diff options
author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-10-02 10:22:30 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-10-02 10:22:30 +0000 |
commit | 31825ff1ee663d1f9478d9587c89c903f4eac474 (patch) | |
tree | aae8d98528ff9af2f9d846ce372930b43a53af89 | |
parent | dce9b21f3fcf19e9ac062f253d7c6312e8ace247 (diff) |
Merged r15856 (#23376).
git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@15877 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/attachments_controller.rb | 4 | ||||
-rw-r--r-- | test/functional/attachments_controller_test.rb | 13 |
2 files changed, 17 insertions, 0 deletions
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb index ea45397ef..ec7cb7936 100644 --- a/app/controllers/attachments_controller.rb +++ b/app/controllers/attachments_controller.rb @@ -22,6 +22,10 @@ class AttachmentsController < ApplicationController before_filter :delete_authorize, :only => :destroy before_filter :authorize_global, :only => :upload + # Disable check for same origin requests for JS files, i.e. attachments with + # MIME type text/javascript. + skip_after_filter :verify_same_origin_request, :only => :download + accept_api_auth :show, :download, :thumbnail, :upload, :destroy def show diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb index 5d3387975..c8bf99644 100644 --- a/test/functional/attachments_controller_test.rb +++ b/test/functional/attachments_controller_test.rb @@ -258,6 +258,19 @@ class AttachmentsControllerTest < ActionController::TestCase set_tmp_attachments_directory end + def test_download_js_file + set_tmp_attachments_directory + attachment = Attachment.create!( + :file => mock_file_with_options(:original_filename => "hello.js", :content_type => "text/javascript"), + :author_id => 2, + :container => Issue.find(1) + ) + + get :download, :id => attachment.id + assert_response :success + assert_equal 'text/javascript', @response.content_type + end + def test_download_version_file_with_issue_tracking_disabled Project.find(1).disable_module! :issue_tracking get :download, :id => 9 |