diff options
| author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-02-15 11:51:21 +0400 |
|---|---|---|
| committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-02-15 11:51:21 +0400 |
| commit | f6cc71bc36283223a10f3004121be34f06547d94 (patch) | |
| tree | dba91224d9aaed64018fc7a1b763212ea08e27e1 /app | |
| parent | 4821aa6c251a1a2eb4f1fac7bf0f2897a435b48b (diff) | |
Per project protection
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/files_controller.rb | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb index 09f1e5512d6..3cd2e77322c 100644 --- a/app/controllers/files_controller.rb +++ b/app/controllers/files_controller.rb @@ -1,7 +1,13 @@ class FilesController < ApplicationController def download - uploader = Note.find(params[:id]).attachment - send_file uploader.file.path, disposition: 'attachment' + note = Note.find(params[:id]) + + if can?(current_user, :read_project, note.project) + uploader = note.attachment + send_file uploader.file.path, disposition: 'attachment' + else + not_found! + end end end |