diff doc/admin_guide.txt @ 8039:e1cff9745fb4
refactor: make mime_type_allowlist class prop to configure from interfaces.py
The list of mime types that are served to the browser was located in a
list inside a function. The allow_html_file setting provided a limited
mechanism to add/remove the text/html mime type from the list.
Move the list from the function to the Client class level so that the
admin can add/remove from the list as required using interfaces.py.
Also remove application/pdf by default and provide docs in
admin_guide.txt on how to reenable viewing PDFs in the browser.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 17 Jun 2024 23:35:03 -0400 |
| parents | 098ceff38349 |
| children | 704757c71b84 |
--- a/doc/admin_guide.txt Mon Jun 17 23:18:37 2024 -0400 +++ b/doc/admin_guide.txt Mon Jun 17 23:35:03 2024 -0400 
@@ -324,6 +324,47 @@ mechanism allows the admin to allow use of brotli and zstd for dynamic content, but not for static content. +.. _browser_handling_attached_files: + +.. index:: single: interfaces.py; Controlling browser handling of attached files + +Controlling Browser Handling of Attached Files +============================================== + +You may be aware of the ``allow_html_file`` `config.ini setting +<reference.html#config-ini-section-web>`_. When set to yes, it permits +html files to be attached and displayed in the browser as html +files. The underlying mechanism used to enable/disable attaching HTML +is exposed using ``interfaces.py``. + +Similar to ``Client.precompressed_mime_types`` above, there is a +``Client.mime_type_allowlist``. If a mime type is present in this +list, an attachment with this mime type is served to the browser. If +the mime type is not present, the mime type is set to +``application/octet-stream`` which causes the browser to download the +attachment to a file. + +In release 2.4.0, the mime type ``application/pdf`` was removed from +the precompressed_mime_types list. This prevents the browser from +executing scripts that may be included in the PDF file. If you trust +the individuals uploading PDF files to your tracker and wish to allow +viewing PDF files from your tracker, you can do so by editing your +tracker's "interfaces.py" file. Adding:: + + from roundup.cgi.client import Client + Client.mime_type_allowlist.append('application/pdf') + +will permit the PDF files to be viewed in the browser rather than +downloaded to a file. + +Similarly, you can remove a mime type (e.g. audio/oog) using:: + + from roundup.cgi.client import Client + Client.mime_type_allowlist.remove('audio/oog') + +which will force the browser to save the attachment to a file rather +than playing the audio file. + .. index:: single: interfaces.py; setting REST maximum result limit Configuring REST Maximum Result Limit
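Review bot: The added paragraph beginning "In release 2.4.0" says ``application/pdf`` was removed from the precompressed_mime_types list, but the list this section documents, and the one the example right after it appends to, is ``Client.mime_type_allowlist``; the sentence should name that list, otherwise an admin looking for the reason PDFs now download is pointed at the compression setting. In the removal example, ``audio/oog`` looks like a typo for ``audio/ogg`` in both the prose and the ``remove()`` call. Because ``list.remove`` raises ValueError when the value is not in the list, a copied ``Client.mime_type_allowlist.remove('audio/oog')`` would raise unless that exact string is present, so the text should either say the type must already be in the list or show a membership check before the call.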
