From: Nizamudeen A Date: Mon, 28 Aug 2023 05:15:28 +0000 (+0530) Subject: mgr/dashboard: allow CORS for unauthorized access X-Git-Tag: v19.0.0~593^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=8158bdab7134714dc2a9f155e599cc2838c3358d;p=ceph.git mgr/dashboard: allow CORS for unauthorized access Fixes: https://tracker.ceph.com/issues/62612 Signed-off-by: Nizamudeen A
---
diff --git a/src/pybind/mgr/dashboard/services/auth.py b/src/pybind/mgr/dashboard/services/auth.py
index 8ae897cebd8d4..f13963abffdd4 100644
--- a/src/pybind/mgr/dashboard/services/auth.py
+++ b/src/pybind/mgr/dashboard/services/auth.py
@@ -183,6 +183,16 @@ class AuthManagerTool(cherrypy.Tool):
 if user:
 self._check_authorization(user.username)
 return
+
+ resp_head = cherrypy.response.headers
+ req_head = cherrypy.request.headers
+ req_header_cross_origin_url = req_head.get('Access-Control-Allow-Origin')
+ cross_origin_urls = mgr.get_module_option('cross_origin_url', '')
+ cross_origin_url_list = [url.strip() for url in cross_origin_urls.split(',')]
+
+ if req_header_cross_origin_url in cross_origin_url_list:
+ resp_head['Access-Control-Allow-Origin'] = req_header_cross_origin_url
+
 self.logger.debug('Unauthorized access to %s',
 cherrypy.url(relative='server'))
 raise cherrypy.HTTPError(401, 'You are not authorized to access '
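Review bot: The allow-list lookup in the added block reads the caller's origin from a request header named `Access-Control-Allow-Origin`, which is a response header; browsers announce the calling origin in `Origin`, so for ordinary browser traffic this branch likely never matches and the 401 still goes out without a CORS header. Unless the frontend deliberately sends that header, the lookup should be `req_header_cross_origin_url = req_head.get('Origin')`. With the default `''` option the split also yields `['']`, so an empty header value would match and be echoed back; dropping blanks with `[url.strip() for url in cross_origin_urls.split(',') if url.strip()]` avoids that. Because the echoed value depends on the request, a `Vary: Origin` response header is worth adding for any cache in front of the dashboard. The enclosing method starts above the hunk and the `raise` continues below it, so how the header survives the `HTTPError` is not visible here.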