Use allowed methods from view function #303
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allowed methods are used in the following hierarchy: 1) methods parameter of cross_origin decorator 2) methods parameter of view function route 3) resource or app level configuration
amCap1712
commented
Jan 1, 2022
| @@ -38,8 +48,7 @@ def test_defaults(self): | |||
| self.assertFalse(ACL_METHODS in self.get('/defaults', origin='www.example.com').headers) | |||
| self.assertFalse(ACL_METHODS in self.head('/defaults', origin='www.example.com').headers) | |||
| res = self.preflight('/defaults', 'POST', origin='www.example.com') | |||
| for method in ALL_METHODS: | |||
| self.assertTrue(method in res.headers.get(ACL_METHODS)) | |||
| self.assertIsNone(res.headers.get(ACL_METHODS)) | |||
There was a problem hiding this comment.
This is backward incompatible. Earlier if the cross_origin decorator had no methods specified all the methods from the default or app level configuration would be used but now the methods will be restricted to what the view supports.
amCap1712
commented
Jan 1, 2022
| def index2(): | ||
| return 'Welcome 2' | ||
|
|
||
| res = self.preflight('/', 'GET', origin='www.example.com') |
There was a problem hiding this comment.
This change is also backward incompatible in a way that instead of default or level configuration, methods from view function are used.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allowed methods are used in the following hierarchy:
I tried to implement this in
set_cors_headersbut couldn't because it is called from both decorator and extension. In the case of the decorator, we do not want to use the methods from view function if the decorator had those specified but in case of extension we want to use it always.flask-cors/flask_cors/core.py
Line 224 in 24c45ce
This change is not backward compatible, see PR comments for details.
I am not sure this change is always desirable. With this patch, the view level methods always override resource level configuration. If we have a bunch of views supporting POST and GET methods; and have used resource level configuration to restrict the access control method to GET. With this PR, the view methods will expose those views to POST as well.
Input on how to improve this is appreciated.
Fixes #228