Added an Admin setting to enable/disable the REST web service. (#3920)
authorEric Davis <edavis@littlestreamsoftware.com>
Wed, 23 Dec 2009 06:27:44 +0000 (06:27 +0000)
committerEric Davis <edavis@littlestreamsoftware.com>
Wed, 23 Dec 2009 06:27:44 +0000 (06:27 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3220 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb
app/helpers/settings_helper.rb
app/views/settings/_integration.html.erb [new file with mode: 0644]
config/locales/en.yml
config/settings.yml
test/integration/api_token_login_test.rb
test/integration/disabled_rest_api_test.rb [new file with mode: 0644]
test/integration/http_basic_login_test.rb
test/integration/http_basic_login_with_api_token_test.rb

index 45aeb9955ca33ef88e7c5d02ec38ff0e03f6ef05..20a8e576013aa78ce677c91c1527a240371ebe1b 100644 (file)
@@ -70,7 +70,7 @@ class ApplicationController < ActionController::Base
     elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
       # RSS key authentication does not start a session
       User.find_by_rss_key(params[:key])
-    elsif ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action])
+    elsif Setting.rest_api_enabled? && ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action])
       if params[:key].present?
         # Use API key
         User.find_by_api_key(params[:key])
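Review bot: The added Setting.rest_api_enabled? guard only prevents the API-key / HTTP Basic branch from authenticating; when the setting is off the request does not get refused, it just falls through with no user, so with login_required off an xml/json request is still served anonymously, and a user with a browser session (the branch above this hunk, not visible here) still receives xml/json responses. If "disable the REST web service" is meant to refuse API traffic, enforce it at request dispatch as well, e.g. a before_filter that renders 403 when `['xml', 'json'].include?(params[:format]) && !Setting.rest_api_enabled?`, and keep this change as the authentication-side defence. The new DisabledRestApi tests all run with login_required = '1', which masks this gap. The enclosing method starts before this hunk.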
index e57b75fcc884ee965b075a2bd039a316be94bfa4..18212683daf1f0b68aa563bbd24313a45c3e65ab 100644 (file)
@@ -24,7 +24,8 @@ module SettingsHelper
             {:name => 'issues', :partial => 'settings/issues', :label => :label_issue_tracking},
             {:name => 'notifications', :partial => 'settings/notifications', :label => :field_mail_notification},
             {:name => 'mail_handler', :partial => 'settings/mail_handler', :label => :label_incoming_emails},
-            {:name => 'repositories', :partial => 'settings/repositories', :label => :label_repository_plural}
+            {:name => 'repositories', :partial => 'settings/repositories', :label => :label_repository_plural},
+            {:name => 'integration', :partial => 'settings/integration', :label => :label_integration}
             ]
   end
   
diff --git a/app/views/settings/_integration.html.erb b/app/views/settings/_integration.html.erb
new file mode 100644 (file)
index 0000000..23a612e
--- /dev/null
@@ -0,0 +1,8 @@
+<% form_tag({:action => 'edit', :tab => 'integration'}) do %>
+
+<div class="box tabular settings">
+<p><%= setting_check_box :rest_api_enabled %></p>
+</div>
+
+<%= submit_tag l(:button_save) %>
+<% end %>
index d75897befbc48e6d6c6fd9070ca8ec093f49f61a..0195f35238b7bf9adee15245b12d1c232eb45427 100644 (file)
@@ -324,6 +324,7 @@ en:
   setting_issue_done_ratio_issue_field: Use the issue field
   setting_issue_done_ratio_issue_status: Use the issue status
   setting_start_of_week: Start calendars on
+  setting_rest_api_enabled: Enable REST web service
   
   permission_add_project: Create project
   permission_edit_project: Edit project
@@ -735,6 +736,7 @@ en:
   label_api_access_key: API access key
   label_missing_api_access_key: Missing an API access key
   label_api_access_key_created_on: "API access key created {{value}} ago"
+  label_integration: Integration
   
   button_login: Login
   button_submit: Submit
index d5943ebdb513ac2dc8cab766fae4da7deb20c06b..09bce1f20a752c88ec3b2da6a2586045a230b69e 100644 (file)
@@ -176,3 +176,5 @@ gravatar_default:
   default: ''
 start_of_week:
   default: ''
+rest_api_enabled:
+  default: 0
index 9017ab7bea1336dc2eee57e95b49f1be14f80da6..43f6eb01fc481faf2bffb192fe5a9b2112e91026 100644 (file)
@@ -4,10 +4,12 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
   fixtures :all
 
   def setup
+    Setting.rest_api_enabled = '1'
     Setting.login_required = '1'
   end
 
   def teardown
+    Setting.rest_api_enabled = '0'
     Setting.login_required = '0'
   end
   
diff --git a/test/integration/disabled_rest_api_test.rb b/test/integration/disabled_rest_api_test.rb
new file mode 100644 (file)
index 0000000..5ebf91c
--- /dev/null
@@ -0,0 +1,110 @@
+require "#{File.dirname(__FILE__)}/../test_helper"
+
+class DisabledRestApi < ActionController::IntegrationTest
+  fixtures :all
+
+  def setup
+    Setting.rest_api_enabled = '0'
+    Setting.login_required = '1'
+  end
+
+  def teardown
+    Setting.rest_api_enabled = '1'
+    Setting.login_required = '0'
+  end
+  
+  # Using the NewsController because it's a simple API.
+  context "get /news with the API disabled" do
+
+    context "in :xml format" do
+      context "with a valid api token" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'api')
+          get "/news.xml?key=#{@token.value}"
+        end
+        
+        should_respond_with :unauthorized
+        should_respond_with_content_type :xml
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+
+      context "with a valid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
+          get "/news.xml", nil, :authorization => @authorization
+        end
+        
+        should_respond_with :unauthorized
+        should_respond_with_content_type :xml
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+
+      context "with a valid HTTP authentication using the API token" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'api')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
+          get "/news.xml", nil, :authorization => @authorization
+        end
+        
+        should_respond_with :unauthorized
+        should_respond_with_content_type :xml
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+    end
+
+    context "in :json format" do
+      context "with a valid api token" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'api')
+          get "/news.json?key=#{@token.value}"
+        end
+        
+        should_respond_with :unauthorized
+        should_respond_with_content_type :json
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+
+      context "with a valid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
+          get "/news.json", nil, :authorization => @authorization
+        end
+        
+        should_respond_with :unauthorized
+        should_respond_with_content_type :json
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+
+      context "with a valid HTTP authentication using the API token" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'api')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
+          get "/news.json", nil, :authorization => @authorization
+        end
+
+        should_respond_with :unauthorized
+        should_respond_with_content_type :json
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+      
+    end    
+  end
+end
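Review bot: Every context runs with Setting.login_required = '1' from setup, so the :unauthorized responses prove only that the key and Basic credentials were ignored, not that the API is refused when disabled; a companion context with login_required = '0' asserting that the xml/json request is still rejected would pin the intended meaning of the toggle (as the controller change stands, such a request would likely be answered as anonymous). The teardown also hard-codes rest_api_enabled back to '1' while the sibling login tests reset it to '0', so the final value depends on test order; capture and restore the prior value instead, `@saved_rest_api = Setting.rest_api_enabled` in setup and `Setting.rest_api_enabled = @saved_rest_api` in teardown. Minor: the class is named DisabledRestApi while its siblings end in Test.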
index e18359dfcc263e277900d67cca18e05dd9bc5684..7f5c15c7d0e288c956d1f724af0228475a0c817d 100644 (file)
@@ -4,10 +4,12 @@ class HttpBasicLoginTest < ActionController::IntegrationTest
   fixtures :all
 
   def setup
+    Setting.rest_api_enabled = '1'
     Setting.login_required = '1'
   end
 
   def teardown
+    Setting.rest_api_enabled = '0'
     Setting.login_required = '0'
   end
   
index 2aefb8b0e56f9e91f4d4d4a37a54869947e63e35..fe3df3130a71090e75cc5bf49a03f703e394fb70 100644 (file)
@@ -4,10 +4,12 @@ class HttpBasicLoginWithApiTokenTest < ActionController::IntegrationTest
   fixtures :all
 
   def setup
+    Setting.rest_api_enabled = '1'
     Setting.login_required = '1'
   end
 
   def teardown
+    Setting.rest_api_enabled = '0'
     Setting.login_required = '0'
   end