Make JSONP support optional and disabled by default (#12992).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11272 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/views/settings/_authentication.html.erb

@@ -19,6 +19,8 @@
 <p><%= setting_check_box :openid, :disabled => !Object.const_defined?(:OpenID) %></p>
 
 <p><%= setting_check_box :rest_api_enabled %></p>
+
+<p><%= setting_check_box :jsonp_enabled %></p>
 </div>
 
 <fieldset class="box">

config/locales/en.yml

@@ -397,6 +397,7 @@ en:
   setting_thumbnails_enabled: Display attachment thumbnails
   setting_thumbnails_size: Thumbnails size (in pixels)
   setting_non_working_week_days: Non-working days
+  setting_jsonp_enabled: Enable JSONP support
 
   permission_add_project: Create project
   permission_add_subprojects: Create subprojects

config/locales/fr.yml

@@ -394,6 +394,7 @@ fr:
   setting_thumbnails_enabled: Afficher les vignettes des images
   setting_thumbnails_size: Taille des vignettes (en pixels)
   setting_non_working_week_days: Jours non travaillés
+  setting_jsonp_enabled: Activer le support JSONP
 
   permission_add_project: Créer un projet
   permission_add_subprojects: Créer des sous-projets

config/settings.yml

@@ -211,6 +211,8 @@ start_of_week:
   default: ''
 rest_api_enabled:
   default: 0
+jsonp_enabled:
+  default: 0
 default_notification_option:
   default: 'only_my_events'
 emails_header:

lib/redmine/views/builders/json.rb

@@ -25,7 +25,10 @@ module Redmine
 
         def initialize(request, response)
           super
-          self.jsonp = (request.params[:callback] || request.params[:jsonp]).to_s.gsub(/[^a-zA-Z0-9_]/, '')
+          callback = request.params[:callback] || request.params[:jsonp]
+          if callback && Setting.jsonp_enabled?
+            self.jsonp = callback.to_s.gsub(/[^a-zA-Z0-9_]/, '')
+          end
         end
 
         def output

test/integration/api_test/jsonp_test.rb

@@ -20,8 +20,20 @@ require File.expand_path('../../../test_helper', __FILE__)
 class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   fixtures :trackers
 
+  def test_should_ignore_jsonp_callback_with_jsonp_disabled
+    with_settings :jsonp_enabled => '0' do
+      get '/trackers.json?jsonp=handler'
+    end
+
+    assert_response :success
+    assert_match %r{^\{"trackers":.+\}$}, response.body
+    assert_equal 'application/json; charset=utf-8', response.headers['Content-Type']
+  end
+
   def test_jsonp_should_accept_callback_param
-    get '/trackers.json?callback=handler'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback=handler'
+    end
 
     assert_response :success
     assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
@@ -29,7 +41,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_should_accept_jsonp_param
-    get '/trackers.json?jsonp=handler'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?jsonp=handler'
+    end
 
     assert_response :success
     assert_match %r{^handler\(\{"trackers":.+\}\)$}, response.body
@@ -37,7 +51,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_should_strip_invalid_characters_from_callback
-    get '/trackers.json?callback=+-aA$1_'
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback=+-aA$1_'
+    end
 
     assert_response :success
     assert_match %r{^aA1_\(\{"trackers":.+\}\)$}, response.body
@@ -45,7 +61,9 @@ class Redmine::ApiTest::JsonpTest < Redmine::ApiTest::Base
   end
 
   def test_jsonp_without_callback_should_return_json
-    get '/trackers.json?callback='
+    with_settings :jsonp_enabled => '1' do
+      get '/trackers.json?callback='
+    end
 
     assert_response :success
     assert_match %r{^\{"trackers":.+\}$}, response.body