jro_apps/redmine Commit - r11042:9f127793be20

Make JSONP support optional and disabled by default (#12992)....

Jean-Philippe Lang -

r11042:9f127793be20

parent child

Context file:

r11042:9f127793be20

Collapse all files

app/views/settings/_authentication.html.erb +2 0

              <p><%= setting_check_box :openid, :disabled => !Object.const_defined?(:OpenID) %></p>
              <p><%= setting_check_box :rest_api_enabled %></p>
+             <p><%= setting_check_box :jsonp_enabled %></p>
              </div>
              <fieldset class="box">

config/locales/en.yml +1 0

                setting_thumbnails_enabled: Display attachment thumbnails
                setting_thumbnails_size: Thumbnails size (in pixels)
                setting_non_working_week_days: Non-working days
+               setting_jsonp_enabled: Enable JSONP support
                permission_add_project: Create project
                permission_add_subprojects: Create subprojects

config/locales/fr.yml +1 0

                setting_thumbnails_enabled: Afficher les vignettes des images
                setting_thumbnails_size: Taille des vignettes (en pixels)
                setting_non_working_week_days: Jours non travaillés
+               setting_jsonp_enabled: Activer le support JSONP
                permission_add_project: Créer un projet
                permission_add_subprojects: Créer des sous-projets

config/settings.yml +2 0

                default: ''
              rest_api_enabled:
                default: 0
+             jsonp_enabled:
+               default: 0
              default_notification_option:
                default: 'only_my_events'
              emails_header:

lib/redmine/views/builders/json.rb +4 -1

                      def initialize(request, response)
                        super
-                       self.jsonp = (request.params[:callback] || request.params[:jsonp]).to_s.gsub(/[^a-zA-Z0-9_]/, '')
+                       callback = request.params[:callback] || request.params[:jsonp]
+                       if callback && Setting.jsonp_enabled?
+                         self.jsonp = callback.to_s.gsub(/[^a-zA-Z0-9_]/, '')
+                       end
                      end
                      def output

test/integration/api_test/jsonp_test.rb +22 -4

              class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
                fixtures :trackers
+               def test_should_ignore_jsonp_callback_with_jsonp_disabled
+                 with_settings :jsonp_enabled => '0' do
+                   get '/trackers.json?jsonp=handler'
+                 end
+                 assert_response :success
+                 assert_match %r{^\{"trackers":.+\}$}, response.body
+                 assert_equal 'application/json; charset=utf-8', response.headers['Content-Type']
+               end
                def test_jsonp_should_accept_callback_param
-                 get '/trackers.json?callback=handler'
+                 with_settings :jsonp_enabled => '1' do
+                   get '/trackers.json?callback=handler'
+                 end
                  assert_response :success
                  assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
                end
                def test_jsonp_should_accept_jsonp_param
-                 get '/trackers.json?jsonp=handler'
+                 with_settings :jsonp_enabled => '1' do
+                   get '/trackers.json?jsonp=handler'
+                 end
                  assert_response :success
                  assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
                end
                def test_jsonp_should_strip_invalid_characters_from_callback
-                 get '/trackers.json?callback=+-aA$1_'
+                 with_settings :jsonp_enabled => '1' do
+                   get '/trackers.json?callback=+-aA$1_'
+                 end
                  assert_response :success
                  assert_match %r{^aA1_\(\{"trackers":.+\}\)$}, response.body
                end
                def test_jsonp_without_callback_should_return_json
-                 get '/trackers.json?callback='
+                 with_settings :jsonp_enabled => '1' do
+                   get '/trackers.json?callback='
+                 end
                  assert_response :success
                  assert_match %r{^\{"trackers":.+\}$}, response.body

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages