diff --git a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
index 0dbd6e594..1ed4685a5 100644
--- a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
+++ b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
@@ -51,7 +51,7 @@
<%- @article.attachments.length %> <%- @T('Attached Files') %>
<% for attachment in @article.attachments: %>
<% end %>
diff --git a/app/controllers/ticket_articles_controller.rb b/app/controllers/ticket_articles_controller.rb
index 3baf53f0c..20423edc1 100644
--- a/app/controllers/ticket_articles_controller.rb
+++ b/app/controllers/ticket_articles_controller.rb
@@ -239,11 +239,14 @@ class TicketArticlesController < ApplicationController
# find file
file = Store.find(params[:id])
+
+ disposition = sanitized_disposition
+
send_data(
file.content,
filename: file.filename,
type: file.preferences['Content-Type'] || file.preferences['Mime-Type'],
- disposition: 'inline'
+ disposition: disposition
)
end
@@ -267,4 +270,12 @@ class TicketArticlesController < ApplicationController
)
end
+ private
+
+ def sanitized_disposition
+ disposition = params.fetch(:disposition, 'inline')
+ valid_disposition = %w(inline attachment)
+ return disposition if valid_disposition.include?(disposition)
+ raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
+ end
end