From 2419d205602965bf79bd42300dbac613265a40af Mon Sep 17 00:00:00 2001
From: Lucas Brandstaetter <lucas@brandstaetter.tech>
Date: Mon, 23 Dec 2024 22:18:44 +0100
Subject: [PATCH] Add csp exceptions for voc-player - Add unsafe-eval to the pages with the player Needed until the player removes the unsafe-eval
---
 src/.ruff.toml | 1 +
 src/core/views/sso.py | 2 +-
 src/plainui/views/events.py | 3 +++
 src/plainui/views/general.py | 3 +++
 src/plainui/views/rooms.py | 3 +++
 5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/.ruff.toml b/src/.ruff.toml
index ed08c4a0b..54daa1c3a 100644
--- a/src/.ruff.toml
+++ b/src/.ruff.toml
@@ -93,6 +93,7 @@ section-order = [
 "django_bootstrap5",
 "django_rich",
 "djangorestframework",
+ "csp",
 "modeltranslation",
 "ragelimit",
 "rules",
diff --git a/src/core/views/sso.py b/src/core/views/sso.py
index ec2548512..fb4e9e409 100644
--- a/src/core/views/sso.py
+++ b/src/core/views/sso.py
@@ -2,10 +2,10 @@ import calendar
 import json
 import logging
-from csp.decorators import csp_update
 from oauth2_provider.models import get_access_token_model
 from oauth2_provider.views import AuthorizationView, ClientProtectedScopedResourceView
+from csp.decorators import csp_update
 from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
 from django.http import HttpResponse
diff --git a/src/plainui/views/events.py b/src/plainui/views/events.py
index ed0bffa3f..6a07a4f0d 100644
--- a/src/plainui/views/events.py
+++ b/src/plainui/views/events.py
@@ -5,9 +5,11 @@ __all__ = (
 'UpcomingView',
 )
+from csp.decorators import csp_update
 from django.contrib.contenttypes.models import ContentType
 from django.shortcuts import get_object_or_404
 from django.urls import reverse
+from django.utils.decorators import method_decorator
 from django.views.generic.base import TemplateView
 from core.models import (
@@ -37,6 +39,7 @@ class AssembliesEventsView(ConferenceRequiredMixin, TemplateView):
 return context
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
 class EventView(ConferenceRequiredMixin, TemplateView):
 template_name = 'plainui/event.html.j2'
diff --git a/src/plainui/views/general.py b/src/plainui/views/general.py
index ee3b24ad6..943fa1f60 100644
--- a/src/plainui/views/general.py
+++ b/src/plainui/views/general.py
@@ -10,10 +10,12 @@ __all__ = (
 from datetime import timedelta
+from csp.decorators import csp_update
 from django.contrib.contenttypes.models import ContentType
 from django.shortcuts import get_list_or_404, redirect
 from django.urls import reverse
 from django.utils import timezone
+from django.utils.decorators import method_decorator
 from django.utils.timezone import now
 from django.views.generic.base import TemplateView
@@ -58,6 +60,7 @@ class LandingView(ConferenceRequiredMixin, TemplateView):
 return context
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
 class IndexView(ConferenceRequiredMixin, TemplateView):
 template_name = 'plainui/index.html.j2'
diff --git a/src/plainui/views/rooms.py b/src/plainui/views/rooms.py
index 689660b79..503c38738 100644
--- a/src/plainui/views/rooms.py
+++ b/src/plainui/views/rooms.py
@@ -4,9 +4,11 @@ __all__ = (
 )
+from csp.decorators import csp_update
 from django.contrib import messages
 from django.db.models import QuerySet
 from django.http import HttpResponseRedirect
+from django.utils.decorators import method_decorator
 from django.utils.translation import gettext
 from django.views.generic import DetailView
@@ -24,6 +26,7 @@ from plainui.views.utils import (
 )
+@method_decorator(csp_update(SCRIPT_SRC="'unsafe-eval'"), name='get')
 class RoomView(ConferenceRequiredMixin, DetailView):
 model = Room
 template_name = 'plainui/room.html.j2'
--
GitLab
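Review bot: The `'unsafe-eval'` exemption on EventView is a bare literal, repeated in the IndexView and RoomView hunks, and nothing in the code says why it exists or that it is temporary; only the commit message does. The relaxation covers the whole `script-src` of each page, not just the player, so on these three pages (including the index) CSP no longer stops an injected script from using `eval()` or `Function()`. I would define it once next to the other shared view helpers (`plainui/views/utils.py`, if that fits) as `# voc-player still needs eval(); remove once the player drops it` above `voc_player_csp = csp_update(SCRIPT_SRC="'unsafe-eval'")`, and decorate with `@method_decorator(voc_player_csp, name='get')`, so that removing it later is a single grep. The class bodies continue outside the hunks, so I cannot tell whether any of these views also renders the player template from a handler other than `get`; such a response would keep the strict policy and the player would break there.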