Make xmlrpc and rest APIs configurable

Author: schlatterbeck

roundup/cgi/client.py

@@ -426,10 +426,13 @@ def setTranslator(self, translator=None):
     def main(self):
         """ Wrap the real main in a try/finally so we always close off the db.
         """
+        xmlrpc_enabled = self.instance.config.WEB_ENABLE_XMLRPC
+        rest_enabled   = self.instance.config.WEB_ENABLE_REST
         try:
-            if self.path == 'xmlrpc':
+            if xmlrpc_enabled and self.path == 'xmlrpc':
                 self.handle_xmlrpc()
-            elif self.path == 'rest' or self.path[:5] == 'rest/':
+            elif rest_enabled and (self.path == 'rest' or
+                                   self.path[:5] == 'rest/'):
                 self.handle_rest()
             else:
                 self.inner_main()

roundup/configuration.py

@@ -727,6 +727,18 @@ def str2value(self, value):
 are logged into roundup and open a roundup link
 from a source other than roundup (e.g. link in
 email)."""),
+        (BooleanOption, 'enable_xmlrpc', "yes",
+            """Whether to enable the XMLRPC API in the roundup web
+interface. By default the XMLRPC endpoint is the string 'xmlrpc'
+after the roundup web url configured in the 'tracker' section.
+If this variable is set to 'no', the xmlrpc path has no special meaning
+and will yield an error message."""),
+        (BooleanOption, 'enable_rest', "yes",
+            """Whether to enable the REST API in the roundup web
+interface. By default the REST endpoint is the string 'rest' plus any
+additional REST-API parameters after the roundup web url configured in
+the tracker section. If this variable is set to 'no', the rest path has
+no special meaning and will yield an error message."""),
         (CsrfSettingOption, 'csrf_enforce_token', "yes",
             """How do we deal with @csrf fields in posted forms.
 Set this to 'required' to block the post and notify