From bf8b253dd2a6c2ca70a578cba0db947f303a8dc8 Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Tue, 19 Jul 2016 17:45:11 +0200
Subject: [PATCH] Allow to download javascript attachments again
---
 app/controllers/attachments_controller.rb | 4 ++++
 test/fixtures/attachments.yml | 13 +++++++++++++
 test/fixtures/files/2016/07/160719150727_script.js | 1 +
 test/functional/attachments_controller_test.rb | 7 +++++++
 test/integration/api_test/issues_test.rb | 2 +-
 5 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 test/fixtures/files/2016/07/160719150727_script.js
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index 7387809..19a51b9 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -22,6 +22,10 @@ class AttachmentsController < ApplicationController
 before_action :delete_authorize, :only => :destroy
 before_action :authorize_global, :only => :upload
+ # Disable check for same origin requests for JS files, i.e. attachments with
+ # MIME type text/javascript.
+ skip_after_filter :verify_same_origin_request, :only => :download
+
 accept_api_auth :show, :download, :thumbnail, :upload, :destroy
 def show
diff --git a/test/fixtures/attachments.yml b/test/fixtures/attachments.yml
index 6f56c08..425cb87 100644
--- a/test/fixtures/attachments.yml
+++ b/test/fixtures/attachments.yml
@@ -267,3 +267,16 @@ attachments_020:
 filename: root_attachment.txt
 filesize: 54
 author_id: 2
+attachments_021:
+ created_on: 2016-07-19 15:07:27 +02:00
+ downloads: 0
+ content_type: text/javascript
+ disk_filename: 160719150727_script.js
+ disk_directory: "2016/07"
+ container_id: 3
+ digest: bc279813fab770379fd219f1722ccc3a
+ id: 21
+ container_type: Issue
+ filesize: 16
+ filename: script.js
+ author_id: 2
diff --git a/test/fixtures/files/2016/07/160719150727_script.js b/test/fixtures/files/2016/07/160719150727_script.js
new file mode 100644
index 0000000..6754325
--- /dev/null
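Review bot: The added `skip_after_filter :verify_same_origin_request, :only => :download` turns off Rails' guard against cross-origin script inclusion for every attachment served as `text/javascript`, and the comment above it says what is disabled but not why that is safe. With the check gone, a `.js` attachment in a non-public project could presumably be referenced from a page on another origin and evaluated there under the viewer's session, so the decision should be recorded next to the skip, e.g. `# Attachments are user-supplied data, not application-generated JS; exposure is limited by <reason - fill in>.`, or the `download` action (outside this hunk) should send such files with a non-script content type. For consistency with the `before_action` calls directly above, the line would read `skip_after_action :verify_same_origin_request, :only => :download`. The class body continues outside the hunk.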
+++ b/test/fixtures/files/2016/07/160719150727_script.js
@@ -0,0 +1 @@
+alert('Hello');
diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index 66039cf..5bf1e72 100644
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -252,6 +252,13 @@ class AttachmentsControllerTest < Redmine::ControllerTest
 set_tmp_attachments_directory
 end
+ def test_download_js_file
+ get :download, :id => 21
+ assert_response :success
+ assert_equal 'text/javascript', @response.content_type
+ set_tmp_attachments_directory
+ end
+
 def test_download_version_file_with_issue_tracking_disabled
 Project.find(1).disable_module! :issue_tracking
 get :download, :id => 9
diff --git a/test/integration/api_test/issues_test.rb b/test/integration/api_test/issues_test.rb
index b1e1891..f4cfc40 100644
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -296,7 +296,7 @@ class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
 get '/issues/3.xml?include=attachments'
 assert_select 'issue attachments[type=array]' do
- assert_select 'attachment', 4
+ assert_select 'attachment', 5
 assert_select 'attachment id', :text => '1' do
 assert_select '~ filename', :text => 'error281.txt'
 assert_select '~ content_url', :text => 'http://www.example.com/attachments/download/1/error281.txt'
--
2.9.1
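Review bot: `test_download_js_file` has no comment tying it to the controller change, so a later reader cannot tell that it exists to cover the skipped same-origin check. A line such as `# Non-XHR GET of a text/javascript response: rejected by verify_same_origin_request unless the controller skips it for download.` above the `get` call would make that explicit. The test also pins only the status and the content type; if JS attachments are meant to be delivered as downloads rather than inline, `assert_match(/attachment/, @response.headers['Content-Disposition'])` would pin that as well.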