From 2419d205602965bf79bd42300dbac613265a40af Mon Sep 17 00:00:00 2001
From: Lucas Brandstaetter <lucas@brandstaetter.tech>
Date: Mon, 23 Dec 2024 22:18:44 +0100
Subject: [PATCH] Add csp exceptions for voc-player

- Add unsafe-eval to the pages with the player
  Needed until the player no longer requires unsafe-eval
---
 src/.ruff.toml               | 1 +
 src/core/views/sso.py        | 2 +-
 src/plainui/views/events.py  | 3 +++
 src/plainui/views/general.py | 3 +++
 src/plainui/views/rooms.py   | 3 +++
 5 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/.ruff.toml b/src/.ruff.toml
index ed08c4a0b..54daa1c3a 100644
--- a/src/.ruff.toml
+++ b/src/.ruff.toml
@@ -93,6 +93,7 @@ section-order = [
     "django_bootstrap5",
     "django_rich",
     "djangorestframework",
+    "csp",
     "modeltranslation",
     "ragelimit",
     "rules",
diff --git a/src/core/views/sso.py b/src/core/views/sso.py
index ec2548512..fb4e9e409 100644
--- a/src/core/views/sso.py
+++ b/src/core/views/sso.py
@@ -2,10 +2,10 @@ import calendar
 import json
 import logging
 
-from csp.decorators import csp_update
 from oauth2_provider.models import get_access_token_model
 from oauth2_provider.views import AuthorizationView, ClientProtectedScopedResourceView
 
+from csp.decorators import csp_update
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
 from django.http import HttpResponse
diff --git a/src/plainui/views/events.py b/src/plainui/views/events.py
index ed0bffa3f..6a07a4f0d 100644
--- a/src/plainui/views/events.py
+++ b/src/plainui/views/events.py
@@ -5,9 +5,11 @@ __all__ = (
     'UpcomingView',
 )
 
+from csp.decorators import csp_update
 from django.contrib.contenttypes.models import ContentType
 from django.shortcuts import get_object_or_404
 from django.urls import reverse
+from django.utils.decorators import method_decorator
 from django.views.generic.base import TemplateView
 
 from core.models import (
@@ -37,6 +39,7 @@ class AssembliesEventsView(ConferenceRequiredMixin, TemplateView):
         return context
 
 
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
 class EventView(ConferenceRequiredMixin, TemplateView):
     template_name = 'plainui/event.html.j2'
 
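Review bot: The `csp_update(SCRIPT_SRC="'unsafe-eval'")` decorator on `EventView` carries no in-code record of why the exception exists or when it can be dropped, and the same literal is repeated on `IndexView` (general.py) and `RoomView` (rooms.py). `'unsafe-eval'` applies to every script on the response, not only the player, so string-to-code sinks (`eval`, `new Function`, string `setTimeout`) are permitted again on these pages and the policy no longer stops an injection that reaches one. I would define the exception once, e.g. `allow_voc_player_eval = method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')` in a shared module such as `plainui.views.utils`, with the comment `# TODO: remove once voc-player no longer needs eval; relaxes script-src for the whole page`, and apply that name to the three views. It is also worth confirming that each of the three templates actually embeds the player, since the class bodies continue outside these hunks and the templates are not shown.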
diff --git a/src/plainui/views/general.py b/src/plainui/views/general.py
index ee3b24ad6..943fa1f60 100644
--- a/src/plainui/views/general.py
+++ b/src/plainui/views/general.py
@@ -10,10 +10,12 @@ __all__ = (
 
 from datetime import timedelta
 
+from csp.decorators import csp_update
 from django.contrib.contenttypes.models import ContentType
 from django.shortcuts import get_list_or_404, redirect
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.decorators import method_decorator
 from django.utils.timezone import now
 from django.views.generic.base import TemplateView
 
@@ -58,6 +60,7 @@ class LandingView(ConferenceRequiredMixin, TemplateView):
         return context
 
 
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
 class IndexView(ConferenceRequiredMixin, TemplateView):
     template_name = 'plainui/index.html.j2'
 
diff --git a/src/plainui/views/rooms.py b/src/plainui/views/rooms.py
index 689660b79..503c38738 100644
--- a/src/plainui/views/rooms.py
+++ b/src/plainui/views/rooms.py
@@ -4,9 +4,11 @@ __all__ = (
 )
 
 
+from csp.decorators import csp_update
 from django.contrib import messages
 from django.db.models import QuerySet
 from django.http import HttpResponseRedirect
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext
 from django.views.generic import DetailView
 
@@ -24,6 +26,7 @@ from plainui.views.utils import (
 )
 
 
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
 class RoomView(ConferenceRequiredMixin, DetailView):
     model = Room
     template_name = 'plainui/room.html.j2'
-- 
GitLab