quick patch for CORS check while in site init state
This commit is contained in:
parent
0ec49de8ab
commit
b24f0a6adb
1 changed files with 48 additions and 43 deletions
|
@ -2,50 +2,55 @@
|
||||||
|
|
||||||
class handleCors
|
class handleCors
|
||||||
{
|
{
|
||||||
public function __construct()
|
public function __construct()
|
||||||
{
|
{
|
||||||
//check settings to see if external api access is allowed
|
//look to see if settings file exists. kinda important
|
||||||
$config = new Settings();
|
if (file_exists("../config/settings.json")) {
|
||||||
$settings = $config->getSettings();
|
//check settings to see if external api access is allowed
|
||||||
if ($settings["global"]["externalAPI"]) {
|
$config = new Settings();
|
||||||
//echo "API STATUS: " . $settings["global"]["externalAPI"];
|
$settings = $config->getSettings();
|
||||||
if ($settings["global"]["externalAPI"] == "true") {
|
if ($settings["global"]["externalAPI"]) {
|
||||||
//echo "API ACCESS ACTIVE";
|
//echo "API STATUS: " . $settings["global"]["externalAPI"];
|
||||||
// checks to see if origin is set
|
if ($settings["global"]["externalAPI"] == "true") {
|
||||||
if (isset($_SERVER["HTTP_ORIGIN"])) {
|
//echo "API ACCESS ACTIVE";
|
||||||
// You can decide if the origin in $_SERVER['HTTP_ORIGIN'] is something you want to allow, or as we do here, just allow all
|
// checks to see if origin is set
|
||||||
header("Access-Control-Allow-Origin: {$_SERVER["HTTP_ORIGIN"]}");
|
if (isset($_SERVER["HTTP_ORIGIN"])) {
|
||||||
|
// You can decide if the origin in $_SERVER['HTTP_ORIGIN'] is something you want to allow, or as we do here, just allow all
|
||||||
|
header("Access-Control-Allow-Origin: {$_SERVER["HTTP_ORIGIN"]}");
|
||||||
|
} else {
|
||||||
|
//No HTTP_ORIGIN set, so we allow any. You can disallow if needed here
|
||||||
|
//never allow just any domain, so turn CORS off if no No HTTP_ORIGIN is set
|
||||||
|
//header("Access-Control-Allow-Origin: *");
|
||||||
|
}
|
||||||
|
|
||||||
|
header("Access-Control-Allow-Credentials: true");
|
||||||
|
header("Access-Control-Max-Age: 600"); // cache for 10 minutes
|
||||||
|
|
||||||
|
if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") {
|
||||||
|
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) {
|
||||||
|
header(
|
||||||
|
"Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT"
|
||||||
|
);
|
||||||
|
} //Make sure you remove those you do not want to support
|
||||||
|
|
||||||
|
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) {
|
||||||
|
header(
|
||||||
|
"Access-Control-Allow-Headers: {$_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]}"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
//Just exit with 200 OK with the above headers for OPTIONS method
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
//echo "API ACCESS ACTIVE";
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
//value doesn't exist, so whatevs
|
||||||
|
//echo "API ACCESS VALUE NOT PRESENT";
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
//No HTTP_ORIGIN set, so we allow any. You can disallow if needed here
|
//init state, so chill
|
||||||
//never allow just any domain, so turn CORS off if no No HTTP_ORIGIN is set
|
|
||||||
//header("Access-Control-Allow-Origin: *");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
header("Access-Control-Allow-Credentials: true");
|
|
||||||
header("Access-Control-Max-Age: 600"); // cache for 10 minutes
|
|
||||||
|
|
||||||
if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") {
|
|
||||||
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) {
|
|
||||||
header(
|
|
||||||
"Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT"
|
|
||||||
);
|
|
||||||
} //Make sure you remove those you do not want to support
|
|
||||||
|
|
||||||
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) {
|
|
||||||
header(
|
|
||||||
"Access-Control-Allow-Headers: {$_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]}"
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
//Just exit with 200 OK with the above headers for OPTIONS method
|
|
||||||
exit(0);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
//echo "API ACCESS ACTIVE";
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
//value doesn't exist, so whatevs
|
|
||||||
//echo "API ACCESS VALUE NOT PRESENT";
|
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue