Allow any request origin for IIIF endpoints

arkindex/documents/apps.py

@@ -5,4 +5,5 @@ class DocumentsConfig(AppConfig):
     name = 'arkindex.documents'
 
     def ready(self):
+        from arkindex.documents import signals  # noqa: F401
         from arkindex.project import checks  # noqa: F401

arkindex/documents/signals.py

+from corsheaders.signals import check_request_enabled
+
+# List of endpoint open to any cross origin request
+OPEN_CORS_API = (
+    ('api', 'folder-manifest'),
+    ('api', 'element-annotation-list'),
+)
+
+
+def cors_allow_any_origin(sender, request, **kwargs):
+    route_match = request.resolver_match
+    if route_match is None:
+        return False
+    return (route_match.namespace, route_match.url_name) in OPEN_CORS_API
+
+
+check_request_enabled.connect(cors_allow_any_origin)

arkindex/documents/tests/test_open_cors.py

+from django.urls import reverse
+
+from arkindex.documents.models import Element
+from arkindex.project.tests import FixtureAPITestCase
+
+
+class TestOpenCors(FixtureAPITestCase):
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+        cls.vol = Element.objects.get(name='Volume 1')
+
+    def test_cors_open_endpoint(self):
+        response = self.client.get(
+            reverse('api:folder-manifest', kwargs={'pk': self.vol.id}),
+            HTTP_ORIGIN="http://anywhere.net",
+        )
+        self.assertEqual(response.headers.get('Access-Control-Allow-Origin'), 'http://anywhere.net')
+
+    def test_cors_closed_endpoint(self):
+        response = self.client.get(
+            reverse('api:element-retrieve', kwargs={'pk': self.vol.id}),
+            HTTP_ORIGIN="http://anywhere.net",
+        )
+        self.assertFalse('Access-Control-Allow-Origin' in response.headers.keys())