A user with the following permission flags:

bcfhjkmnprtw

for a site in which the virtual users Reader, Developer, Anonymous and
Nobody have no default privileges, cannot download an attachment directly
from a wiki page attachments list.  The list points to URIs such as this
one:

https://www.example.com/artifact/66a9b2083b1ad09a

This is because the Read permission is needed to download a raw artifact.

However, the same user may access the attachment via a different URI:

https://www.example.com/attachdownload?file=file_name.exe&page=Wiki+Page+Name

This bounces the user through a code path that does this (attach.c):

  g.perm.Read = 1;
  cgi_replace_parameter("name",zUUID);
  if( fossil_strcmp(g.zPath,"attachview")==0 ){
    artifact_page();
  }else{
    cgi_replace_parameter("m", mimetype_from_name(zFile));
    rawartifact_page();
  }

i.e. pretend the user has read permission for this request, and press on to
download the thing.

So it would be more convenient for the wiki page to link to the permissive
URI rather than the restrictive one.

Note that a similar issue exists with tickets.  A user permitted to view
tickets should be able to conveniently download the objects attached to the
ticket.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
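
An added example, not part of the original message and not Fossil's own code: a sketch of the link selection the message proposes, where the attachments list emits the /artifact URI only when the user holds Read and otherwise emits the /attachdownload URI. The helper names are hypothetical. The capability letters 'o' (Read) and 'j' (read wiki), and the idea that /attachdownload authorizes a wiki attachment through read-wiki, are assumptions not stated in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Form-encode src into dst (size n): unreserved characters pass through,
** a space becomes '+', anything else becomes %XX. Returns -1 if dst is too small. */
static int form_encode(const char *src, char *dst, size_t n){
  static const char hex[] = "0123456789ABCDEF";
  size_t o = 0;
  for(; *src; src++){
    unsigned char c = (unsigned char)*src;
    int plain = isalnum(c) || strchr("-._~", c)!=NULL;
    if( o + ((plain || c==' ') ? 1 : 3) >= n ) return -1;
    if( plain ){ dst[o++] = (char)c; }
    else if( c==' ' ){ dst[o++] = '+'; }
    else{ dst[o++] = '%'; dst[o++] = hex[c>>4]; dst[o++] = hex[c&15]; }
  }
  dst[o] = 0;
  return 0;
}

/* Hypothetical helper: choose the href for one wiki-page attachment.
** Returns 0 with the link in out, 1 if no link should be shown, -1 on error.
** Assumed capability letters: 'o' = Read, 'j' = read wiki. */
int attachment_href(const char *zCaps, const char *zUuid, const char *zFile,
                    const char *zPage, char *out, size_t n){
  char f[256], p[256];
  int len;
  if( strchr(zCaps, 'o') ){
    /* Raw artifact access is allowed, so the direct URI works. */
    len = snprintf(out, n, "/artifact/%s", zUuid);
  }else if( strchr(zCaps, 'j') ){
    /* No Read: use the route that authorizes via the owning wiki page. */
    if( form_encode(zFile, f, sizeof f) || form_encode(zPage, p, sizeof p) ) return -1;
    len = snprintf(out, n, "/attachdownload?file=%s&page=%s", f, p);
  }else{
    return 1;  /* Neither route is open: do not render a dead link. */
  }
  return (len<0 || (size_t)len>=n) ? -1 : 0;
}

int main(void){
  char buf[600];
  /* Flags, artifact id and names taken from the message above. */
  if( attachment_href("bcfhjkmnprtw", "66a9b2083b1ad09a", "file_name.exe",
                      "Wiki Page Name", buf, sizeof buf)==0 ) puts(buf);
  return 0;
}
```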
