Quick patch for CORS check while in init state

Ro 2021-08-02 12:53:36 -07:00
commit 3c3f2a0881


@ -2,50 +2,55 @@
class handleCors class handleCors
{ {
public function __construct() public function __construct()
{ {
//check settings to see if external api access is allowed //look to see if settings file exists. kinda important
$config = new Settings(); if (file_exists("../config/settings.json")) {
$settings = $config->getSettings(); //check settings to see if external api access is allowed
if ($settings["global"]["externalAPI"]) { $config = new Settings();
//echo "API STATUS: " . $settings["global"]["externalAPI"]; $settings = $config->getSettings();
if ($settings["global"]["externalAPI"] == "true") { if ($settings["global"]["externalAPI"]) {
//echo "API ACCESS ACTIVE"; //echo "API STATUS: " . $settings["global"]["externalAPI"];
// checks to see if origin is set if ($settings["global"]["externalAPI"] == "true") {
if (isset($_SERVER["HTTP_ORIGIN"])) { //echo "API ACCESS ACTIVE";
// You can decide if the origin in $_SERVER['HTTP_ORIGIN'] is something you want to allow, or as we do here, just allow all // checks to see if origin is set
header("Access-Control-Allow-Origin: {$_SERVER["HTTP_ORIGIN"]}"); if (isset($_SERVER["HTTP_ORIGIN"])) {
// You can decide if the origin in $_SERVER['HTTP_ORIGIN'] is something you want to allow, or as we do here, just allow all
header("Access-Control-Allow-Origin: {$_SERVER["HTTP_ORIGIN"]}");
} else {
//No HTTP_ORIGIN set, so we allow any. You can disallow if needed here
//never allow just any domain, so turn CORS off if no No HTTP_ORIGIN is set
//header("Access-Control-Allow-Origin: *");
}
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Max-Age: 600"); // cache for 10 minutes
if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") {
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) {
header(
"Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT"
);
} //Make sure you remove those you do not want to support
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) {
header(
"Access-Control-Allow-Headers: {$_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]}"
);
}
//Just exit with 200 OK with the above headers for OPTIONS method
exit(0);
}
} else {
//echo "API ACCESS ACTIVE";
}
} else {
//value doesn't exist, so whatevs
//echo "API ACCESS VALUE NOT PRESENT";
}
} else { } else {
//No HTTP_ORIGIN set, so we allow any. You can disallow if needed here //init state, so chill
//never allow just any domain, so turn CORS off if no No HTTP_ORIGIN is set
//header("Access-Control-Allow-Origin: *");
} }
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Max-Age: 600"); // cache for 10 minutes
if ($_SERVER["REQUEST_METHOD"] == "OPTIONS") {
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_METHOD"])) {
header(
"Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT"
);
} //Make sure you remove those you do not want to support
if (isset($_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"])) {
header(
"Access-Control-Allow-Headers: {$_SERVER["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"]}"
);
}
//Just exit with 200 OK with the above headers for OPTIONS method
exit(0);
}
} else {
//echo "API ACCESS ACTIVE";
}
} else {
//value doesn't exist, so whatevs
//echo "API ACCESS VALUE NOT PRESENT";
} }
}
} }
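Review bot: In the `isset($_SERVER["HTTP_ORIGIN"])` branch the new code still copies the request's Origin straight into `Access-Control-Allow-Origin`, and `Access-Control-Allow-Credentials: true` follows unconditionally, so with `externalAPI` enabled every origin is trusted for credentialed requests. Gate the reflection on a configured allowlist, e.g. `if (isset($_SERVER["HTTP_ORIGIN"]) && in_array($_SERVER["HTTP_ORIGIN"], $allowedOrigins, true)) {`, where `$allowedOrigins` is a placeholder for a list read from settings (no such key is visible here), and send the credentials header plus `header("Vary: Origin");` only inside that branch. The preflight block likewise reflects `HTTP_ACCESS_CONTROL_REQUEST_HEADERS` into `Access-Control-Allow-Headers`; a fixed list of the headers the API actually accepts would be tighter. Separately, `file_exists("../config/settings.json")` resolves against the working directory of the entry script, so anchoring it on `__DIR__` would make the init-state check more robust; the correct relative path is not visible on this page.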