Fossil

View Ticket
Login
Ticket UUID: a7eff56a933249258f0d902da3736ad62382e53d
Title: Attachment Download Link
Status: Fixed Type: Feature_Request
Severity: Cosmetic Priority:
Subsystem: Resolution: Fixed
Last Modified: 2010-09-27 08:51:10
Version Found In: d090292800
Description:
When viewing an attachment on a ticket if the user clicks "Download" and doesn't have the necessary privileges they are redirected to the login page. If the user doesn't have permission to download attachments maybe the link just shouldn't show up?

<hr><i>anonymous claiming to be anonymous  added on 2010-09-04 07:37:43:</i><br>
What is the goal of forbidding attachment downloading while allowing to view it? User can just copy-paste text attachment or run a simple script to reconstruct binary attachment from shown hex-dump, so why do such restriction exist?

<hr /><i>anonymous added on 2010-09-27 08:51:10:</i><br />
Attachments and checkouts both result in files transferred from the repository to the user, but it is not clear that the same permission flag (checkout) should be used for both.

The wiki/ticket system attachments are informational in nature and could be of interest to users who are not developers, to whom checkout is usually restricted.

I suggest that ability to read a wiki/ticket should be sufficient privilege to download any attachment to it.