mysociety · gbp · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 24, 2026
diff --git a/app/services/info_request_batch_zip.rb b/app/services/info_request_batch_zip.rb
@@ -103,6 +103,7 @@ def prepare_incoming_message(message)
   def prepare_foi_attachment(attachment)
     message = attachment.incoming_message
     return if cannot?(:read, message)
+    return if cannot?(:read, attachment)
 
     sent_at = message.sent_at.to_formatted_s(:filename)
 

diff --git a/config/initializers/alaveteli.rb b/config/initializers/alaveteli.rb
@@ -10,7 +10,7 @@
 load "util.rb"
 
 # Application version
-ALAVETELI_VERSION = '0.46.2.1'
+ALAVETELI_VERSION = '0.46.3.0'
 
 # Add new inflection rules using the following format
 # (all these examples are active by default):

diff --git a/doc/CHANGES.md b/doc/CHANGES.md
@@ -1,10 +1,9 @@
-# 0.46.2.0
+# 0.46.3.0
 
 ## Highlighted Features
 
-* Use SecureRandom when generating tokens.
-* This release includes an update to the commonlib submodule - you
-  should be warned about this when running `rails-post-deploy`.
+* Fix visibility check for attachments when downloading a batch request as a zip
+  file (Gareth Rees)
 
 # 0.46.2.0
 
@@ -261,6 +260,21 @@ to match the new templates.
     app/views/user/wrong_user.html.erb
     app/views/user_mailer/already_registered.text.erb
 
+# 0.45.5.0
+
+## Highlighted Features
+
+* Fix visibility check for attachments when downloading a batch request as a zip
+  file (Gareth Rees)
+
+# 0.45.4.1
+
+## Highlighted Features
+
+* Use SecureRandom when generating tokens.
+* This release includes an update to the commonlib submodule - you
+  should be warned about this when running `rails-post-deploy`.
+
 # 0.45.4.0
 
 ## Highlighted Features

diff --git a/spec/services/info_request_batch_zip_spec.rb b/spec/services/info_request_batch_zip_spec.rb
@@ -109,8 +109,11 @@
       let(:message) { event.incoming_message }
       let(:attachment) { message.get_attachments_for_display.first }
 
-      context 'can read message' do
-        before { ability.can :read, message }
+      context 'can read message and attachment' do
+        before do
+          ability.can :read, message
+          ability.can :read, attachment
+        end
 
         it 'includes attachments' do
           expect(paths).to include(
@@ -121,7 +124,24 @@
       end
 
       context 'cannot read message' do
-        before { ability.cannot :read, message }
+        before do
+          ability.cannot :read, message
+          ability.can :read, attachment
+        end
+
+        it 'does not include attachments' do
+          expect(paths).not_to include(
+            "#{base_path}/2019-11-11-103000/attachments-#{message.id}/" \
+              "#{attachment.display_filename}"
+          )
+        end
+      end
+
+      context 'cannot read attachment' do
+        before do
+          ability.can :read, message
+          ability.cannot :read, attachment
+        end
 
         it 'does not include attachments' do
           expect(paths).not_to include(
@@ -132,7 +152,10 @@
       end
 
       context 'when a censor rule redacts an attachment filename' do
-        before { ability.can :read, message }
+        before do
+          ability.can :read, message
+          ability.can :read, attachment
+        end
 
         it 'uses the redacted filename in the zip path' do
           request.censor_rules.create!(