
f092bf11beddde3e4c63d957f85a40c7629d1310 — Mathias Rav 6 years ago 65f4c19
Set X-Frame-Options: SAMEORIGIN on preview

If a project has X_FRAME_OPTIONS = 'DENY' in its settings,
then the preview iframe is not shown. Simply force X-Frame-Options
to be SAMEORIGIN to avoid this problem.
2 files changed, 22 insertions(+), 2 deletions(-)

M src/wiki/views/article.py
M tests/core/test_views.py
M src/wiki/views/article.py => src/wiki/views/article.py +2 -0
@@ 15,6 15,7 @@ from django.views.generic import DetailView
from django.views.generic.base import RedirectView, TemplateView, View
from django.views.generic.edit import FormView
from django.views.generic.list import ListView
from django.views.decorators.clickjacking import xframe_options_sameorigin
from wiki import editors, forms, models
from wiki.conf import settings
from wiki.core import permissions


@@ 822,6 823,7 @@ class Preview(ArticleMixin, TemplateView):

    template_name = "wiki/preview_inline.html"

    @method_decorator(xframe_options_sameorigin)
    @method_decorator(get_article(can_read=True, deleted_contents=True))
    def dispatch(self, request, article, *args, **kwargs):
        revision_id = request.GET.get('r', None)
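Review bot: The new line `@method_decorator(xframe_options_sameorigin)` carries no comment saying why this single view opts out of the site-wide frame policy, so a maintainer running with `X_FRAME_OPTIONS = 'DENY'` will read it as an accidental weakening; suggest placing `# The preview is loaded in an iframe on the edit page; a site-wide X_FRAME_OPTIONS = 'DENY' would blank it, so this view answers SAMEORIGIN.` directly above it. Django's `xframe_options_sameorigin` only writes the header when the response does not already carry one, so it does not strictly "force" the value as the commit message says — it relies on nothing earlier in the view having set it. Keeping it as the outermost decorator means the 403 and redirect responses produced by `get_article` also get the header, which looks intended but is worth stating in that comment. The import added in the first hunk sits after the `django.views.generic.*` imports; alphabetical placement would put `django.views.decorators.clickjacking` before them. `dispatch`'s body continues outside the hunk.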

M tests/core/test_views.py => tests/core/test_views.py +20 -2
@@ 269,11 269,11 @@ class MoveViewTest(RequireRootArticleMixin, ArticleWebTestUtils, DjangoClientTes

        response = self.get_by_path('test0/test2/')
        self.assertContains(response, 'Moved: Test1')
        self.assertRegex(response.content, br'moved to <a[^>]*>wiki:/test1new/')
        self.assertRegex(response.rendered_content, r'moved to <a[^>]*>wiki:/test1new/')

        response = self.get_by_path('test0/test2/test020/')
        self.assertContains(response, 'Moved: Test020')
        self.assertRegex(response.content, br'moved to <a[^>]*>wiki:/test1new/test020')
        self.assertRegex(response.rendered_content, r'moved to <a[^>]*>wiki:/test1new/test020')

        # Check that moved_to was correctly set
        urlsrc = URLPath.get_by_path('/test0/test2/')


@@ 348,6 348,24 @@ class EditViewTest(RequireRootArticleMixin, ArticleWebTestUtils, DjangoClientTes

        self.assertContains(response, 'The modified text')

    def test_preview_xframe_options_sameorigin(self):
        """Ensure that preview response has X-Frame-Options: SAMEORIGIN"""

        example_data = {
            'content': 'The modified text',
            'current_revision': str(URLPath.root().article.current_revision.id),
            'preview': '1',
            'summary': 'why edited',
            'title': 'wiki test'
        }

        response = self.client.post(
            resolve_url('wiki:preview', path=''),
            example_data
        )

        self.assertEquals(response.get('X-Frame-Options'), 'SAMEORIGIN')

    def test_revision_conflict(self):
        """
        Test the warning if the same article is being edited concurrently.
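Review bot: `self.assertEquals(response.get('X-Frame-Options'), 'SAMEORIGIN')` checks the header but never checks that the preview rendered; because the decorator is outermost, a 403 or redirect from `get_article` would carry the same header and the test would still pass, so add `self.assertEqual(response.status_code, 200)` before it. Use `assertEqual` rather than `assertEquals`, which is the deprecated alias and is removed in Python 3.12. The test also runs under whatever `X_FRAME_OPTIONS` the test settings use, so it does not demonstrate the `DENY` case the commit describes; decorating it with `@override_settings(X_FRAME_OPTIONS='DENY')` (from `django.test`, if the file does not already import it) would make the test fail without the fix. The `rendered_content`/`r'...'` replacements in the earlier hunk of this file are unrelated to the commit title and would be easier to review as their own commit.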