Added an Admin setting to enable/disable the REST web service. (#3920)

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3220 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Eric Davis 2009-12-23 06:27:44 +00:00
parent e07e9d8bfe
commit bfcd5039f2
9 changed files with 131 additions and 2 deletions

View File

@ -70,7 +70,7 @@ class ApplicationController < ActionController::Base
elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
# RSS key authentication does not start a session
User.find_by_rss_key(params[:key])
elsif ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action])
elsif Setting.rest_api_enabled? && ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action])
if params[:key].present?
# Use API key
User.find_by_api_key(params[:key])

View File

@ -24,7 +24,8 @@ module SettingsHelper
{:name => 'issues', :partial => 'settings/issues', :label => :label_issue_tracking},
{:name => 'notifications', :partial => 'settings/notifications', :label => :field_mail_notification},
{:name => 'mail_handler', :partial => 'settings/mail_handler', :label => :label_incoming_emails},
{:name => 'repositories', :partial => 'settings/repositories', :label => :label_repository_plural}
{:name => 'repositories', :partial => 'settings/repositories', :label => :label_repository_plural},
{:name => 'integration', :partial => 'settings/integration', :label => :label_integration}
]
end

View File

@ -0,0 +1,8 @@
<% form_tag({:action => 'edit', :tab => 'integration'}) do %>
<div class="box tabular settings">
<p><%= setting_check_box :rest_api_enabled %></p>
</div>
<%= submit_tag l(:button_save) %>
<% end %>

View File

@ -324,6 +324,7 @@ en:
setting_issue_done_ratio_issue_field: Use the issue field
setting_issue_done_ratio_issue_status: Use the issue status
setting_start_of_week: Start calendars on
setting_rest_api_enabled: Enable REST web service
permission_add_project: Create project
permission_edit_project: Edit project
@ -735,6 +736,7 @@ en:
label_api_access_key: API access key
label_missing_api_access_key: Missing an API access key
label_api_access_key_created_on: "API access key created {{value}} ago"
label_integration: Integration
button_login: Login
button_submit: Submit

View File

@ -176,3 +176,5 @@ gravatar_default:
default: ''
start_of_week:
default: ''
rest_api_enabled:
default: 0

View File

@ -4,10 +4,12 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
fixtures :all
def setup
Setting.rest_api_enabled = '1'
Setting.login_required = '1'
end
def teardown
Setting.rest_api_enabled = '0'
Setting.login_required = '0'
end

View File

@ -0,0 +1,110 @@
require "#{File.dirname(__FILE__)}/../test_helper"
class DisabledRestApi < ActionController::IntegrationTest
fixtures :all
def setup
Setting.rest_api_enabled = '0'
Setting.login_required = '1'
end
def teardown
Setting.rest_api_enabled = '1'
Setting.login_required = '0'
end
# Using the NewsController because it's a simple API.
context "get /news with the API disabled" do
context "in :xml format" do
context "with a valid api token" do
setup do
@user = User.generate_with_protected!
@token = Token.generate!(:user => @user, :action => 'api')
get "/news.xml?key=#{@token.value}"
end
should_respond_with :unauthorized
should_respond_with_content_type :xml
should "not login as the user" do
assert_equal User.anonymous, User.current
end
end
context "with a valid HTTP authentication" do
setup do
@user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
get "/news.xml", nil, :authorization => @authorization
end
should_respond_with :unauthorized
should_respond_with_content_type :xml
should "not login as the user" do
assert_equal User.anonymous, User.current
end
end
context "with a valid HTTP authentication using the API token" do
setup do
@user = User.generate_with_protected!
@token = Token.generate!(:user => @user, :action => 'api')
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
get "/news.xml", nil, :authorization => @authorization
end
should_respond_with :unauthorized
should_respond_with_content_type :xml
should "not login as the user" do
assert_equal User.anonymous, User.current
end
end
end
context "in :json format" do
context "with a valid api token" do
setup do
@user = User.generate_with_protected!
@token = Token.generate!(:user => @user, :action => 'api')
get "/news.json?key=#{@token.value}"
end
should_respond_with :unauthorized
should_respond_with_content_type :json
should "not login as the user" do
assert_equal User.anonymous, User.current
end
end
context "with a valid HTTP authentication" do
setup do
@user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
get "/news.json", nil, :authorization => @authorization
end
should_respond_with :unauthorized
should_respond_with_content_type :json
should "not login as the user" do
assert_equal User.anonymous, User.current
end
end
context "with a valid HTTP authentication using the API token" do
setup do
@user = User.generate_with_protected!
@token = Token.generate!(:user => @user, :action => 'api')
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
get "/news.json", nil, :authorization => @authorization
end
should_respond_with :unauthorized
should_respond_with_content_type :json
should "not login as the user" do
assert_equal User.anonymous, User.current
end
end
end
end
end

View File

@ -4,10 +4,12 @@ class HttpBasicLoginTest < ActionController::IntegrationTest
fixtures :all
def setup
Setting.rest_api_enabled = '1'
Setting.login_required = '1'
end
def teardown
Setting.rest_api_enabled = '0'
Setting.login_required = '0'
end

View File

@ -4,10 +4,12 @@ class HttpBasicLoginWithApiTokenTest < ActionController::IntegrationTest
fixtures :all
def setup
Setting.rest_api_enabled = '1'
Setting.login_required = '1'
end
def teardown
Setting.rest_api_enabled = '0'
Setting.login_required = '0'
end