NPO-Accounting/houdini
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add framing of /donate and /btn

Browse source
This commit is contained in:
Eric Schultz 2021-05-19 15:36:57 -05:00 committed by Eric Schultz
parent a69c5256a4
commit 63c40ccba7
3 changed files with 37 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
app/controllers/concerns/controllers/x_frame.rb Normal file
View file

@ -0,0 +1,16 @@
# frozen_string_literal: true
# License: AGPL-3.0-or-later WITH WTO-AP-3.0-or-later
# Full license explanation at https://github.com/houdiniproject/houdini/blob/master/LICENSE
module Controllers::XFrame
extend ActiveSupport::Concern
included do
private
# allows the page to be put in a frame, i.e. remove the X-Frame-Options header
def allow_framing
response.headers.delete('X-Frame-Options') if response.headers.has_key?('X-Frame-Options')
end
end
end

4
app/controllers/nonprofits_controller.rb
View file

@ -5,11 +5,15 @@
class NonprofitsController < ApplicationController
include Controllers::Nonprofit::Current
include Controllers::Nonprofit::Authorization
include Controllers::XFrame
helper_method :current_nonprofit_user?
before_action :authenticate_nonprofit_user!, only: %i[dashboard dashboard_metrics dashboard_todos payment_history profile_todos recurring_donation_stats update verify_identity]
before_action :authenticate_super_admin!, if: proc {|c| ( c.action_name == "destroy") || (c.action_name == "show" && !current_nonprofit.published) }
# we have to allow nonprofits/:id/donation and nonprofits/:id/btn to be framed
after_action :allow_framing, only: %i[donate btn]
# get /nonprofits/:id
# get /:state_code/:city/:name
def show

17
spec/controllers/nonprofits_spec.rb
View file

@ -76,4 +76,21 @@ describe NonprofitsController, type: :controller do
end
end
end
describe '#donate' do
let(:nonprofit) { force_create(:nm_justice) }
it 'allows being put into a frame by not setting X-Frame-Options header' do
get :donate, params: {id: nonprofit.id}
expect(response.headers).to_not include 'X-Frame-Options'
end
end
describe '#btn' do
let(:nonprofit) { force_create(:nm_justice) }
it 'allows being put into a frame by not setting X-Frame-Options header' do
get :btn, params: {id: nonprofit.id}
expect(response.headers).to_not include 'X-Frame-Options'
end
end
end