-rw-r--r-- | app/controllers/request_controller.rb | 4 | ||||
-rw-r--r-- | spec/integration/errors_spec.rb | 2 |
2 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index fbf862af3..af0ac4a46 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -601,10 +601,10 @@ class RequestController < ApplicationController
     before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ]
     def authenticate_attachment
-        # Test for hidden
-        if request.path =~ /\/$/
+        if request.path =~ /\/$/ || !(params[:part] =~ /^\d+$/)
             raise PermissionDenied.new("Directory listing not allowed")
         else
+            # Test for hidden
             incoming_message = IncomingMessage.find(params[:incoming_message_id])
             if !incoming_message.info_request.user_can_view?(authenticated_user)
                 @info_request = incoming_message.info_request # used by view
diff --git a/spec/integration/errors_spec.rb b/spec/integration/errors_spec.rb
index 8084bb35a..705c1fff8 100644
--- a/spec/integration/errors_spec.rb
+++ b/spec/integration/errors_spec.rb
@@ -48,6 +48,8 @@ describe "When rendering errors" do
     it "should render a 403 for attempts at directory listing for attachments" do
         get("/request/5/response/4/attach/html/3/" )
         response.code.should == "403"
+        get("/request/5/response/4/attach/html" )
+        response.code.should == "403"
     end
     it "should render a 404 for non-existent 'details' pages for requests" do
         get("/details/request/wobble" ) |
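Review bot: The new `params[:part]` guard in `authenticate_attachment` uses `/^\d+$/`, and in Ruby `^` and `$` anchor to line boundaries rather than to the whole string, so a multi-line value whose first line is digits still passes the check even though the rest of it is not a number. Since this regexp is the whole-string validation that decides whether the request is rejected, it should be anchored with `\A` and `\z`: `if request.path =~ /\/$/ || !(params[:part] =~ /\A\d+\z/)`. The same line-anchor caveat applies to the existing `/\/$/` path test, which also matches a path ending in a slash followed by a newline. Note that a missing `params[:part]` yields `nil =~ regexp`, i.e. nil, so the negation correctly denies the part-less route the spec exercises. The `# Test for hidden` comment has been moved above the `IncomingMessage.find` line, which it does not describe; the hidden check is the `user_can_view?` branch two lines down, and the method body continues past the end of the hunk.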
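Review bot: The added spec lines only exercise the new guard by omitting the part segment entirely; the controller change also rejects any value of `params[:part]` that is not purely digits, and no expectation covers that branch. A third request such as `get("/request/5/response/4/attach/html/abc/" )` followed by `response.code.should == "403"` would pin that behaviour and, if the regexp is later tightened to `\A`/`\z` anchors, catch a regression there too. The 403 for the trailing-slash case is already covered by the first request in this `it` block.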