From: Jean-Philippe Lang Date: Sat, 1 Oct 2016 09:24:34 +0000 (+0000) Subject: Allow to download javascript attachments again (#23376). X-Git-Tag: 3.4.0~676 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=76bf2404d5114bdb4fc03a314e5e01af1fb66b5f;p=redmine.git Allow to download javascript attachments again (#23376). Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@15856 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index 7387809bf..19a51b9cc 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -22,6 +22,10 @@ class AttachmentsController < ApplicationController
 before_action :delete_authorize, :only => :destroy
 before_action :authorize_global, :only => :upload
 
+ # Disable check for same origin requests for JS files, i.e. attachments with
+ # MIME type text/javascript.
+ skip_after_filter :verify_same_origin_request, :only => :download
+
 accept_api_auth :show, :download, :thumbnail, :upload, :destroy
 
 def show
diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index 66039cf67..6a44ca40c 100644
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -252,6 +252,19 @@ class AttachmentsControllerTest < Redmine::ControllerTest
 set_tmp_attachments_directory
 end
 
+ def test_download_js_file
+ set_tmp_attachments_directory
+ attachment = Attachment.create!(
+ :file => mock_file_with_options(:original_filename => "hello.js", :content_type => "text/javascript"),
+ :author_id => 2,
+ :container => Issue.find(1)
+ )
+
+ get :download, :id => attachment.id
+ assert_response :success
+ assert_equal 'text/javascript', @response.content_type
+ end
+
 def test_download_version_file_with_issue_tracking_disabled
 Project.find(1).disable_module! :issue_tracking
 get :download, :id => 9
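Review bot: In app/controllers/attachments_controller.rb, the added `skip_after_filter :verify_same_origin_request, :only => :download` switches off Rails' cross-origin script-embedding guard for every response of the download action, and the comment above it does not record what is given up. That check exists so a JavaScript response cannot be loaded by a `<script>` tag on another origin with the viewer's session, so a text/javascript attachment in a restricted project presumably loses that protection. The comment should state the trade-off, for example `# NOTE: downloads are no longer covered by the cross-origin <script> check; text/javascript attachments can be embedded by other origins.` For consistency with the `before_action` calls on the lines just above, `skip_after_action :verify_same_origin_request, :only => :download` is the matching spelling. The class body continues outside the hunk.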
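Review bot: In test/functional/attachments_controller_test.rb, `test_download_js_file` has no comment saying why a plain `get :download` of a text/javascript file needs its own regression test. A comment such as `# Non-XHR GET of a JavaScript response: raises ActionController::InvalidCrossOriginRequest unless the controller skips verify_same_origin_request for download.` would tie it to the controller change. The test also pins only the success path. Nothing here checks that the skip stays limited to `download`, or that access to an attachment on a non-public issue is still refused, so a later widening of the `:only` list would pass unnoticed.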