Allow CORS on the API for all Foodsoft scopes

foodcoops · May 25, 2016 · 3af331d · 3af331d
1 parent dc3e78d
commit 3af331d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/config/app_config.yml.SAMPLE b/config/app_config.yml.SAMPLE
@@ -6,6 +6,7 @@ default: &defaults
   multi_coop_install: false
 
   # If multi_coop_install you have to use a coop name, which you you wanna be selected by default
+  # Please use basic characters for scope names, matching /[-a-zA-Z0-9_]+/
   default_scope: 'f'
 
   # name of this foodcoop

diff --git a/config/application.rb b/config/application.rb
@@ -48,7 +48,7 @@ class Application < Rails::Application
     # parameters by using an attr_accessible or attr_protected declaration.
     # TODO Re-activate this. Uncommenting this line will currently cause rspec to fail.
     config.active_record.whitelist_attributes = false
-    
+
     # Enable the asset pipeline
     config.assets.enabled = true
 
@@ -66,8 +66,8 @@ class Application < Rails::Application
     config.middleware.insert_before 0, "Rack::Cors" do
       allow do
         origins '*'
-        # @todo allow any scope
-        resource '/f/api/v1/*', :headers => :any, :methods => :any
+        # this restricts Foodsoft scopes to certain characters - let's discuss it when it becomes an actual problem
+        resource %r{\A/[-a-zA-Z0-9_]+/api/v1/}, :headers => :any, :methods => :any
       end
     end
   end