From 2419d205602965bf79bd42300dbac613265a40af Mon Sep 17 00:00:00 2001
From: Lucas Brandstaetter <lucas@brandstaetter.tech>
Date: Mon, 23 Dec 2024 22:18:44 +0100
Subject: [PATCH] Add csp exceptions for voc-player
- Add unsafe-eval to the pages with the player
Needed until the player removes the unsafe-eval
---
src/.ruff.toml | 1 +
src/core/views/sso.py | 2 +-
src/plainui/views/events.py | 3 +++
src/plainui/views/general.py | 3 +++
src/plainui/views/rooms.py | 3 +++
5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/.ruff.toml b/src/.ruff.toml
index ed08c4a0b..54daa1c3a 100644
--- a/src/.ruff.toml
+++ b/src/.ruff.toml
@@ -93,6 +93,7 @@ section-order = [
"django_bootstrap5",
"django_rich",
"djangorestframework",
+ "csp",
"modeltranslation",
"ragelimit",
"rules",
diff --git a/src/core/views/sso.py b/src/core/views/sso.py
index ec2548512..fb4e9e409 100644
--- a/src/core/views/sso.py
+++ b/src/core/views/sso.py
@@ -2,10 +2,10 @@ import calendar
import json
import logging
-from csp.decorators import csp_update
from oauth2_provider.models import get_access_token_model
from oauth2_provider.views import AuthorizationView, ClientProtectedScopedResourceView
+from csp.decorators import csp_update
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.http import HttpResponse
diff --git a/src/plainui/views/events.py b/src/plainui/views/events.py
index ed0bffa3f..6a07a4f0d 100644
--- a/src/plainui/views/events.py
+++ b/src/plainui/views/events.py
@@ -5,9 +5,11 @@ __all__ = (
'UpcomingView',
)
+from csp.decorators import csp_update
from django.contrib.contenttypes.models import ContentType
from django.shortcuts import get_object_or_404
from django.urls import reverse
+from django.utils.decorators import method_decorator
from django.views.generic.base import TemplateView
from core.models import (
@@ -37,6 +39,7 @@ class AssembliesEventsView(ConferenceRequiredMixin, TemplateView):
return context
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
class EventView(ConferenceRequiredMixin, TemplateView):
template_name = 'plainui/event.html.j2'
diff --git a/src/plainui/views/general.py b/src/plainui/views/general.py
index ee3b24ad6..943fa1f60 100644
--- a/src/plainui/views/general.py
+++ b/src/plainui/views/general.py
@@ -10,10 +10,12 @@ __all__ = (
from datetime import timedelta
+from csp.decorators import csp_update
from django.contrib.contenttypes.models import ContentType
from django.shortcuts import get_list_or_404, redirect
from django.urls import reverse
from django.utils import timezone
+from django.utils.decorators import method_decorator
from django.utils.timezone import now
from django.views.generic.base import TemplateView
@@ -58,6 +60,7 @@ class LandingView(ConferenceRequiredMixin, TemplateView):
return context
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
class IndexView(ConferenceRequiredMixin, TemplateView):
template_name = 'plainui/index.html.j2'
diff --git a/src/plainui/views/rooms.py b/src/plainui/views/rooms.py
index 689660b79..503c38738 100644
--- a/src/plainui/views/rooms.py
+++ b/src/plainui/views/rooms.py
@@ -4,9 +4,11 @@ __all__ = (
)
+from csp.decorators import csp_update
from django.contrib import messages
from django.db.models import QuerySet
from django.http import HttpResponseRedirect
+from django.utils.decorators import method_decorator
from django.utils.translation import gettext
from django.views.generic import DetailView
@@ -24,6 +26,7 @@ from plainui.views.utils import (
)
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
class RoomView(ConferenceRequiredMixin, DetailView):
model = Room
template_name = 'plainui/room.html.j2'
--
GitLab