diff --git a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
index 0dbd6e594..1ed4685a5 100644
--- a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
+++ b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
@@ -51,7 +51,7 @@
<% for attachment in @article.attachments: %> <% end %>
diff --git a/app/controllers/ticket_articles_controller.rb b/app/controllers/ticket_articles_controller.rb
index 3baf53f0c..20423edc1 100644
--- a/app/controllers/ticket_articles_controller.rb
+++ b/app/controllers/ticket_articles_controller.rb
@@ -239,11 +239,14 @@ class TicketArticlesController < ApplicationController
 # find file
 file = Store.find(params[:id])
+
+ disposition = sanitized_disposition
+
 send_data(
 file.content,
 filename: file.filename,
 type: file.preferences['Content-Type'] || file.preferences['Mime-Type'],
- disposition: 'inline'
+ disposition: disposition
 )
 end
@@ -267,4 +270,12 @@ class TicketArticlesController < ApplicationController
 )
 end
+ private
+
+ def sanitized_disposition
+ disposition = params.fetch(:disposition, 'inline')
+ valid_disposition = %w(inline attachment)
+ return disposition if valid_disposition.include?(disposition)
+ raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
+ end
 end
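Review bot: `sanitized_disposition` raises `Exceptions::NotAuthorized` for an unsupported `disposition` query value, but a malformed parameter is a client input error rather than an authorization failure, so the resulting status code and audit trail mislabel what happened; raise the exception the controller maps to a 4xx client error (or `ArgumentError`, if that is handled as one) instead, e.g. `raise ArgumentError, "Invalid disposition requested. Only #{valid_disposition.join(', ')} are valid."`. The current message also interpolates the unvalidated `disposition` string verbatim, so arbitrary request input is reflected into the error response and logs — dropping it from the message as above, or truncating it, avoids that. The default stays `inline` and the `type:` header is still read from `file.preferences`, so an attachment stored with a content type such as text/html or image/svg+xml is rendered in the application origin; presumably those preferences originate from the upload, in which case defaulting non-image types to `attachment` (or sending nosniff) would close that gap. The method containing the `send_data` call starts above the first hunk, and the article_view.jst.eco hunk is collapsed beyond recovery here, so its changed lines were not reviewed.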