Further refinement for issue #340

author: Seb Bacon <seb.bacon@gmail.com> 2012-01-13 10:46:30 +0000
committer: Seb Bacon <seb.bacon@gmail.com> 2012-01-13 10:46:30 +0000
commit: 4808347cb65556756d38b60b25fa9761f92c4513 (patch)
tree: 3ecc31a6ba1c86dda177899b64d001eaa1d42d2e /app/controllers/request_controller.rb
parent: ec7a0c92f2b09c6b4d4d747d0b492bf9bd45c8ac (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index fbf862af3..af0ac4a46 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -601,10 +601,10 @@ class RequestController < ApplicationController
 
     before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ]
     def authenticate_attachment
-        # Test for hidden
-        if request.path =~ /\/$/ 
+        if request.path =~ /\/$/ || !(params[:part] =~ /^\d+$/)
             raise PermissionDenied.new("Directory listing not allowed")
         else
+            # Test for hidden
             incoming_message = IncomingMessage.find(params[:incoming_message_id])
             if !incoming_message.info_request.user_can_view?(authenticated_user)
                 @info_request = incoming_message.info_request # used by view
author	Seb Bacon <seb.bacon@gmail.com>	2012-01-13 10:46:30 +0000
committer	Seb Bacon <seb.bacon@gmail.com>	2012-01-13 10:46:30 +0000
commit	4808347cb65556756d38b60b25fa9761f92c4513 (patch)
tree	3ecc31a6ba1c86dda177899b64d001eaa1d42d2e /app/controllers/request_controller.rb
parent	ec7a0c92f2b09c6b4d4d747d0b492bf9bd45c8ac (diff)