diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7d51312..7ccd86e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,6 +3,22 @@ class ApplicationController < ActionController::Base
   before_filter :setup_multitenancy
   before_filter :detect_stuff_by_domain
   before_filter :init_noosfero_plugins
+  before_filter :allow_cross_domain_access
+
+  protected
+
+  def allow_cross_domain_access
+    origin = request.headers['Origin']
+    return if origin.blank?
+    if environment.access_control_allow_origin.include? origin
+      response.headers["Access-Control-Allow-Origin"] = origin
+      unless environment.access_control_allow_methods.blank?
+        response.headers["Access-Control-Allow-Methods"] = environment.access_control_allow_methods
+      end
+    elsif environment.restrict_to_access_control_origins
+      render_access_denied _('Origin not in allowed.')
+    end
+  end
 
   include ApplicationHelper
   layout :get_layout
@@ -79,11 +95,10 @@ class ApplicationController < ActionController::Base
     false
   end
 
-
   def user
     current_user.person if logged_in?
   end
-
+
   alias :current_person :user
 
   # TODO: move this logic somewhere else (Domain class?)
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 77c3f2c..6b708fd 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
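Review bot: `allow_cross_domain_access` echoes the request Origin into `Access-Control-Allow-Origin` without adding `Vary: Origin`, so an intermediary or browser cache may hand a response carrying one origin's header to a different allowed origin; add `response.headers["Vary"] = "Origin"` next to the header assignment. `environment.access_control_allow_origin.include? origin` raises NoMethodError on any request that carries an Origin header when the list was never configured, if `settings_items :type => Array` does not imply an empty default — the environment.rb hunk declares it without `:default => []`, unlike `top_level_category_as_facet_ids` just above it — so either add that default there or guard here with `Array(environment.access_control_allow_origin).include?(origin)`. The `protected` inserted before the filter also applies to every method defined below it in the class (including `user` in the second hunk, and apparently `uses_design_blocks?`, which is why the test hunk switches to `send`); `protected :allow_cross_domain_access` after the definition would confine the visibility change to the new method.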
@@ -270,6 +270,13 @@ class Environment < ActiveRecord::Base
 
   settings_items :top_level_category_as_facet_ids, :type => Array, :default => []
 
+  # Set to return http forbidden to host not on the allow origin list bellow
+  settings_items :restrict_to_access_control_origins, :default => false
+  # Set this according to http://www.w3.org/TR/cors/. Headers are set at every response
+  # For multiple domains acts as suggested in http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains
+  settings_items :access_control_allow_origin, :type => Array
+  settings_items :access_control_allow_methods, :type => String
+
   def news_amount_by_folder=(amount)
     settings[:news_amount_by_folder] = amount.to_i
   end
diff --git a/test/functional/application_controller_test.rb b/test/functional/application_controller_test.rb
index 5af16d4..49d09a2 100644
--- a/test/functional/application_controller_test.rb
+++ b/test/functional/application_controller_test.rb
@@ -152,12 +152,12 @@ class ApplicationControllerTest < ActionController::TestCase
     class UsesBlocksTestController < ApplicationController
     end
 
-    assert UsesBlocksTestController.new.uses_design_blocks?
+    assert UsesBlocksTestController.new.send(:uses_design_blocks?)
 
     class DoesNotUsesBlocksTestController < ApplicationController
       no_design_blocks
     end
-    assert !DoesNotUsesBlocksTestController.new.uses_design_blocks?
+    assert !DoesNotUsesBlocksTestController.new.send(:uses_design_blocks?)
   end
 
   should 'generate blocks' do
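Review bot: The comments on the new settings do not say what an `access_control_allow_origin` entry must look like, yet the controller hunk compares entries with `include?` against the raw Origin header, so only a complete origin (scheme, host and port, no path or trailing slash) can ever match; say so in the comment, e.g. `# Full origins (scheme://host[:port]), matched exactly against the Origin request header`. The comment on `restrict_to_access_control_origins` should also state that the check only applies to requests that send an Origin header, since the filter returns early when it is blank, and "bellow" should read "below". The missing `:default => []` on the Array setting is raised in the application_controller.rb hunk.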
@@ -462,6 +462,26 @@ class ApplicationControllerTest < ActionController::TestCase
 
     assert_no_tag :tag => 'script', :attributes => {:src => /methods_bli/}
   end
 
+  should 'set access-control-allow-origin and method if configured' do
+    e = Environment.default
+    e.access_control_allow_origin = ['http://allowed']
+    e.save!
+
+    @request.env["Origin"] = "http://allowed"
+    get :index
+    assert_response :success
+
+    @request.env["Origin"] = "http://other"
+    get :index
+    assert_response :success
+
+    @request.env["Origin"] = "http://other"
+    e.restrict_to_access_control_origins = true
+    e.save!
+    get :index
+    assert_response :forbidden
+  end
+
   if ActiveRecord::Base.connection.adapter_name == 'PostgreSQL'
     should 'change postgresql schema' do
-- 
libgit2 0.21.2
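Review bot: The new test never checks the headers it is named after: after the first `get :index` it should assert the echoed origin, `assert_equal 'http://allowed', @response.headers['Access-Control-Allow-Origin']`, and after the `http://other` request that the header is absent, `assert_nil @response.headers['Access-Control-Allow-Origin']`; as written it passes even if `allow_cross_domain_access` sets nothing. Setting `@request.env["Origin"]` appears to rely on the literal key being found in the env hash, whereas a real request exposes the header as `HTTP_ORIGIN`, so `@request.env["HTTP_ORIGIN"]` would exercise the same lookup path the controller's `request.headers['Origin']` takes in production. The second `@request.env["Origin"] = "http://other"` assignment is redundant, as the value is unchanged from the previous step.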