diff options
Diffstat (limited to 'app/controllers/request_controller.rb')
| -rw-r--r-- | app/controllers/request_controller.rb | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 99aa3c7ea..af0ac4a46 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -601,12 +601,13 @@ class RequestController < ApplicationController before_filter :authenticate_attachment, :only => [ :get_attachment, :get_attachment_as_html ] def authenticate_attachment - # Test for hidden - if request.path =~ /\/$/ + if request.path =~ /\/$/ || !(params[:part] =~ /^\d+$/) raise PermissionDenied.new("Directory listing not allowed") else + # Test for hidden incoming_message = IncomingMessage.find(params[:incoming_message_id]) if !incoming_message.info_request.user_can_view?(authenticated_user) + @info_request = incoming_message.info_request # used by view render :template => 'request/hidden', :status => 410 # gone end end |