Allow to download javascript attachments again (#23376).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@15856 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index 7387809bf43f9825601df47b4b36442c2e5020ba..19a51b9ccf6f144ade715510b550f59808f69223 100644 (file)
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -22,6 +22,10 @@ class AttachmentsController < ApplicationController
   before_action :delete_authorize, :only => :destroy
   before_action :authorize_global, :only => :upload
 
+  # Disable check for same origin requests for JS files, i.e. attachments with
+  # MIME type text/javascript.
+  skip_after_filter :verify_same_origin_request, :only => :download
+
   accept_api_auth :show, :download, :thumbnail, :upload, :destroy
 
   def show

diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index 66039cf67bab2c7112c6190415e884d0d7801d10..6a44ca40c0da54916113331fbcd110e242c13e4a 100644 (file)
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -252,6 +252,19 @@ class AttachmentsControllerTest < Redmine::ControllerTest
     set_tmp_attachments_directory
   end
 
+  def test_download_js_file
+    set_tmp_attachments_directory
+    attachment = Attachment.create!(
+      :file => mock_file_with_options(:original_filename => "hello.js", :content_type => "text/javascript"),
+      :author_id => 2,
+      :container => Issue.find(1)
+    )
+
+    get :download, :id => attachment.id
+    assert_response :success
+    assert_equal 'text/javascript', @response.content_type
+  end
+
   def test_download_version_file_with_issue_tracking_disabled
     Project.find(1).disable_module! :issue_tracking
     get :download, :id => 9