From 50f5363b69f7de5782943230a9e351fc99c13492 Mon Sep 17 00:00:00 2001
From: Matthew Grove
Date: Wed, 1 Feb 2023 23:17:24 +0000
Subject: [PATCH] [FIX] Move site URL settings out of constance to allow access for CORS

CORS options require access to these settings, so they must be set before deployment
---
 breccia_mapper/settings.py | 35 ++++++++++++++++++++++++----
 deploy/settings.example.ini | 26 ++++++++++++++++++++-
 people/fixtures/email_templates.json | 4 ++--
 people/models/person.py | 1 +
 4 files changed, 59 insertions(+), 7 deletions(-)

diff --git a/breccia_mapper/settings.py b/breccia_mapper/settings.py
index cdade2c..a72cf16 100644
--- a/breccia_mapper/settings.py
+++ b/breccia_mapper/settings.py
@@ -23,6 +23,14 @@ The most likely required settings are: SECRET_KEY, DEBUG, ALLOWED_HOSTS, DATABAS
 default: False
 Should the server run in debug mode? Provides information to users which is unsafe in production
 
+- SITE_URL default: localhost The URL the site will be deployed on. Do not include http://, https://, or a trailing slash.
+
+- SITE_PROTOCOL default: http The protocol the site uses. Valid options are http or https.
+
 - ALLOWED_HOSTS
 default: * if DEBUG else localhost
 Accepted values for server header in request - protects against CSRF and CSS attacks
@@ -106,6 +114,8 @@ import dj_database_url
 SETTINGS_EXPORT = [
 'DEBUG',
+ 'SITE_URL',
+ 'SITE_PROTOCOL',
 'GOOGLE_MAPS_API_KEY',
 ]
@@ -124,6 +134,27 @@ ALLOWED_HOSTS = config(
 default='*' if DEBUG else '127.0.0.1,localhost,localhost.localdomain',
 cast=Csv())
 
+# Site URL
+SITE_URL = config('SITE_URL', default='localhost')
+SITE_PROTOCOL = config('SITE_PROTOCOL', default='http')
+
+# CORS settings
+CORS_ALLOW_CREDENTIALS = True
+CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOW_CREDENTIALS = True
+CSRF_TRUSTED_ORIGINS = config( 'TRUSTED_ORIGINS', default='*' if DEBUG else 'http://127.0.0.1,http://localhost,http://localhost.localdomain', cast=Csv())
+CORS_REPLACE_HTTPS_REFERER = True
+CSRF_COOKIE_DOMAIN = config( 'SITE_URL', default='localhost')
+CORS_ORIGIN_WHITELIST = config( 'TRUSTED_ORIGINS', default='*' if DEBUG else 'http://127.0.0.1,http://localhost,http://localhost.localdomain', cast=Csv())
+
 # Application definition
 
 DJANGO_APPS = [
@@ -349,9 +380,6 @@ CONSTANCE_CONFIG = {
 'RELATIONSHIP_FORM_HELP': (
 '',
 'Help text to display at the top of relationship forms.'),
- 'SITE_URL': (
- 'http://localhost',
- 'URL at which this mapper tool is accessible - do NOT include a trailing forward slash'),
 'SITE_ICON': (
 'icon.png',
 'Site icon',
@@ -458,7 +486,6 @@ CONSTANCE_CONFIG_FIELDSETS = {
 'RELATIONSHIP_FORM_HELP',
 ),
 'Deployment': (
- 'SITE_URL',
 'SITE_ICON',
 'SITE_ICON_192x192',
 ),
diff --git a/deploy/settings.example.ini b/deploy/settings.example.ini
index 2fbe05b..257158c 100644
--- a/deploy/settings.example.ini
+++ b/deploy/settings.example.ini
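Review bot: `CORS_ORIGIN_ALLOW_ALL = True` together with `CORS_ALLOW_CREDENTIALS = True` (assigned twice in this hunk) is the defect here: when credentials are allowed, django-cors-headers echoes the request's own Origin instead of `*`, so any website can make cookie-authenticated cross-origin requests to this backend, and `CORS_ORIGIN_WHITELIST` further down becomes dead configuration. The stated reason for the commit, CORS needing the site URL, is also not met, since `SITE_URL` and `SITE_PROTOCOL` are read but the CSRF/CORS defaults remain hard-coded `http://localhost` variants, and `CSRF_COOKIE_DOMAIN` re-reads `config('SITE_URL')` instead of reusing the variable defined a few lines above. As far as I recall a bare `'*'` is not a valid wildcard for `CSRF_TRUSTED_ORIGINS` (Django 4.0+ requires a scheme on every entry) or for the django-cors-headers origin list, and `CORS_REPLACE_HTTPS_REFERER` was removed from django-cors-headers in the 3.x series — both worth confirming against the pinned versions. The rewrite below keeps allow-all for DEBUG only, sets the credentials flag once, and derives the trusted-origin default from the configured protocol and host.
```python
# Site URL
SITE_URL = config('SITE_URL', default='localhost')
SITE_PROTOCOL = config('SITE_PROTOCOL', default='http')

# CORS / CSRF settings
# An allow-all origin policy must not be combined with credentials: django-cors-headers
# echoes the request Origin when CORS_ALLOW_CREDENTIALS is set, so the permissive
# mode is limited to DEBUG deployments.
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_ALLOW_ALL = DEBUG
_DEFAULT_TRUSTED_ORIGINS = ','.join(
    '{}://{}'.format(SITE_PROTOCOL, host)
    for host in ('127.0.0.1', 'localhost', 'localhost.localdomain', SITE_URL))
TRUSTED_ORIGINS = config('TRUSTED_ORIGINS', default=_DEFAULT_TRUSTED_ORIGINS, cast=Csv())
CSRF_TRUSTED_ORIGINS = TRUSTED_ORIGINS
CORS_ORIGIN_WHITELIST = TRUSTED_ORIGINS
CSRF_COOKIE_DOMAIN = SITE_URL

# … unchanged: Application definition …
```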
@@ -1,9 +1,33 @@
 [settings]
+; REQUIRED=Secret key
+; Used to generate CSRF tokens - must never be made public
+SECRET_KEY=changeme
+
+; Debug
+; Should the server run in debug mode? Provides information to users which is unsafe in production
+; Default: False
+DEBUG=False
+
 ; Allowed hosts
 ; Accepted values for server header in request - protects against CSRF and CSS attacks
 ; Default: * if DEBUG else localhost
-# ALLOWED_HOSTS=* if DEBUG else localhost
+# ALLOWED_HOSTS=127.0.0.1,localhost,localhost.localdomain
+
+; Site URL
+; The URL the site will be deployed on. Do not include http://, https://, or a trailing slash.
+; Default: localhost
+# SITE_URL=localhost
+
+; Site protocol
+; The protocol the site uses. Valid options are http or https.
+; Default: http
+# SITE_PROTOCOL=http
+
+; Trusted origins
+; The trusted origin domains of requests - protects against CSRF and CSS attacks
+; Default: '*' if DEBUG else 'http://127.0.0.1,http://localhost,http://localhost.localdomain'
+# TRUSTED_ORIGINS=http://127.0.0.1,http://localhost,http://localhost.localdomain
 
 ; Database URL
 ; URL to database - uses format described at https://github.com/jacobian/dj-database-url
diff --git a/people/fixtures/email_templates.json b/people/fixtures/email_templates.json
index 77bcdf4..d86c41c 100644
--- a/people/fixtures/email_templates.json
+++ b/people/fixtures/email_templates.json
@@ -7,8 +7,8 @@
 "created": "2020-04-27T12:13:30.448Z",
 "last_updated": "2020-04-27T14:45:27.152Z",
 "subject": "Welcome to {{config.PROJECT_LONG_NAME}}",
- "content": "Dear user,\r\n\r\nWelcome to {{ config.PROJECT_LONG_NAME }}. You can set your password at {{ config.SITE_URL }}/password_reset/.\r\n\r\nThanks,\r\n\r\nThe {{ config.PROJECT_SHORT_NAME }} team",
- "html_content": "
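Review bot: `SECRET_KEY=changeme` and `DEBUG=False` are the only entries in the new block written as live settings, while every other value in the file is shipped commented out with `#`; an operator who copies the example unchanged gets a deployment whose signing key is a public string, which defeats the CSRF and session protection the comment directly above describes. Prefer `# SECRET_KEY=` with the comment stating that it is required, so that startup fails until a real value is supplied (assuming settings.py gives SECRET_KEY no default, as its module docstring suggests). The heading `; REQUIRED=Secret key` reads like a key/value pair; `; Secret key (REQUIRED)` matches the other headings. Minor: "CSS attacks" in the new TRUSTED_ORIGINS description presumably means XSS.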

{{ config.PROJECT_LONG_NAME }}


Dear user,


Welcome to {{ config.PROJECT_LONG_NAME }}. You can set your password here.


Thanks,

The {{ config.PROJECT_SHORT_NAME }} team

",
+ "content": "Dear user,\r\n\r\nWelcome to {{ config.PROJECT_LONG_NAME }}. You can set your password at {{ settings.SITE_PROTOCOL }}://{{ settings.SITE_URL }}/password_reset/.\r\n\r\nThanks,\r\n\r\nThe {{ config.PROJECT_SHORT_NAME }} team",
+ "html_content": "

{{ config.PROJECT_LONG_NAME }}


Dear user,


Welcome to {{ config.PROJECT_LONG_NAME }}. You can set your password here.


Thanks,

The {{ config.PROJECT_SHORT_NAME }} team

",
 "language": "",
 "default_template": null
 }
diff --git a/people/models/person.py b/people/models/person.py
index fa38acd..9934483 100755
--- a/people/models/person.py
+++ b/people/models/person.py
@@ -47,6 +47,7 @@ class User(AbstractUser):
 context = {
 'user': self,
 'config': config,
+ 'settings': settings,
 }
 logger.info('Sending welcome mail to user \'%s\'', self.username)
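Review bot: Passing the whole `settings` object into the email template context exposes every Django setting — `SECRET_KEY`, database credentials, API keys — to whatever renders the template, and the fixture changed in this same commit shows these templates are stored data with editable `content`/`html_content` fields rather than files on disk, so anyone who can edit a template can read `{{ settings.SECRET_KEY }}`. This assumes `settings` here is `django.conf.settings`; its import is outside the hunk, as is the start of the enclosing method. Pass only the two values the template needs, e.g. `'settings': {'SITE_URL': settings.SITE_URL, 'SITE_PROTOCOL': settings.SITE_PROTOCOL},`, which keeps the `{{ settings.SITE_PROTOCOL }}://{{ settings.SITE_URL }}` references in the fixture working unchanged.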