diff --git a/app/services/info_request_batch_zip.rb b/app/services/info_request_batch_zip.rb
index 8826fe4e8a..29bed4e8b1 100644
--- a/app/services/info_request_batch_zip.rb
+++ b/app/services/info_request_batch_zip.rb
@@ -103,6 +103,7 @@ def prepare_incoming_message(message)
   def prepare_foi_attachment(attachment)
     message = attachment.incoming_message
     return if cannot?(:read, message)
+    return if cannot?(:read, attachment)
 
     sent_at = message.sent_at.to_formatted_s(:filename)
 
diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
index e1d2de07de..181fe3b87d 100644
--- a/config/initializers/alaveteli.rb
+++ b/config/initializers/alaveteli.rb
@@ -10,7 +10,7 @@
 load "util.rb"
 
 # Application version
-ALAVETELI_VERSION = '0.46.2.1'
+ALAVETELI_VERSION = '0.46.3.0'
 
 # Add new inflection rules using the following format
 # (all these examples are active by default):
diff --git a/doc/CHANGES.md b/doc/CHANGES.md
index ddf580b342..95d2b8423c 100644
--- a/doc/CHANGES.md
+++ b/doc/CHANGES.md
@@ -1,10 +1,9 @@
-# 0.46.2.0
+# 0.46.3.0
 
 ## Highlighted Features
 
-* Use SecureRandom when generating tokens.
-* This release includes an update to the commonlib submodule - you
-  should be warned about this when running `rails-post-deploy`.
+* Fix visibility check for attachments when downloading a batch request as a zip
+  file (Gareth Rees)
 
 # 0.46.2.0
 
@@ -261,6 +260,21 @@ to match the new templates.
     app/views/user/wrong_user.html.erb
     app/views/user_mailer/already_registered.text.erb
 
+# 0.45.5.0
+
+## Highlighted Features
+
+* Fix visibility check for attachments when downloading a batch request as a zip
+  file (Gareth Rees)
+
+# 0.45.4.1
+
+## Highlighted Features
+
+* Use SecureRandom when generating tokens.
+* This release includes an update to the commonlib submodule - you
+  should be warned about this when running `rails-post-deploy`.
+
 # 0.45.4.0
 
 ## Highlighted Features
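Review bot: The new guard `return if cannot?(:read, attachment)` in prepare_foi_attachment carries no explanation, and a later reader could reasonably assume that being able to read the message implies being able to read its attachments and drop one of the two checks. A short comment above the pair would protect the fix, e.g. `# An attachment's visibility is authorised separately from its message's; both checks must pass before it is added to the zip.` The two guards could also be written as one line, `return if cannot?(:read, message) || cannot?(:read, attachment)`, which makes the pairing harder to lose. The body of prepare_foi_attachment continues past the end of the hunk.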
diff --git a/spec/services/info_request_batch_zip_spec.rb b/spec/services/info_request_batch_zip_spec.rb
index 4d413b45b9..3125ae6579 100644
--- a/spec/services/info_request_batch_zip_spec.rb
+++ b/spec/services/info_request_batch_zip_spec.rb
@@ -109,8 +109,11 @@
     let(:message) { event.incoming_message }
     let(:attachment) { message.get_attachments_for_display.first }
 
-    context 'can read message' do
-      before { ability.can :read, message }
+    context 'can read message and attachment' do
+      before do
+        ability.can :read, message
+        ability.can :read, attachment
+      end
 
       it 'includes attachments' do
         expect(paths).to include(
@@ -121,7 +124,24 @@
     end
 
     context 'cannot read message' do
-      before { ability.cannot :read, message }
+      before do
+        ability.cannot :read, message
+        ability.can :read, attachment
+      end
+
+      it 'does not include attachments' do
+        expect(paths).not_to include(
+          "#{base_path}/2019-11-11-103000/attachments-#{message.id}/" \
+          "#{attachment.display_filename}"
+        )
+      end
+    end
+
+    context 'cannot read attachment' do
+      before do
+        ability.can :read, message
+        ability.cannot :read, attachment
+      end
 
       it 'does not include attachments' do
         expect(paths).not_to include(
@@ -132,7 +152,10 @@
     end
 
     context 'when a censor rule redacts an attachment filename' do
-      before do
+      before do
+        ability.can :read, message
+        ability.can :read, attachment
+      end
 
       it 'uses the redacted filename in the zip path' do
         request.censor_rules.create!(
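Review bot: The `it 'does not include attachments'` example added to the `'cannot read message'` context in the second hunk is a verbatim copy of the one that now belongs to `'cannot read attachment'`, including the hard-coded `2019-11-11-103000` path segment; two copies of the same expectation tend to drift apart when the path format changes. A `shared_examples` block declared once in the enclosing describe, with `it_behaves_like` in each of the two contexts, keeps the "excluded from the zip" assertion in one place. The enclosing describe and its `let` definitions start outside the hunk, so the placement of the shared example is an assumption to confirm against the full file.
```ruby
shared_examples 'excludes the attachment' do
  it 'does not include attachments' do
    expect(paths).not_to include(
      "#{base_path}/2019-11-11-103000/attachments-#{message.id}/" \
      "#{attachment.display_filename}"
    )
  end
end

context 'cannot read message' do
  # … unchanged: before block granting :read on message only …
  it_behaves_like 'excludes the attachment'
end

context 'cannot read attachment' do
  # … unchanged: before block granting :read on attachment only …
  it_behaves_like 'excludes the attachment'
end
```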