Commit f59d7bafec05ed5d2da0b591708ccbdbdadf5f0c

Authored by Braulio Bhavamitra
1 parent 82c567f2

Support Access-Control-Allow-Origin configuration and use

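--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,6 +3,22 @@ class ApplicationController < ActionController::Base
 before_filter :setup_multitenancy
 before_filter :detect_stuff_by_domain
 before_filter :init_noosfero_plugins
+before_filter :allow_cross_domain_access
+
+protected
+
+def allow_cross_domain_access
+origin = request.headers['Origin']
+return if origin.blank?
+if environment.access_control_allow_origin.include? origin
+response.headers["Access-Control-Allow-Origin"] = origin
+unless environment.access_control_allow_methods.blank?
+response.headers["Access-Control-Allow-Methods"] = environment.access_control_allow_methods
+end
+elsif environment.restrict_to_access_control_origins
+render_access_denied _('Origin not in allowed.')
+end
+end
 
 include ApplicationHelper
 layout :get_layout
@@ -79,11 +95,10 @@ class ApplicationController < ActionController::Base
 false
 end
 
-
 def user
 current_user.person if logged_in?
 end
-
+
 alias :current_person :user
 
 # TODO: move this logic somewhere else (Domain class?)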
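Review bot: `allow_cross_domain_access` echoes the request's Origin into `Access-Control-Allow-Origin` but never emits `Vary: Origin`, so an intermediate or shared cache may hand a response stamped for `http://allowed` to a request from a different origin; add `response.headers['Vary'] = 'Origin'` next to the `Access-Control-Allow-Origin` assignment. The `include?` call assumes `environment.access_control_allow_origin` is always an Array, yet the environment.rb hunk declares it with no `:default`, so on an environment that never configured the list any request carrying an Origin header appears to raise `NoMethodError` on nil rather than fall through (unless `settings_items` coerces, which I cannot see here); `if Array(environment.access_control_allow_origin).include? origin` is the safe form. The `return if origin.blank?` line also means `restrict_to_access_control_origins` never blocks a request that simply omits the header, which is fine for same-origin browsers but worth a comment such as `# Requests without an Origin header (same-origin, curl) are never restricted` so nobody relies on it as an access control. Nothing handles a preflight `OPTIONS` request, so `Access-Control-Allow-Methods` is only ever sent on ordinary responses, where browsers ignore it.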
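--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -270,6 +270,13 @@ class Environment < ActiveRecord::Base
 
 settings_items :top_level_category_as_facet_ids, :type => Array, :default => []
 
+# Set to return http forbidden to host not on the allow origin list bellow
+settings_items :restrict_to_access_control_origins, :default => false
+# Set this according to http://www.w3.org/TR/cors/. Headers are set at every response
+# For multiple domains acts as suggested in http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
+settings_items :access_control_allow_origin, :type => Array
+settings_items :access_control_allow_methods, :type => String
+
 def news_amount_by_folder=(amount)
 settings[:news_amount_by_folder] = amount.to_i
 end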
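Review bot: `settings_items :access_control_allow_origin, :type => Array` carries no `:default`, unlike `top_level_category_as_facet_ids` two lines above, and the controller hunk calls `.include?` on it unconditionally; declare it as `settings_items :access_control_allow_origin, :type => Array, :default => []` so an unconfigured environment yields an empty allow list instead of nil. The comment above it should also state that entries are matched exactly against the Origin header (scheme, host and port, no wildcards), e.g. `# Exact origins, e.g. 'https://app.example.org'; compared verbatim with the request's Origin header`, since "according to the CORS spec" leaves operators guessing whether `*` or bare hostnames work. "bellow" in the first comment is a typo for "below".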
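--- a/test/functional/application_controller_test.rb
+++ b/test/functional/application_controller_test.rb
@@ -152,12 +152,12 @@ class ApplicationControllerTest < ActionController::TestCase
 
 class UsesBlocksTestController < ApplicationController
 end
-assert UsesBlocksTestController.new.uses_design_blocks?
+assert UsesBlocksTestController.new.send(:uses_design_blocks?)
 
 class DoesNotUsesBlocksTestController < ApplicationController
 no_design_blocks
 end
-assert !DoesNotUsesBlocksTestController.new.uses_design_blocks?
+assert !DoesNotUsesBlocksTestController.new.send(:uses_design_blocks?)
 end
 
 should 'generate blocks' do
@@ -462,6 +462,26 @@ class ApplicationControllerTest &lt; ActionController::TestCase
 assert_no_tag :tag => 'script', :attributes => {:src => /methods_bli/}
 end
 
+should 'set access-control-allow-origin and method if configured' do
+e = Environment.default
+e.access_control_allow_origin = ['http://allowed']
+e.save!
+
+@request.env["Origin"] = "http://allowed"
+get :index
+assert_response :success
+
+@request.env["Origin"] = "http://other"
+get :index
+assert_response :success
+
+@request.env["Origin"] = "http://other"
+e.restrict_to_access_control_origins = true
+e.save!
+get :index
+assert_response :forbidden
+end
+
 if ActiveRecord::Base.connection.adapter_name == 'PostgreSQL'
 
 should 'change postgresql schema' do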
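Review bot: The new test asserts only `:success` for both the allowed and the non-allowed origin, so it would still pass if the filter reflected every Origin or none; after the `http://allowed` request add `assert_equal 'http://allowed', @response.headers['Access-Control-Allow-Origin']`, and after the first `http://other` request add `assert_nil @response.headers['Access-Control-Allow-Origin']`. The test name promises "and method" but never sets `access_control_allow_methods`, so the `Access-Control-Allow-Methods` branch is unexercised; either drop "and method" from the name or configure it and assert the header. A case with no Origin header while `restrict_to_access_control_origins` is true would pin the early return in the filter, which is the behaviour a deployer is most likely to misread.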