[FIX] Move site URL settings out of constance to allow access for CORS

CORS options require access to these settings, so they must be set before deployment

breccia_mapper/settings.py

@@ -23,6 +23,14 @@ The most likely required settings are: SECRET_KEY, DEBUG, ALLOWED_HOSTS, DATABAS
   default: False
   Should the server run in debug mode?  Provides information to users which is unsafe in production
 
+- SITE_URL
+  default: localhost
+  The URL the site will be deployed on. Do not include http://, https://, or a trailing slash.
+
+- SITE_PROTOCOL
+  default: http
+  The protocol the site uses. Valid options are http or https.
+
 - ALLOWED_HOSTS
   default: * if DEBUG else localhost
   Accepted values for server header in request - protects against CSRF and CSS attacks
@@ -106,6 +114,8 @@ import dj_database_url
 
 SETTINGS_EXPORT = [
     'DEBUG',
+    'SITE_URL',
+    'SITE_PROTOCOL',
     'GOOGLE_MAPS_API_KEY',
 ]
 
@@ -124,6 +134,27 @@ ALLOWED_HOSTS = config(
     default='*' if DEBUG else '127.0.0.1,localhost,localhost.localdomain',
     cast=Csv())
 
+# Site URL
+SITE_URL = config('SITE_URL', default='localhost')
+SITE_PROTOCOL = config('SITE_PROTOCOL', default='http')
+
+# CORS settings
+CORS_ALLOW_CREDENTIALS = True
+CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOW_CREDENTIALS = True
+CSRF_TRUSTED_ORIGINS = config(
+    'TRUSTED_ORIGINS',
+    default='*' if DEBUG else 'http://127.0.0.1,http://localhost,http://localhost.localdomain',
+    cast=Csv())
+CORS_REPLACE_HTTPS_REFERER = True
+CSRF_COOKIE_DOMAIN = config(
+    'SITE_URL',
+    default='localhost')
+CORS_ORIGIN_WHITELIST = config(
+    'TRUSTED_ORIGINS',
+    default='*' if DEBUG else 'http://127.0.0.1,http://localhost,http://localhost.localdomain',
+    cast=Csv())
+
 # Application definition
 
 DJANGO_APPS = [
@@ -349,9 +380,6 @@ CONSTANCE_CONFIG = {
     'RELATIONSHIP_FORM_HELP': (
         '',
         'Help text to display at the top of relationship forms.'),
-    'SITE_URL': (
-      'http://localhost',
-      'URL at which this mapper tool is accessible - do NOT include a trailing forward slash'),
     'SITE_ICON': (
         'icon.png',
         'Site icon',
@@ -458,7 +486,6 @@ CONSTANCE_CONFIG_FIELDSETS = {
         'RELATIONSHIP_FORM_HELP',
     ),
     'Deployment': (
-        'SITE_URL',
         'SITE_ICON',
         'SITE_ICON_192x192',
     ),

deploy/settings.example.ini

@@ -1,9 +1,33 @@
 [settings]
 
+; REQUIRED=Secret key
+; Used to generate CSRF tokens - must never be made public
+SECRET_KEY=changeme
+
+; Debug
+; Should the server run in debug mode?  Provides information to users which is unsafe in production
+; Default: False
+DEBUG=False
+
 ; Allowed hosts
 ; Accepted values for server header in request - protects against CSRF and CSS attacks
 ; Default: * if DEBUG else localhost
-# ALLOWED_HOSTS=* if DEBUG else localhost
+# ALLOWED_HOSTS=127.0.0.1,localhost,localhost.localdomain
+
+; Site URL
+; The URL the site will be deployed on. Do not include http://, https://, or a trailing slash.
+; Default: localhost
+# SITE_URL=localhost
+
+; Site protocol
+; The protocol the site uses. Valid options are http or https.
+; Default: http
+# SITE_PROTOCOL=http
+
+; Trusted origins
+; The trusted origin domains of requests - protects against CSRF and CSS attacks
+; Default: '*' if DEBUG else 'http://127.0.0.1,http://localhost,http://localhost.localdomain'
+# TRUSTED_ORIGINS=http://127.0.0.1,http://localhost,http://localhost.localdomain
 
 ; Database URL
 ; URL to database - uses format described at https://github.com/jacobian/dj-database-url

people/fixtures/email_templates.json

@@ -7,8 +7,8 @@
             "created": "2020-04-27T12:13:30.448Z",
             "last_updated": "2020-04-27T14:45:27.152Z",
             "subject": "Welcome to {{config.PROJECT_LONG_NAME}}",
-            "content": "Dear user,\r\n\r\nWelcome to {{ config.PROJECT_LONG_NAME }}. You can set your password at {{ config.SITE_URL }}/password_reset/.\r\n\r\nThanks,\r\n\r\nThe {{ config.PROJECT_SHORT_NAME }} team",
+            "content": "Dear user,\r\n\r\nWelcome to {{ config.PROJECT_LONG_NAME }}. You can set your password at {{ settings.SITE_PROTOCOL }}://{{ settings.SITE_URL }}/password_reset/.\r\n\r\nThanks,\r\n\r\nThe {{ config.PROJECT_SHORT_NAME }} team",
-            "html_content": "<h1>{{ config.PROJECT_LONG_NAME }}</h1><br/><p>Dear user,</p><br/><p>Welcome to {{ config.PROJECT_LONG_NAME }}. You can set your password <a href='{{ config.SITE_URL }}/password_reset/'>here</a>.</p><br/><p>Thanks,</p><p>The {{ config.PROJECT_SHORT_NAME }} team</p>",
+            "html_content": "<h1>{{ config.PROJECT_LONG_NAME }}</h1><br/><p>Dear user,</p><br/><p>Welcome to {{ config.PROJECT_LONG_NAME }}. You can set your password <a href='{{ settings.SITE_PROTOCOL }}://{{ settings.SITE_URL }}/password_reset/'>here</a>.</p><br/><p>Thanks,</p><p>The {{ config.PROJECT_SHORT_NAME }} team</p>",
             "language": "",
             "default_template": null
         }

people/models/person.py

@@ -47,6 +47,7 @@ class User(AbstractUser):
         context = {
             'user': self,
             'config': config,
+            'settings': settings,
         }
 
         logger.info('Sending welcome mail to user \'%s\'', self.username)