allow cross-origin requests for add-on detail API calls (patch by @kewisch) (bug 772605)

2012-07-22 20:43:32 -07:00 · 2012-07-22 20:43:32 -07:00 · dbfa18ac67
--- a/apps/amo/decorators.py
+++ b/apps/amo/decorators.py
@ -191,3 +191,18 @@ def no_login_required(f):
    """
    f._no_login_required = True
    return f
+
+
+def allow_cross_site_request(f):
+    """Allow other sites to access this resource, see
+    https://developer.mozilla.org/en/HTTP_access_control."""
+    @functools.wraps(f)
+    def wrapper(request, *args, **kw):
+        response = f(request, *args, **kw)
+        """If Access-Control-Allow-Credentials isn't set, the browser won't
+        return data required cookies to see.  This is a good thing, let's keep
+        it that way."""
+        response['Access-Control-Allow-Origin'] = '*'
+        response['Access-Control-Allow-Methods'] = 'GET'
+        return response
+    return wrapper
--- a/apps/api/tests/test_views.py
+++ b/apps/api/tests/test_views.py
@ -133,7 +133,7 @@ class ControlCharacterTest(TestCase):

    def test(self):
        a = Addon.objects.get(pk=3615)
-        a.name = "I ove You"
+        a.name = "Iove You"
        a.save()
        response = make_call('addon/3615')
        self.assertNotContains(response, '')
@ -544,6 +544,21 @@ class APITest(TestCase):
        eq_(doc[0].tag, 'error')
        eq_(response.status_code, 404)

+    def test_cross_origin(self):
+        # Add-on details should allow cross-origin requests.
+        response = self.client.get('/en-US/firefox/api/%.1f/addon/3615' %
+                                   api.CURRENT_VERSION)
+
+        eq_(response['Access-Control-Allow-Origin'], '*')
+        eq_(response['Access-Control-Allow-Methods'], 'GET')
+
+        # Even those that are not found.
+        response = self.client.get('/en-US/firefox/api/%.1f/addon/999' %
+                                   api.CURRENT_VERSION)
+
+        eq_(response['Access-Control-Allow-Origin'], '*')
+        eq_(response['Access-Control-Allow-Methods'], 'GET')
+

 class ListTest(TestCase):
    """Tests the list view with various urls."""
@ -1184,6 +1199,22 @@ class SearchTest(ESTestCase):
        with self.assertNumQueries(0):
            addon.compatible_version(amo.FIREFOX.id, '4.0', 'all', 'strict')

+    def test_cross_origin(self):
+        # The search view doesn't allow cross-origin requests.
+        # First we check for a search without results.
+        response = self.client.get('/en-US/firefox/api/%.1f/search/firebug/3' %
+                                   api.CURRENT_VERSION)
+
+        assert not response.has_header('Access-Control-Allow-Origin')
+        assert not response.has_header('Access-Control-Allow-Methods')
+
+        # Now a search with results.
+        response = self.client.get('/en-US/firefox/api/%.1f/search/delicious' %
+                                   api.CURRENT_VERSION)
+
+        assert not response.has_header('Access-Control-Allow-Origin')
+        assert not response.has_header('Access-Control-Allow-Methods')
+

 class LanguagePacks(UploadTest):
    fixtures = ['addons/listed', 'base/apps', 'base/platforms']
--- a/apps/api/views.py
+++ b/apps/api/views.py
@ -25,7 +25,7 @@ from tower import ugettext as _, ugettext_lazy
 import amo
 import api
 from addons.models import Addon, CompatOverride
-from amo.decorators import post_required
+from amo.decorators import post_required, allow_cross_site_request
 from amo.models import manual_order
 from amo.urlresolvers import get_url_prefix
 from amo.utils import JSONEncoder
@ -242,6 +242,7 @@ class APIView(object):

 class AddonDetailView(APIView):

+    @allow_cross_site_request
    def process_request(self, addon_id):
        try:
            addon = Addon.objects.id_or_slug(addon_id).get()
--- a/apps/stats/decorators.py
+++ b/apps/stats/decorators.py
@ -1,16 +0,0 @@
-import functools
-
-
-def allow_cross_site_request(f):
-    """Allow other sites to access this resource, see
-    https://developer.mozilla.org/en/HTTP_access_control."""
-    @functools.wraps(f)
-    def wrapper(request, *args, **kw):
-        response = f(request, *args, **kw)
-        """If Access-Control-Allow-Credentials isn't set, the browser won't
-        return data required cookies to see.  This is a good thing, let's keep
-        it that way."""
-        response['Access-Control-Allow-Origin'] = '*'
-        response['Access-Control-Allow-Methods'] = 'GET'
-        return response
-    return wrapper
--- a/apps/stats/views.py
+++ b/apps/stats/views.py
@ -27,11 +27,10 @@ from bandwagon.views import get_collection
 from zadmin.models import SiteEvent

 import amo
-from amo.decorators import json_view, login_required
+from amo.decorators import allow_cross_site_request, json_view, login_required
 from amo.urlresolvers import reverse
 from amo.utils import memoize

-from .decorators import allow_cross_site_request
 from .models import CollectionCount, Contribution, DownloadCount, UpdateCount

 SERIES_GROUPS = ('day', 'week', 'month')