Allow to download javascript attachments again (#23376).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@15856 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/attachments_controller.rb

@@ -22,6 +22,10 @@ class AttachmentsController < ApplicationController
   before_action :delete_authorize, :only => :destroy
   before_action :authorize_global, :only => :upload
 
+  # Disable check for same origin requests for JS files, i.e. attachments with
+  # MIME type text/javascript.
+  skip_after_filter :verify_same_origin_request, :only => :download
+
   accept_api_auth :show, :download, :thumbnail, :upload, :destroy
 
   def show

test/functional/attachments_controller_test.rb

@@ -252,6 +252,19 @@ class AttachmentsControllerTest < Redmine::ControllerTest
     set_tmp_attachments_directory
   end
 
+  def test_download_js_file
+    set_tmp_attachments_directory
+    attachment = Attachment.create!(
+      :file => mock_file_with_options(:original_filename => "hello.js", :content_type => "text/javascript"),
+      :author_id => 2,
+      :container => Issue.find(1)
+    )
+
+    get :download, :id => attachment.id
+    assert_response :success
+    assert_equal 'text/javascript', @response.content_type
+  end
+
   def test_download_version_file_with_issue_tracking_disabled
     Project.find(1).disable_module! :issue_tracking
     get :download, :id => 9