File view permissions issue

[hibit-2709]

After upgrade plugin from 2.4.11 to 3.0.10. User has permission view_dmsf_files. We hope that it permits to download file linked by macro {{dmsf()}}. In version 3.0.10 to download file user must have also permission view_dmsf_folders. But we don't want to allow browsing DMS by all users.

Any suggestions?

[picman]

That is strange. I have just tested it as follows:

• I have a user with a role Reporter in the project ant the following permissions:
• I have a wiki page with a macro {{dmsf(id)}} id - ID of a document stored by that project.
• The user doesn't see DMS tab but can click on the macro and see or download the document So, I'd say it works as expected. At least in DMSF v3.0.12.

[hibit-2709]

I brought Redmine to the state as in the picture

I'm sorry, but the data remained. In addition to DMS, we have normally a few more plugins. And still don't have permission to download. I try with dedicated role, and as Non member (permission to view dmsf files). Plugins are deleted not uninstalled. Is it possible MySQL table corruption?

[picman]

• A user assigned to the project.
• The user has a role with View documents right.
• You have a wiki page that belongs to the project.
• You have a DMSF macro link to a document in the top (not in a sub-folder) in the same project.
• If you click it, it shows 443 Forbidden?

What does say log/production.log?

[hibit-2709]

I, [2023-03-22T10:48:27.468646 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Started GET "/issues" for 127.0.0.1 at 2023-03-22 10:48:27 +0100 I, [2023-03-22T10:48:27.469696 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Processing by IssuesController#index as HTML I, [2023-03-22T10:48:27.533257 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Current user: Bolek (id=60) I, [2023-03-22T10:48:28.342195 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Rendered issues/index.html.erb within layouts/base (Duration: 285.3ms | Allocations: 183908) I, [2023-03-22T10:48:28.382020 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Rendered layout layouts/base.html.erb (Duration: 325.2ms | Allocations: 195583) I, [2023-03-22T10:48:28.382356 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Completed 200 OK in 913ms (Views: 208.8ms | ActiveRecord: 461.4ms | Allocations: 401404) I, [2023-03-22T10:48:31.443345 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Started GET "/dmsf/files/20846/view" for 127.0.0.1 at 2023-03-22 10:48:31 +0100 I, [2023-03-22T10:48:31.444056 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Processing by DmsfFilesController#view as HTML I, [2023-03-22T10:48:31.444101 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Parameters: {"id"=>"20846"} I, [2023-03-22T10:48:31.449850 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Current user: Bolek (id=60) I, [2023-03-22T10:48:31.488849 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Rendered common/error.html.erb within layouts/base (Duration: 1.4ms | Allocations: 290) I, [2023-03-22T10:48:31.544799 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Rendered layout layouts/base.html.erb (Duration: 57.5ms | Allocations: 15572) I, [2023-03-22T10:48:31.544958 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Filter chain halted as :permissions rendered or redirected I, [2023-03-22T10:48:31.545036 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Completed 403 Forbidden in 101ms (Views: 34.6ms | ActiveRecord: 38.3ms | Allocations: 26465)

[picman]

Hm, that is strange. I don't know.

[hibit-2709]

I made further attempts. Freshly installed Redmine. Document in the top - OK. Document in sub-folder - Forbidden (????? 'view_dmsf_files' don't suggest that) 100% our documents (about 20000) are in sub-folders.

[picman]

Very well. We move further now. It is related to documents in sub-folders only. I can reproduce the error now.

[picman]

Could you test in in the devel branch?

[hibit-2709]

Still forbidden

[hibit-2709]

In my opinion, patch of dmsf_folder.rb return false instead of true.

[picman]

Haven't you got any permissions defined in the folder?

[hibit-2709]

We don't use any permissions on folders. P.S. In macro {{dmsf()}} is duplicated permission check. Is it intentional?

[picman]

Where?

[hibit-2709]

In file marcos.rb I'm found duplicated

    unless User.current&.allowed_to?(:view_dmsf_files, file.project, { id: file.id })
      raise l(:notice_not_authorized)
    end

Definition of macro 'dmsf'

[picman]

This permission check is related to whether to display the macro or not. I see no duplicity here.

[hibit-2709]

You check the same permissions before and after determination of revision. But file.project and file.id are not changed.

[picman]

You're right. The duplicity removed.

[hibit-2709]

Why? We still have a problem.

[picman]

Add some log messages directly into the code to find why the function returns false instead o true. I cannot reproduce your problem and therefore cannot help you.

e.g. Rails.logger.info

def self.permissions?(folder, allow_system = true, file = false)
Rails.logger.info ">>> self.permissions?(#{file})"
    # Administrator?
    return true if (User.current&.admin? || folder.nil?)
Rails.logger.info ">>> not admin"
    # Permissions to the project?
    # If file is true we work just with the file and not viewing the folder
    return false unless file || User.current&.allowed_to?(:view_dmsf_folders, folder.project)
Rails.logger.info ">>> allowed to view folders or it is a file"
    # System folder?
    if folder && folder.system
      return false unless allow_system || User.current.allowed_to?(:display_system_folders, folder.project)
      return false if folder.issue && !folder.issue.visible?(User.current)
    end
Rails.logger.info ">>> it is not a system folder"
    # Permissions to the folder?
    if folder.dmsf_folder_permissions.any?
      role_ids = User.current.roles_for_project(folder.project).map{ |r| r.id }
      role_permission_ids = folder.dmsf_folder_permissions.roles.map{ |p| p.object_id }
      return true if (role_ids & role_permission_ids).any?
      principal_ids = folder.dmsf_folder_permissions.users.map{ |p| p.object_id }
      return true if principal_ids.include?(User.current.id)
      user_group_ids = User.current.groups.map{ |g| g.id }
      return true if (principal_ids & user_group_ids).any?
      return false
    end
Rails.logger.info ">>> There are no permissions"
Rails.logger.info ">>> Check the parent folder"
    DmsfFolder.permissions?(folder.dmsf_folder, allow_system)
  end

[hibit-2709]

Processing by DmsfFilesController#view as HTML Parameters: {"id"=>"20846"} Current user: xxxxx (id=290)

self.permissions?(false) not admin self.permissions?(true) not admin allowed to view folders or it is a file it is not a system folder There are no permissions Check the parent folder self.permissions?(false) not admin Rendered common/error.html.erb within layouts/base (Duration: 0.6ms | Allocations: 359) Rendered layout layouts/base.html.erb (Duration: 49.6ms | Allocations: 19118) Filter chain halted as :permissions rendered or redirected Completed 403 Forbidden in 107ms (Views: 41.4ms | ActiveRecord: 22.8ms | Allocations: 33179)

[picman]

Thank you. That helped me to identify the problem. It should be fixed now.