Make JSONP support optional and disabled by default (#12992).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 26 Jan 2013 18:37:09 +0000 (18:37 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 26 Jan 2013 18:37:09 +0000 (18:37 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11272 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/views/settings/_authentication.html.erb
config/locales/en.yml
config/locales/fr.yml
config/settings.yml
lib/redmine/views/builders/json.rb
test/integration/api_test/jsonp_test.rb

index bba896497da8c73374b8d6bdf611dca10d09e41e..d190fab6653779628fb97d6b2227483bdd8710b6 100644 (file)
@@ -19,6 +19,8 @@
 <p><%= setting_check_box :openid, :disabled => !Object.const_defined?(:OpenID) %></p>
 
 <p><%= setting_check_box :rest_api_enabled %></p>
+
+<p><%= setting_check_box :jsonp_enabled %></p>
 </div>
 
 <fieldset class="box">
index 9dac5ed2ae053c2d44c9d332e6f271ffddc195c6..05ec1d32f18fe55d351be9d77303255f5e20748a 100644 (file)
@@ -397,6 +397,7 @@ en:
   setting_thumbnails_enabled: Display attachment thumbnails
   setting_thumbnails_size: Thumbnails size (in pixels)
   setting_non_working_week_days: Non-working days
+  setting_jsonp_enabled: Enable JSONP support
 
   permission_add_project: Create project
   permission_add_subprojects: Create subprojects
index db6220e001d6258025854ca1c6c653183a193189..f39943472a514d3df79cfc5572f6202455117a58 100644 (file)
@@ -394,6 +394,7 @@ fr:
   setting_thumbnails_enabled: Afficher les vignettes des images
   setting_thumbnails_size: Taille des vignettes (en pixels)
   setting_non_working_week_days: Jours non travaillés
+  setting_jsonp_enabled: Activer le support JSONP
 
   permission_add_project: Créer un projet
   permission_add_subprojects: Créer des sous-projets
index 6f3cfa7e557df03dcb6b256d2465f2f4de89cddf..c538334fbcc537ad1bb00f3bddc233fdcbb17e8a 100644 (file)
@@ -211,6 +211,8 @@ start_of_week:
   default: ''
 rest_api_enabled:
   default: 0
+jsonp_enabled:
+  default: 0
 default_notification_option:
   default: 'only_my_events'
 emails_header:
index b55e952e7a65e3963a7d5e314daa1bd82f616b01..feae6de536608ed4d2270d00491fd3e504f39e16 100644 (file)
@@ -25,7 +25,10 @@ module Redmine
 
         def initialize(request, response)
           super
-          self.jsonp = (request.params[:callback] || request.params[:jsonp]).to_s.gsub(/[^a-zA-Z0-9_]/, '')
+          callback = request.params[:callback] || request.params[:jsonp]
+          if callback && Setting.jsonp_enabled?
+            self.jsonp = callback.to_s.gsub(/[^a-zA-Z0-9_]/, '')
+          end
         end
 
         def output
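Review bot: The gate at `if callback && Setting.jsonp_enabled?` is the right place to record why JSONP is opt-in, and nothing in the builder says so; a maintainer tempted to relax it later will look here first. A comment such as `# JSONP is opt-in (Setting.jsonp_enabled, off by default): wrapping the API body in a caller-chosen function lets any origin load it via <script>, so keep it off unless that is intended. The callback is reduced to [A-Za-z0-9_] so it can only name an identifier, never inject markup or script.` would capture that. Note also that with the setting off `jsonp` is now left unset (nil) rather than assigned `''` as the removed line did, so `output`, which starts on the last line of this hunk and continues outside it, must treat nil and an empty string alike; the new disabled-path test suggests it does, but it is worth confirming against the body.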
index 3007a2db8fa0f4c27fdecfc70110253670956167..df3be427c8feff0ad1061b33b10742da16fb7c64 100644 (file)
@@ -20,8 +20,20 @@ require File.expand_path('../../../test_helper', __FILE__)
 class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   fixtures :trackers
 
+  def test_should_ignore_jsonp_callback_with_jsonp_disabled
+    with_settings :jsonp_enabled => '0' do
+      get '/trackers.json?jsonp=handler'
+    end
+
+    assert_response :success
+    assert_match %r{^\{"trackers":.+\}$}, response.body
+    assert_equal 'application/json; charset=utf-8', response.headers['Content-Type']
+  end
+
   def test_jsonp_should_accept_callback_param
-    get '/trackers.json?callback=handler'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback=handler'
+    end
 
     assert_response :success
     assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
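Review bot: The new disabled-path test only sends `jsonp=handler`, but the builder reads `params[:callback]` first and falls back to `params[:jsonp]`, so the `callback` name is never exercised with the setting off. A sibling test with the same three assertions that issues `get '/trackers.json?callback=handler'` inside `with_settings :jsonp_enabled => '0'` would pin both input names. As a minor point of style, `%r{^\{"trackers":.+\}$}` anchors per line; `\A` and `\z` would assert the whole body is bare JSON even if it ever contained a newline.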
@@ -29,7 +41,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_should_accept_jsonp_param
-    get '/trackers.json?jsonp=handler'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?jsonp=handler'
+    end
 
     assert_response :success
     assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
@@ -37,7 +51,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_should_strip_invalid_characters_from_callback
-    get '/trackers.json?callback=+-aA$1_'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback=+-aA$1_'
+    end
 
     assert_response :success
     assert_match %r{^aA1_\(\{"trackers":.+\}\)$}, response.body
@@ -45,7 +61,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_without_callback_should_return_json
-    get '/trackers.json?callback='
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback='
+    end
 
     assert_response :success
     assert_match %r{^\{"trackers":.+\}$}, response.body