#7927 Enable CORS access to rest APIs

v1.3.1
closed
General
2015-07-27
2015-07-13
No

Original request: https://sourceforge.net/p/forge/feature-requests/426/

May need .ini settings if this is something that some sites would want and not others.

Discussion

  • Dave Brondsema

    Dave Brondsema - 2015-07-13
    • labels: api --> api, sf-2, sf-current
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-07-14
    • labels: api, sf-2, sf-current --> api, sf-2, sf-current, 42cc
    • status: open --> in-progress
    • assigned_to: Igor Bondarenko
     
  • Igor Bondarenko

    Igor Bondarenko - 2015-07-16

    Closed #821. ib/7927

    QA instructions:

    • See the notes below depending on your setup
    • Generate bearer token at /auth/oauth
    • Open this script in your browser and play with various API endpoints/methods

     
    Local notes:

    • Uncomment cors.enabled, cors.methods and cors.headers in development.ini
    • Comment out https check for APIs

     
    Allura/allura/controllers/rest.py

            #if not testing and request.scheme != 'https':
                #request.environ['pylons.status_code_redirect'] = True
                #raise exc.HTTPForbidden
    

     
    Sandbox notes:

    • Make sure you are using https for the request or else you will get constant 403
    • Add cors.enabled, cors.methods and cors.headers to production.ini
    • Enable passing auth headers in apache

     
    /etc/httpd/conf.d/allura-venv.conf

        WSGIPassAuthorization On
    
     

    Last edit: Igor Bondarenko 2015-07-17
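
An added sketch, not part of the ticket or of Allura's code base: a minimal WSGI middleware showing what settings like cors.methods and cors.headers from the QA notes control when a browser preflights a cross-origin REST call. The setting values, the /rest/ prefix check, the wildcard origin and the names CORSMiddleware, call and api are assumptions made for illustration.

```python
# Added illustration, not Allura's code. Settings mirror the ini keys in the
# ticket; their values and the /rest/ prefix check are assumptions.
class CORSMiddleware:
    def __init__(self, app, methods, headers, prefix='/rest/'):
        self.app = app
        self.methods = {m.upper() for m in methods.split()}   # like cors.methods
        self.headers = {h.lower() for h in headers.split()}   # like cors.headers
        self.prefix = prefix

    def __call__(self, environ, start_response):
        in_scope = environ.get('PATH_INFO', '').startswith(self.prefix)
        if 'HTTP_ORIGIN' not in environ or not in_scope:
            return self.app(environ, start_response)   # no CORS headers added
        asked = environ.get('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
        if environ['REQUEST_METHOD'] == 'OPTIONS' and asked:
            return self.preflight(environ, asked, start_response)

        def with_cors(status, hdrs, exc_info=None):
            # Wildcard origin, no Access-Control-Allow-Credentials: browsers do
            # not expose such responses to credentialed (cookie) requests, so a
            # caller must present its bearer token explicitly.
            allow = [('Access-Control-Allow-Origin', '*')]
            return start_response(status, hdrs + allow, exc_info)
        return self.app(environ, with_cors)

    def preflight(self, environ, asked, start_response):
        raw = environ.get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS', '')
        wanted = {h.strip().lower() for h in raw.split(',') if h.strip()}
        hdrs = [('Content-Length', '0')]
        if asked.upper() in self.methods and wanted <= self.headers:
            hdrs += [('Access-Control-Allow-Origin', '*'),
                     ('Access-Control-Allow-Methods', ', '.join(sorted(self.methods))),
                     ('Access-Control-Allow-Headers', ', '.join(sorted(self.headers)))]
        # Otherwise no CORS headers go out and the browser blocks the real request.
        start_response('200 OK', hdrs)
        return [b'']

def call(app, **environ):
    """Drive a WSGI app with a constructed environ; return (status, headers)."""
    seen = {}
    def start_response(status, hdrs, exc_info=None):
        seen['status'], seen['headers'] = status, dict(hdrs)
    list(app(environ, start_response))
    return seen['status'], seen['headers']

def api(environ, start_response):   # stand-in for a REST endpoint
    start_response('200 OK', [('Content-Type', 'application/json')])
    return [b'{}']
```
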
  • Igor Bondarenko

    Igor Bondarenko - 2015-07-16
    • status: in-progress --> review
     
  • Dave Brondsema

    Dave Brondsema - 2015-07-16
    • Reviewer: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2015-07-21
    • status: review --> closed
     
  • Dave Brondsema

    Dave Brondsema - 2015-07-21

    Found two minor issues with the cache setting, and fixed them. Also added another test to assert a tricky attack vector stays closed.

     
  • Dave Brondsema

    Dave Brondsema - 2015-07-27
    • labels: api, sf-2, sf-current, 42cc --> api, sf-2, 42cc
     
  • Dave Brondsema

    Dave Brondsema - 2015-08-10
    • Milestone: unreleased --> v1.3.1
     
