From f8d0de21893a1ec982339c342d6f935354dc774c Mon Sep 17 00:00:00 2001
From: Valentin Rigal <rigal@teklia.com>
Date: Thu, 5 Oct 2023 08:01:38 +0000
Subject: [PATCH] Allow any request origin for IIIF endpoints

---
 arkindex/documents/apps.py                 |  1 +
 arkindex/documents/signals.py              | 17 ++++++++++++++
 arkindex/documents/tests/test_open_cors.py | 26 ++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 arkindex/documents/signals.py
 create mode 100644 arkindex/documents/tests/test_open_cors.py

diff --git a/arkindex/documents/apps.py b/arkindex/documents/apps.py
index bcac7a32f5..3c13922569 100644
--- a/arkindex/documents/apps.py
+++ b/arkindex/documents/apps.py
@@ -5,4 +5,5 @@ class DocumentsConfig(AppConfig):
     name = 'arkindex.documents'
 
     def ready(self):
+        from arkindex.documents import signals  # noqa: F401
         from arkindex.project import checks  # noqa: F401
diff --git a/arkindex/documents/signals.py b/arkindex/documents/signals.py
new file mode 100644
index 0000000000..287f295462
--- /dev/null
+++ b/arkindex/documents/signals.py
@@ -0,0 +1,17 @@
+from corsheaders.signals import check_request_enabled
+
+# List of endpoint open to any cross origin request
+OPEN_CORS_API = (
+    ('api', 'folder-manifest'),
+    ('api', 'element-annotation-list'),
+)
+
+
+def cors_allow_any_origin(sender, request, **kwargs):
+    route_match = request.resolver_match
+    if route_match is None:
+        return False
+    return (route_match.namespace, route_match.url_name) in OPEN_CORS_API
+
+
+check_request_enabled.connect(cors_allow_any_origin)
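Review bot: Returning True from `cors_allow_any_origin` makes django-cors-headers accept whatever `Origin` the caller sent for the two routes in `OPEN_CORS_API`, and the handler never checks whether the request is authenticated. If `CORS_ALLOW_CREDENTIALS` is enabled in the project settings (not visible in this patch), those responses would also carry `Access-Control-Allow-Credentials: true`, so a page on any site could read a logged-in user's manifest or annotation list, including non-public ones. Please confirm that setting, or limit the open path to requests without credentials. Either way, record the decision in a docstring on the handler, for example `"""Allow any origin on the public IIIF endpoints; responses must only expose data readable without credentials."""`.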
diff --git a/arkindex/documents/tests/test_open_cors.py b/arkindex/documents/tests/test_open_cors.py
new file mode 100644
index 0000000000..aee1936dbc
--- /dev/null
+++ b/arkindex/documents/tests/test_open_cors.py
@@ -0,0 +1,26 @@
+from django.urls import reverse
+
+from arkindex.documents.models import Element
+from arkindex.project.tests import FixtureAPITestCase
+
+
+class TestOpenCors(FixtureAPITestCase):
+
+    @classmethod
+    def setUpTestData(cls):
+        super().setUpTestData()
+        cls.vol = Element.objects.get(name='Volume 1')
+
+    def test_cors_open_endpoint(self):
+        response = self.client.get(
+            reverse('api:folder-manifest', kwargs={'pk': self.vol.id}),
+            HTTP_ORIGIN="http://anywhere.net",
+        )
+        self.assertEqual(response.headers.get('Access-Control-Allow-Origin'), 'http://anywhere.net')
+
+    def test_cors_closed_endpoint(self):
+        response = self.client.get(
+            reverse('api:element-retrieve', kwargs={'pk': self.vol.id}),
+            HTTP_ORIGIN="http://anywhere.net",
+        )
+        self.assertFalse('Access-Control-Allow-Origin' in response.headers.keys())
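Review bot: Both tests send a simple GET, so the preflight path is not covered. `request.resolver_match` is likely still None when the CORS middleware answers an `OPTIONS` preflight before URL resolution, in which case the handler's None guard returns False and a cross-origin request that needs a preflight would still be refused on the "open" endpoints. A third test calling `self.client.options(...)` with `HTTP_ACCESS_CONTROL_REQUEST_METHOD='GET'` against `api:folder-manifest` would pin down the intended behaviour. It would also be worth asserting that `Access-Control-Allow-Credentials` is absent on the open endpoint. As a style point, `self.assertNotIn('Access-Control-Allow-Origin', response.headers)` gives a clearer failure message than `assertFalse(... in response.headers.keys())`.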
-- 
GitLab