Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't require authorization for OPTIONS #8

Merged
merged 2 commits into from
Aug 9, 2017
Merged

Don't require authorization for OPTIONS #8

merged 2 commits into from
Aug 9, 2017

Conversation

imtayadeway
Copy link
Contributor

CORS states that no authorization should be done in pre-flight
requests. For the problematic Container Deployments collection, we
will now render the sensitive data if authorized, but don't require
authorization, rendering no data if none is stipulated.

@miq-bot add-label bug
@miq-bot assign @abellotti

/cc @jntullo

@imtayadeway
Don't require authorization for OPTIONS
0710b6a 
CORS states that no authorization should be done in pre-flight
requests. For the problematic Container Deployments collection, we
will now render the sensitive data if authorized, but don't require
authorization, rendering no data if none is stipulated.
@abellotti abellotti self-assigned this Aug 9, 2017
@imtayadeway imtayadeway mentioned this pull request Aug 9, 2017
Closed
abellotti
abellotti reviewed Aug 9, 2017
View reviewed changes
app/controllers/api/container_deployments_controller.rb Outdated
render_options(:container_deployments, ContainerDeploymentService.new.all_data)
if [HttpHeaders::MIQ_TOKEN, HttpHeaders::AUTH_TOKEN, "HTTP_AUTHORIZATION"].any? { |header| request.headers.include?(header) }
require_api_user_or_token
render_options(:container_deployments, ContainerDeploymentService.new.all_data)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice @imtayadeway !!

Can we move the logic in line 12 to a method in base_controller/authentication.rb ? maybe something like request_includes_authentication. Thanks.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could, although personally I think this is an anti-pattern and I don't want to promote re-use of it. I could extract a private method in this controller if you think this would be better?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you don't mind, private method for now would be good. Thanks!!

@abellotti
Copy link
Member

Thanks @imtayadeway for the update 🎵

will merge when 🍏

@abellotti abellotti added the bug label Aug 9, 2017
@abellotti abellotti added this to the Sprint 67 Ending Aug 21, 2017 milestone Aug 9, 2017
@abellotti abellotti merged commit 254d7d8 into ManageIQ:master Aug 9, 2017
@imtayadeway imtayadeway deleted the fix/cors-authentication branch January 12, 2018 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abellotti abellotti abellotti left review comments

Assignees

@abellotti abellotti

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@imtayadeway @abellotti