From b24f0a6adbcbd74059a0d7585186b5e284c0c2e0 Mon Sep 17 00:00:00 2001
From: Ro
Date: Mon, 2 Aug 2021 12:52:19 -0700
Subject: [PATCH] quick patch for CORS check while in site init state
---
 brain/utility/HandleCors.inc.php | 91 +++++++++++++++++---------------
 1 file changed, 48 insertions(+), 43 deletions(-)
diff --git a/brain/utility/HandleCors.inc.php b/brain/utility/HandleCors.inc.php
index a5a6c7e..86fa7b0 100644
--- a/brain/utility/HandleCors.inc.php
+++ b/brain/utility/HandleCors.inc.php
@@ -2,50 +2,55 @@ class handleCors { - public function __construct() - { - //check settings to see if external api access is allowed - $config = new Settings(); - $settings = $config->getSettings(); - if ($settings["global"]["externalAPI"]) { - //echo "API STATUS: " . $settings["global"]["externalAPI"]; - if ($settings["global"]["externalAPI"] == "true") { - //echo "API ACCESS ACTIVE"; - // checks to see if origin is set - if (isset($_SERVER["HTTP_ORIGIN"])) { - // You can decide if the origin in $_SERVER['HTTP_ORIGIN'] is something you want to allow, or as we do here, just allow all - header("Access-Control-Allow-Origin: {$_SERVER["HTTP_ORIGIN"]}"); + public function __construct() + { + //look to see if settings file exists. kinda important + if (file_exists("../config/settings.json")) { + //check settings to see if external api access is allowed + $config = new Settings(); + $settings = $config->getSettings(); + if ($settings["global"]["externalAPI"]) { + //echo "API STATUS: " . $settings["global"]["externalAPI"]; + if ($settings["global"]["externalAPI"] == "true") { + //echo "API ACCESS ACTIVE"; + // checks to see if origin is set + if (isset($_SERVER["HTTP_ORIGIN"])) { + // You can decide if the origin in $_SERVER['HTTP_ORIGIN'] is something you want to allow, or as we do here, just allow all + header("Access-Control-Allow-Origin: {$_SERVER["HTTP_ORIGIN"]}"); + } else { + //No HTTP_ORIGIN set, so we allow any. 
You can disallow if needed here + //never allow just any domain, so turn CORS off if no No HTTP_ORIGIN is set + //header("Access-Control-Allow-Origin: *"); + } + + header("Access-Control-Allow-Credentials: true"); + header("Access-Control-Max-Age: 600"); // cache for 10 minutes + + if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") { + if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) { + header( + "Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT" + ); + } //Make sure you remove those you do not want to support + + if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) { + header( + "Access-Control-Allow-Headers: {$_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]}" + ); + } + + //Just exit with 200 OK with the above headers for OPTIONS method + exit(0); + } + } else { + //echo "API ACCESS ACTIVE"; + } + } else { + //value doesn't exist, so whatevs + //echo "API ACCESS VALUE NOT PRESENT"; + } } else { - //No HTTP_ORIGIN set, so we allow any. You can disallow if needed here - //never allow just any domain, so turn CORS off if no No HTTP_ORIGIN is set - //header("Access-Control-Allow-Origin: *"); + //init state, so chill } - - header("Access-Control-Allow-Credentials: true"); - header("Access-Control-Max-Age: 600"); // cache for 10 minutes - - if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") { - if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) { - header( - "Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT" - ); - } //Make sure you remove those you do not want to support - - if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) { - header( - "Access-Control-Allow-Headers: {$_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]}" - ); - } - - //Just exit with 200 OK with the above headers for OPTIONS method - exit(0); - } - } else { - //echo "API ACCESS ACTIVE"; - } - } else { - //value doesn't exist, so whatevs - //echo "API ACCESS VALUE NOT PRESENT"; } - } }
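Review bot: The re-indented `if (isset($_SERVER["HTTP_ORIGIN"]))` branch still copies whatever Origin the request carries into `Access-Control-Allow-Origin`, and `Access-Control-Allow-Credentials: true` is sent right after it, so with `externalAPI` enabled every origin is treated as a trusted credentialed caller. Compare the header against an explicit list before reflecting it, for example `if (isset($_SERVER["HTTP_ORIGIN"]) && in_array($_SERVER["HTTP_ORIGIN"], $allowedOrigins, true)) {` followed by `header("Vary: Origin");`, where `$allowedOrigins` is a placeholder for a list the project would have to define (no such setting is visible in this hunk). The credentials, max-age and preflight headers should sit inside that same check, since at present they are emitted even when no Origin is set, and `Access-Control-Allow-Headers` likewise echoes the request's value unfiltered. Separately, the new `file_exists("../config/settings.json")` guard resolves against the working directory rather than this file; if `Settings` locates the file differently the two can disagree, so reusing the path `Settings` itself uses (or anchoring on `__DIR__`) would be safer.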