Front End Download of Attachments

This was also an enhancement suggested in the Forum.

It would be easy enough to add a link to the filename, just as is currently done in the back end, but there is a need to think about any possible security concerns here as well. For example if this is a 'private' issue do we want to allow downloads. I suspect not. Do we want guest users to be able to download? Again suspect not. Issue admin and staff, probably yes. Could add an option to enable the adding of the link, but this would tend to be 'over riding' so that it would apply to all attachments. Might need to add some additional flags to the attachment to control who can download it as a better solution.

One suggestion was that it might be possible to let users choose while raising an issue? The intent being that there would an option, that the user uses to specify who can download attachments. The raiser of the issue/ticket would decide who can download their attachments - everyone, registered or staff and admin only. The only possible problem with this is whether we can really rely upon the user to specify the 'visibility'. One way would be to assume that the default is that any attachment is always 'private' unless specifically marked as 'public' by the submitter. At least this way we would have a basic level of security (of the attachment) in place without requiring the user to do anything at all.

There should also be a component parameter override option to enable or disable this front end download ability.

The criteria is such that all 'issue administrators', 'issue staff' and the issue creator should be able to download any attachments associated with the issue. If the issue is marked as 'private' then no other person should be able to download any attachments. If the issue is public and the (new) component option to enable registered users to download attachments is set (default is not to allow registered users to download attachments) then registered users are permitted to download the attachments. A link is provided around the file name to enable the download. A new controller task is invoked to permit the download to occur. If a download is not possible then the link is not available.

The download is possible from two possible places in the front end. The first is from the actual issue form. Since the form is only displayed to the issue admin, staff and issue creator, no further checks are required and the link is always displayed. The second is on the issue display screen. It is here that we have to ensure that all the checks have been performed.