Fixed issue #617 - Prevent attachment preview in browser attachment download.

app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco

@@ -51,7 +51,7 @@
             <div class="attachments-title"><%- @article.attachments.length %> <%- @T('Attached Files') %></div>
             <% for attachment in @article.attachments: %>
               <div class="attachment">
-                <a class="attachment-name u-highlight" href="<%= App.Config.get('api_path') %>/ticket_attachment/<%= @article.ticket_id %>/<%= @article.id %>/<%= attachment.id %>" target="_blank" data-type="attachment"><%= attachment.filename %></a>
+                <a class="attachment-name u-highlight" href="<%= App.Config.get('api_path') %>/ticket_attachment/<%= @article.ticket_id %>/<%= @article.id %>/<%= attachment.id %>?disposition=attachment" target="_blank" data-type="attachment"><%= attachment.filename %></a>
                 <div class="attachment-size"><%- @humanFileSize(attachment.size) %></div>
               </div>
             <% end %>

app/controllers/ticket_articles_controller.rb

@@ -239,11 +239,14 @@ class TicketArticlesController < ApplicationController
 
     # find file
     file = Store.find(params[:id])
+
+    disposition = sanitized_disposition
+
     send_data(
       file.content,
       filename: file.filename,
       type: file.preferences['Content-Type'] || file.preferences['Mime-Type'],
-      disposition: 'inline'
+      disposition: disposition
     )
   end
 
@@ -267,4 +270,12 @@ class TicketArticlesController < ApplicationController
     )
   end
 
+  private
+
+  def sanitized_disposition
+    disposition = params.fetch(:disposition, 'inline')
+    valid_disposition = %w(inline attachment)
+    return disposition if valid_disposition.include?(disposition)
+    raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
+  end
 end