Closed hibit-2709 closed 1 year ago
That is strange. I have just tested it as follows:
{{dmsf(id)}}
id - ID of a document stored by that project.I brought Redmine to the state as in the picture
I'm sorry, but the data remained. In addition to DMS, we have normally a few more plugins. And still don't have permission to download. I try with dedicated role, and as Non member (permission to view dmsf files). Plugins are deleted not uninstalled. Is it possible MySQL table corruption?
What does say log/production.log?
I, [2023-03-22T10:48:27.468646 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Started GET "/issues" for 127.0.0.1 at 2023-03-22 10:48:27 +0100 I, [2023-03-22T10:48:27.469696 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Processing by IssuesController#index as HTML I, [2023-03-22T10:48:27.533257 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Current user: Bolek (id=60) I, [2023-03-22T10:48:28.342195 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Rendered issues/index.html.erb within layouts/base (Duration: 285.3ms | Allocations: 183908) I, [2023-03-22T10:48:28.382020 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Rendered layout layouts/base.html.erb (Duration: 325.2ms | Allocations: 195583) I, [2023-03-22T10:48:28.382356 #2980221] INFO -- : [59372e09-f3b6-4b68-afb0-79978010862b] Completed 200 OK in 913ms (Views: 208.8ms | ActiveRecord: 461.4ms | Allocations: 401404) I, [2023-03-22T10:48:31.443345 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Started GET "/dmsf/files/20846/view" for 127.0.0.1 at 2023-03-22 10:48:31 +0100 I, [2023-03-22T10:48:31.444056 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Processing by DmsfFilesController#view as HTML I, [2023-03-22T10:48:31.444101 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Parameters: {"id"=>"20846"} I, [2023-03-22T10:48:31.449850 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Current user: Bolek (id=60) I, [2023-03-22T10:48:31.488849 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Rendered common/error.html.erb within layouts/base (Duration: 1.4ms | Allocations: 290) I, [2023-03-22T10:48:31.544799 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Rendered layout layouts/base.html.erb (Duration: 57.5ms | Allocations: 15572) I, [2023-03-22T10:48:31.544958 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Filter chain halted as :permissions rendered or redirected I, [2023-03-22T10:48:31.545036 #2980221] INFO -- : [fe3a1a14-2437-4a57-beb1-dfedf3703115] Completed 403 Forbidden in 101ms (Views: 34.6ms | ActiveRecord: 38.3ms | Allocations: 26465)
Hm, that is strange. I don't know.
I made further attempts. Freshly installed Redmine. Document in the top - OK. Document in sub-folder - Forbidden (????? 'view_dmsf_files' don't suggest that) 100% our documents (about 20000) are in sub-folders.
Very well. We move further now. It is related to documents in sub-folders only. I can reproduce the error now.
Could you test in in the devel branch?
Still forbidden
In my opinion, patch of dmsf_folder.rb return false instead of true.
Haven't you got any permissions defined in the folder?
We don't use any permissions on folders. P.S. In macro {{dmsf()}} is duplicated permission check. Is it intentional?
Where?
In file marcos.rb I'm found duplicated
unless User.current&.allowed_to?(:view_dmsf_files, file.project, { id: file.id }) raise l(:notice_not_authorized) end
Definition of macro 'dmsf'
This permission check is related to whether to display the macro or not. I see no duplicity here.
You check the same permissions before and after determination of revision. But file.project and file.id are not changed.
You're right. The duplicity removed.
Why? We still have a problem.
Add some log messages directly into the code to find why the function returns false instead o true. I cannot reproduce your problem and therefore cannot help you.
e.g. Rails.logger.info
def self.permissions?(folder, allow_system = true, file = false)
Rails.logger.info ">>> self.permissions?(#{file})"
# Administrator?
return true if (User.current&.admin? || folder.nil?)
Rails.logger.info ">>> not admin"
# Permissions to the project?
# If file is true we work just with the file and not viewing the folder
return false unless file || User.current&.allowed_to?(:view_dmsf_folders, folder.project)
Rails.logger.info ">>> allowed to view folders or it is a file"
# System folder?
if folder && folder.system
return false unless allow_system || User.current.allowed_to?(:display_system_folders, folder.project)
return false if folder.issue && !folder.issue.visible?(User.current)
end
Rails.logger.info ">>> it is not a system folder"
# Permissions to the folder?
if folder.dmsf_folder_permissions.any?
role_ids = User.current.roles_for_project(folder.project).map{ |r| r.id }
role_permission_ids = folder.dmsf_folder_permissions.roles.map{ |p| p.object_id }
return true if (role_ids & role_permission_ids).any?
principal_ids = folder.dmsf_folder_permissions.users.map{ |p| p.object_id }
return true if principal_ids.include?(User.current.id)
user_group_ids = User.current.groups.map{ |g| g.id }
return true if (principal_ids & user_group_ids).any?
return false
end
Rails.logger.info ">>> There are no permissions"
Rails.logger.info ">>> Check the parent folder"
DmsfFolder.permissions?(folder.dmsf_folder, allow_system)
end
Processing by DmsfFilesController#view as HTML Parameters: {"id"=>"20846"} Current user: xxxxx (id=290)
self.permissions?(false) not admin self.permissions?(true) not admin allowed to view folders or it is a file it is not a system folder There are no permissions Check the parent folder self.permissions?(false) not admin Rendered common/error.html.erb within layouts/base (Duration: 0.6ms | Allocations: 359) Rendered layout layouts/base.html.erb (Duration: 49.6ms | Allocations: 19118) Filter chain halted as :permissions rendered or redirected Completed 403 Forbidden in 107ms (Views: 41.4ms | ActiveRecord: 22.8ms | Allocations: 33179)
Thank you. That helped me to identify the problem. It should be fixed now.
After upgrade plugin from 2.4.11 to 3.0.10. User has permission view_dmsf_files. We hope that it permits to download file linked by macro {{dmsf()}}. In version 3.0.10 to download file user must have also permission view_dmsf_folders. But we don't want to allow browsing DMS by all users.
Any suggestions?