Per project protection

author Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Fri, 15 Feb 2013 07:51:21 +0000 (09:51 +0200)

committer Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Fri, 15 Feb 2013 07:51:21 +0000 (09:51 +0200)
author Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Fri, 15 Feb 2013 07:51:21 +0000 (09:51 +0200)
committer Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Fri, 15 Feb 2013 07:51:21 +0000 (09:51 +0200)
diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb

index 09f1e55..3cd2e77 100644 (file)
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@@ -1,7 +1,13 @@
  class FilesController < ApplicationController
    def download
-    uploader = Note.find(params[:id]).attachment
-    send_file uploader.file.path, disposition: 'attachment'
+    note = Note.find(params[:id])
+
+    if can?(current_user, :read_project, note.project)
+      uploader = note.attachment
+      send_file uploader.file.path, disposition: 'attachment'
+    else
+      not_found!
+    end
    end
  end
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
	Fri, 15 Feb 2013 07:51:21 +0000 (09:51 +0200)
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
	Fri, 15 Feb 2013 07:51:21 +0000 (09:51 +0200)