kopia lustrzana https://github.com/simonw/datasette
CORS headers for write APIs, refs #1922
rodzic
4ddd77e512
commit
48725bb4ea
|
@ -73,13 +73,20 @@ class BaseView:
|
|||
request.path.endswith(".json")
|
||||
or request.headers.get("content-type") == "application/json"
|
||||
):
|
||||
return Response.json(
|
||||
response = Response.json(
|
||||
{"ok": False, "error": "Method not allowed"}, status=405
|
||||
)
|
||||
return Response.text("Method not allowed", status=405)
|
||||
else:
|
||||
response = Response.text("Method not allowed", status=405)
|
||||
if self.ds.cors:
|
||||
add_cors_headers(response.headers)
|
||||
return response
|
||||
|
||||
async def options(self, request, *args, **kwargs):
|
||||
return await self.method_not_allowed(request)
|
||||
r = Response.text("ok")
|
||||
if self.ds.cors:
|
||||
add_cors_headers(r.headers)
|
||||
return r
|
||||
|
||||
async def get(self, request, *args, **kwargs):
|
||||
return await self.method_not_allowed(request)
|
||||
|
@ -155,12 +162,6 @@ class BaseView:
|
|||
class DataView(BaseView):
|
||||
name = ""
|
||||
|
||||
async def options(self, request, *args, **kwargs):
|
||||
r = Response.text("ok")
|
||||
if self.ds.cors:
|
||||
add_cors_headers(r.headers)
|
||||
return r
|
||||
|
||||
def redirect(self, request, path, forward_querystring=True, remove_args=None):
|
||||
if request.query_string and "?" not in path and forward_querystring:
|
||||
path = f"{path}?{request.query_string}"
|
||||
|
|
|
@ -897,14 +897,32 @@ def test_config_force_https_urls():
|
|||
("/fixtures/no_primary_key.json", 200),
|
||||
# A 400 invalid SQL query should still have the header:
|
||||
("/fixtures.json?sql=select+blah", 400),
|
||||
# Write APIs
|
||||
("/fixtures/-/create", 405),
|
||||
("/fixtures/facetable/-/insert", 405),
|
||||
("/fixtures/facetable/-/drop", 405),
|
||||
],
|
||||
)
|
||||
def test_cors(app_client_with_cors, path, status_code):
|
||||
def test_cors(
|
||||
app_client_with_cors,
|
||||
app_client_two_attached_databases_one_immutable,
|
||||
path,
|
||||
status_code,
|
||||
):
|
||||
response = app_client_with_cors.get(path)
|
||||
assert response.status == status_code
|
||||
assert response.headers["Access-Control-Allow-Origin"] == "*"
|
||||
assert response.headers["Access-Control-Allow-Headers"] == "Authorization"
|
||||
assert response.headers["Access-Control-Expose-Headers"] == "Link"
|
||||
# Same request to app_client_two_attached_databases_one_immutable
|
||||
# should not have those headers - I'm using that fixture because
|
||||
# regular app_client doesn't have immutable fixtures.db which means
|
||||
# the test for /fixtures.db returns a 403 error
|
||||
response = app_client_two_attached_databases_one_immutable.get(path)
|
||||
assert response.status == status_code
|
||||
assert "Access-Control-Allow-Origin" not in response.headers
|
||||
assert "Access-Control-Allow-Headers" not in response.headers
|
||||
assert "Access-Control-Expose-Headers" not in response.headers
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
|
|
Ładowanie…
Reference in New Issue