authorJean-Philippe Lang <jp_lang@yahoo.fr>2013-01-26 18:37:09 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2013-01-26 18:37:09 +0000
commit9f127793be20c1e23f31c66b5efd4a0acaea2642 (patch)
treec3b45ebf7959f1fb6c9693077e12d829567109f8
parent134b66cb290f084a06a8a4ad7a21913cf002ca85 (diff)
Make JSONP support optional and disabled by default (#12992).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11272 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/views/settings/_authentication.html.erb2
-rw-r--r--config/locales/en.yml1
-rw-r--r--config/locales/fr.yml1
-rw-r--r--config/settings.yml2
-rw-r--r--lib/redmine/views/builders/json.rb5
-rw-r--r--test/integration/api_test/jsonp_test.rb26
6 files changed, 32 insertions, 5 deletions
diff --git a/app/views/settings/_authentication.html.erb b/app/views/settings/_authentication.html.erb
index bba896497..d190fab66 100644
--- a/app/views/settings/_authentication.html.erb
+++ b/app/views/settings/_authentication.html.erb
@@ -19,6 +19,8 @@
<p><%= setting_check_box :openid, :disabled => !Object.const_defined?(:OpenID) %></p>
<p><%= setting_check_box :rest_api_enabled %></p>
+
+<p><%= setting_check_box :jsonp_enabled %></p>
</div>
<fieldset class="box">
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 9dac5ed2a..05ec1d32f 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -397,6 +397,7 @@ en:
setting_thumbnails_enabled: Display attachment thumbnails
setting_thumbnails_size: Thumbnails size (in pixels)
setting_non_working_week_days: Non-working days
+ setting_jsonp_enabled: Enable JSONP support
permission_add_project: Create project
permission_add_subprojects: Create subprojects
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index db6220e00..f39943472 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -394,6 +394,7 @@ fr:
setting_thumbnails_enabled: Afficher les vignettes des images
setting_thumbnails_size: Taille des vignettes (en pixels)
setting_non_working_week_days: Jours non travaillés
+ setting_jsonp_enabled: Activer le support JSONP
permission_add_project: Créer un projet
permission_add_subprojects: Créer des sous-projets
diff --git a/config/settings.yml b/config/settings.yml
index 6f3cfa7e5..c538334fb 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -211,6 +211,8 @@ start_of_week:
default: ''
rest_api_enabled:
default: 0
+jsonp_enabled:
+ default: 0
default_notification_option:
default: 'only_my_events'
emails_header:
diff --git a/lib/redmine/views/builders/json.rb b/lib/redmine/views/builders/json.rb
index b55e952e7..feae6de53 100644
--- a/lib/redmine/views/builders/json.rb
+++ b/lib/redmine/views/builders/json.rb
@@ -25,7 +25,10 @@ module Redmine
def initialize(request, response)
super
- self.jsonp = (request.params[:callback] || request.params[:jsonp]).to_s.gsub(/[^a-zA-Z0-9_]/, '')
+ callback = request.params[:callback] || request.params[:jsonp]
+ if callback && Setting.jsonp_enabled?
+ self.jsonp = callback.to_s.gsub(/[^a-zA-Z0-9_]/, '')
+ end
end
def output
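Review bot: With the setting off, or with neither `callback` nor `jsonp` supplied, `self.jsonp` is never assigned, whereas the removed line always stored a String (empty when no callback was given); whether `output`, which begins on the hunk's last line and continues outside it, tolerates nil depends on the predicate it uses — `blank?`/`present?` treat nil and '' alike, but a bare `jsonp.empty?` would raise, so that is worth confirming. The `callback && …` guard still lets `?callback=` (an empty but truthy String) through to the gsub, which yields '' and matches the expectation in test_jsonp_without_callback_should_return_json. The opt-in nature of the feature deserves a comment above the assignment, e.g. `# JSONP is opt-in (Setting.jsonp_enabled?, off by default); the callback is reduced to [a-zA-Z0-9_] so only a bare identifier reaches the response wrapper.`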
diff --git a/test/integration/api_test/jsonp_test.rb b/test/integration/api_test/jsonp_test.rb
index 3007a2db8..df3be427c 100644
--- a/test/integration/api_test/jsonp_test.rb
+++ b/test/integration/api_test/jsonp_test.rb
@@ -20,8 +20,20 @@ require File.expand_path('../../../test_helper', __FILE__)
class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
fixtures :trackers
+ def test_should_ignore_jsonp_callback_with_jsonp_disabled
+ with_settings :jsonp_enabled => '0' do
+ get '/trackers.json?jsonp=handler'
+ end
+
+ assert_response :success
+ assert_match %r{^\{"trackers":.+\}$}, response.body
+ assert_equal 'application/json; charset=utf-8', response.headers['Content-Type']
+ end
+
def test_jsonp_should_accept_callback_param
- get '/trackers.json?callback=handler'
+ with_settings :jsonp_enabled => '1' do
+ get '/trackers.json?callback=handler'
+ end
assert_response :success
assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
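Review bot: The new disabled-setting test at the top of the hunk exercises only the `jsonp` parameter, while the builder also accepts `callback` (and checks it first), so the disabled path for `?callback=handler` has no coverage. A sibling test with the same assertions against `/trackers.json?callback=handler` would pin that the setting gates both spellings; I'd place it directly after the existing disabled-setting test.
```ruby
  # … unchanged: test_should_ignore_jsonp_callback_with_jsonp_disabled …

  def test_should_ignore_callback_param_with_jsonp_disabled
    with_settings :jsonp_enabled => '0' do
      get '/trackers.json?callback=handler'
    end

    assert_response :success
    assert_match %r{^\{"trackers":.+\}$}, response.body
    assert_equal 'application/json; charset=utf-8', response.headers['Content-Type']
  end
```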
@@ -29,7 +41,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
end
def test_jsonp_should_accept_jsonp_param
- get '/trackers.json?jsonp=handler'
+ with_settings :jsonp_enabled => '1' do
+ get '/trackers.json?jsonp=handler'
+ end
assert_response :success
assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
@@ -37,7 +51,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
end
def test_jsonp_should_strip_invalid_characters_from_callback
- get '/trackers.json?callback=+-aA$1_'
+ with_settings :jsonp_enabled => '1' do
+ get '/trackers.json?callback=+-aA$1_'
+ end
assert_response :success
assert_match %r{^aA1_\(\{"trackers":.+\}\)$}, response.body
@@ -45,7 +61,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
end
def test_jsonp_without_callback_should_return_json
- get '/trackers.json?callback='
+ with_settings :jsonp_enabled => '1' do
+ get '/trackers.json?callback='
+ end
assert_response :success
assert_match %r{^\{"trackers":.+\}$}, response.body