Wrong URL and access permissions on issue attachments

Created by: mikehaertl

I have installed GitLab 5.0 under a relative URL in /gitlab. When i attach a file to an issue, the URL to that file is /files/note/1/hotel_photo.php. It's missing the /gitlab prefix. And according to the following issues, there should also be an /upload prefix or something:

https://github.com/gitlabhq/gitlabhq/issues/2657
https://github.com/gitlabhq/gitlab-recipes/pull/50

I could create a proxy rule in my webserver config - but what about access permissions for the files? Anyone could download them. I'd suggest to better use something like mod_xsendfile so you could check for permissions first, before you send the file.

Admin message

Admin message

Wrong URL and access permissions on issue attachments