ++++++++++ test/integration/routing/attachments_test.rb | 2 +- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/config/routes.rb b/config/routes.rb index d5296b3c3..0457ff1ef 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -313,7 +313,7 @@ Rails.application.routes.draw do # additional routes for having the file name at the end of url get 'attachments/:id/:filename', :to => 'attachments#show', :id => /\d+/, :filename => /.*/, :as => 'named_attachment', :format => 'html' - get 'attachments/download/:id/:filename', :to => 'attachments#download', :id => /\d+/, :filename => /.*/, :as => 'download_named_attachment' + get 'attachments/download/:id/:filename', :to => 'attachments#download', :id => /\d+/, :filename => /.*/, :as => 'download_named_attachment', :format => 'html' get 'attachments/download/:id', :to => 'attachments#download', :id => /\d+/ get 'attachments/thumbnail/:id(/:size)', :to => 'attachments#thumbnail', :id => /\d+/, :size => /\d+/, :as => 'thumbnail' resources :attachments, :only => [:show, :update, :destroy] diff --git a/test/integration/api_test/attachments_test.rb b/test/integration/api_test/attachments_test.rb index d07e22a66..32c08a067 100644 --- a/test/integration/api_test/attachments_test.rb +++ b/test/integration/api_test/attachments_test.rb @@ -63,7 +63,7 @@ class Redmine::ApiTest::AttachmentsTest < Redmine::ApiTest::Base test "GET /attachments/download/:id/:filename should deny access without credentials" do get '/attachments/download/7/archive.zip' - assert_response 401 + assert_response 302 end test "GET /attachments/thumbnail/:id should return the thumbnail" do diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb index fc64df3ee..e0a78ca9b 100644 --- a/test/integration/attachments_test.rb +++ b/test/integration/attachments_test.rb @@ -267,6 +267,16 @@ class AttachmentsTest < Redmine::IntegrationTest end end + def test_unauthorized_named_download_link_should_redirect_to_login + with_settings login_required: '1' do + get "/attachments/download/1" + assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fdownload%2F1" + + get "/attachments/download/1/error281.txt" + assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fdownload%2F1%2Ferror281.txt" + end + end + private def ajax_upload(filename, content, attachment_id=1) diff --git a/test/integration/routing/attachments_test.rb b/test/integration/routing/attachments_test.rb index 15e61635b..18b411f99 100644 --- a/test/integration/routing/attachments_test.rb +++ b/test/integration/routing/attachments_test.rb @@ -26,7 +26,7 @@ class RoutingAttachmentsTest < Redmine::RoutingTest should_route 'GET /attachments/1/filename.txt' => 'attachments#show', :id => '1', :filename => 'filename.txt', :format => 'html' should_route 'GET /attachments/download/1' => 'attachments#download', :id => '1' - should_route 'GET /attachments/download/1/filename.ext' => 'attachments#download', :id => '1', :filename => 'filename.ext' + should_route 'GET /attachments/download/1/filename.ext' => 'attachments#download', :id => '1', :filename => 'filename.ext', :format => 'html' should_route 'GET /attachments/thumbnail/1' => 'attachments#thumbnail', :id => '1' should_route 'GET /attachments/thumbnail/1/200' => 'attachments#thumbnail', :id => '1', :size => '200'