Commit e61a0cbae925ae8608f7037cf0350e2fade0b55a
Exists in
master
and in
28 other branches
Merge commit 'refs/merge-requests/287' of git://gitorious.org/noosfero/noosfero …
…into merge-requests/287 Conflicts: app/models/environment.rb
Showing
3 changed files
with
46 additions
and
4 deletions
Show diff stats
app/controllers/application_controller.rb
| @@ -3,6 +3,22 @@ class ApplicationController < ActionController::Base | @@ -3,6 +3,22 @@ class ApplicationController < ActionController::Base | ||
| 3 | before_filter :setup_multitenancy | 3 | before_filter :setup_multitenancy |
| 4 | before_filter :detect_stuff_by_domain | 4 | before_filter :detect_stuff_by_domain |
| 5 | before_filter :init_noosfero_plugins | 5 | before_filter :init_noosfero_plugins |
| 6 | + before_filter :allow_cross_domain_access | ||
| 7 | + | ||
| 8 | + protected | ||
| 9 | + | ||
| 10 | + def allow_cross_domain_access | ||
| 11 | + origin = request.headers['Origin'] | ||
| 12 | + return if origin.blank? | ||
| 13 | + if environment.access_control_allow_origin.include? origin | ||
| 14 | + response.headers["Access-Control-Allow-Origin"] = origin | ||
| 15 | + unless environment.access_control_allow_methods.blank? | ||
| 16 | + response.headers["Access-Control-Allow-Methods"] = environment.access_control_allow_methods | ||
| 17 | + end | ||
| 18 | + elsif environment.restrict_to_access_control_origins | ||
| 19 | + render_access_denied _('Origin not in allowed.') | ||
| 20 | + end | ||
| 21 | + end | ||
| 6 | 22 | ||
| 7 | include ApplicationHelper | 23 | include ApplicationHelper |
| 8 | layout :get_layout | 24 | layout :get_layout |
| @@ -79,11 +95,10 @@ class ApplicationController < ActionController::Base | @@ -79,11 +95,10 @@ class ApplicationController < ActionController::Base | ||
| 79 | false | 95 | false |
| 80 | end | 96 | end |
| 81 | 97 | ||
| 82 | - | ||
| 83 | def user | 98 | def user |
| 84 | current_user.person if logged_in? | 99 | current_user.person if logged_in? |
| 85 | end | 100 | end |
| 86 | - | 101 | + |
| 87 | alias :current_person :user | 102 | alias :current_person :user |
| 88 | 103 | ||
| 89 | # TODO: move this logic somewhere else (Domain class?) | 104 | # TODO: move this logic somewhere else (Domain class?) |
app/models/environment.rb
| @@ -268,6 +268,13 @@ class Environment < ActiveRecord::Base | @@ -268,6 +268,13 @@ class Environment < ActiveRecord::Base | ||
| 268 | 268 | ||
| 269 | settings_items :search_hints, :type => Hash, :default => {} | 269 | settings_items :search_hints, :type => Hash, :default => {} |
| 270 | 270 | ||
| 271 | + # Set to return http forbidden to host not on the allow origin list bellow | ||
| 272 | + settings_items :restrict_to_access_control_origins, :default => false | ||
| 273 | + # Set this according to http://www.w3.org/TR/cors/. Headers are set at every response | ||
| 274 | + # For multiple domains acts as suggested in http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains | ||
| 275 | + settings_items :access_control_allow_origin, :type => Array | ||
| 276 | + settings_items :access_control_allow_methods, :type => String | ||
| 277 | + | ||
| 271 | def news_amount_by_folder=(amount) | 278 | def news_amount_by_folder=(amount) |
| 272 | settings[:news_amount_by_folder] = amount.to_i | 279 | settings[:news_amount_by_folder] = amount.to_i |
| 273 | end | 280 | end |
test/functional/application_controller_test.rb
| @@ -152,12 +152,12 @@ class ApplicationControllerTest < ActionController::TestCase | @@ -152,12 +152,12 @@ class ApplicationControllerTest < ActionController::TestCase | ||
| 152 | 152 | ||
| 153 | class UsesBlocksTestController < ApplicationController | 153 | class UsesBlocksTestController < ApplicationController |
| 154 | end | 154 | end |
| 155 | - assert UsesBlocksTestController.new.uses_design_blocks? | 155 | + assert UsesBlocksTestController.new.send(:uses_design_blocks?) |
| 156 | 156 | ||
| 157 | class DoesNotUsesBlocksTestController < ApplicationController | 157 | class DoesNotUsesBlocksTestController < ApplicationController |
| 158 | no_design_blocks | 158 | no_design_blocks |
| 159 | end | 159 | end |
| 160 | - assert !DoesNotUsesBlocksTestController.new.uses_design_blocks? | 160 | + assert !DoesNotUsesBlocksTestController.new.send(:uses_design_blocks?) |
| 161 | end | 161 | end |
| 162 | 162 | ||
| 163 | should 'generate blocks' do | 163 | should 'generate blocks' do |
| @@ -462,6 +462,26 @@ class ApplicationControllerTest < ActionController::TestCase | @@ -462,6 +462,26 @@ class ApplicationControllerTest < ActionController::TestCase | ||
| 462 | assert_no_tag :tag => 'script', :attributes => {:src => /methods_bli/} | 462 | assert_no_tag :tag => 'script', :attributes => {:src => /methods_bli/} |
| 463 | end | 463 | end |
| 464 | 464 | ||
| 465 | + should 'set access-control-allow-origin and method if configured' do | ||
| 466 | + e = Environment.default | ||
| 467 | + e.access_control_allow_origin = ['http://allowed'] | ||
| 468 | + e.save! | ||
| 469 | + | ||
| 470 | + @request.env["Origin"] = "http://allowed" | ||
| 471 | + get :index | ||
| 472 | + assert_response :success | ||
| 473 | + | ||
| 474 | + @request.env["Origin"] = "http://other" | ||
| 475 | + get :index | ||
| 476 | + assert_response :success | ||
| 477 | + | ||
| 478 | + @request.env["Origin"] = "http://other" | ||
| 479 | + e.restrict_to_access_control_origins = true | ||
| 480 | + e.save! | ||
| 481 | + get :index | ||
| 482 | + assert_response :forbidden | ||
| 483 | + end | ||
| 484 | + | ||
| 465 | if ActiveRecord::Base.connection.adapter_name == 'PostgreSQL' | 485 | if ActiveRecord::Base.connection.adapter_name == 'PostgreSQL' |
| 466 | 486 | ||
| 467 | should 'change postgresql schema' do | 487 | should 'change postgresql schema' do |