From 6b76cf5dc763a4e99a985a8b6e92a8fdab72df22 Mon Sep 17 00:00:00 2001
From: James Brooks <jbrooksuk@me.com>
Date: Sat, 20 Dec 2014 18:30:48 +0000
Subject: [PATCH] Access-Control-Allow-Origin setting works. Closes #72

---
 app/filters.php                        |  1 +
 app/filters/AllowedDomainsFilter.php   | 19 +++++++++++++++++++
 app/routes/api.php                     |  6 +++++-
 app/routes/app.php                     |  2 +-
 app/views/dashboard/settings.blade.php |  4 ----
 5 files changed, 26 insertions(+), 6 deletions(-)
 create mode 100644 app/filters/AllowedDomainsFilter.php

diff --git a/app/filters.php b/app/filters.php
index 58f2c2d1..9c93c05d 100644
--- a/app/filters.php
+++ b/app/filters.php
@@ -3,6 +3,7 @@
 Route::filter('is_setup', 'IsSetupFilter');
 Route::filter('has_setting', 'HasSettingFilter');
 Route::filter('cors', 'CORSFilter');
+Route::filter('allowed_domains', 'AllowedDomainsFilter');
 
 /*
 |--------------------------------------------------------------------------
diff --git a/app/filters/AllowedDomainsFilter.php b/app/filters/AllowedDomainsFilter.php
new file mode 100644
index 00000000..feedbe4c
--- /dev/null
+++ b/app/filters/AllowedDomainsFilter.php
@@ -0,0 +1,19 @@
+<?php
+
+class AllowedDomainsFilter {
+    public function filter($route, $request, $response) {
+    	// Always allow our own domain.
+    	$ourDomain = Setting::get('app_domain');
+        $response->headers->set('Access-Control-Allow-Origin', $ourDomain);
+
+        // Should we allow anyone else?
+    	if ($setting = Setting::get('allowed_domains')) {
+    		$domains = explode(',', $setting);
+    		foreach ($domains as $domain) {
+		        $response->headers->set('Access-Control-Allow-Origin', $domain);
+    		}
+    	}
+
+        return $response;
+    }
+}
diff --git a/app/routes/api.php b/app/routes/api.php
index 47763cf8..d3fac4d1 100644
--- a/app/routes/api.php
+++ b/app/routes/api.php
@@ -1,6 +1,10 @@
 <?php
 
-Route::api(['version' => 'v1', 'namespace' => 'CachetHQ\Cachet\Controllers\Api'], function() {
+Route::api([
+    'version'   => 'v1',
+    'namespace' => 'CachetHQ\Cachet\Controllers\Api',
+    'after'     => 'allowed_domains'
+], function() {
     Route::get('components', 'ComponentController@getComponents');
     Route::get('components/{id}', 'ComponentController@getComponent');
     Route::get('components/{id}/incidents', 'ComponentController@getComponentIncidents');
diff --git a/app/routes/app.php b/app/routes/app.php
index f74a0179..282a3619 100644
--- a/app/routes/app.php
+++ b/app/routes/app.php
@@ -7,7 +7,7 @@ Route::group(['before' => 'has_setting:app_name'], function() {
 });
 
 // Setup route.
-Route::group(['before' => 'no_setup:app_name'], function() {
+Route::group(['before' => 'is_setup'], function() {
     Route::controller('/setup', 'SetupController');
 });
 
diff --git a/app/views/dashboard/settings.blade.php b/app/views/dashboard/settings.blade.php
index 6817a818..2482efdb 100644
--- a/app/views/dashboard/settings.blade.php
+++ b/app/views/dashboard/settings.blade.php
@@ -30,10 +30,6 @@
 						<label>Allowed Domains <em>Comma Seperated</em></label>
 						<textarea class='form-control' name='allowed_domains' rows='5' placeholder='http://cachet.io, http://cachet.herokuapp.com'>{{ Setting::get('allowed_domains') }}</textarea>
 					</div>
-					<div class='form-group'>
-						<label>Disallowed Domains <em>Comma Seperated</em></label>
-						<textarea class='form-control' name='disallowed_domains' rows='5' placeholder='http://cachetfake.io, http://cachetfake.herokuapp.com'>{{ Setting::get('disallowed_domains') }}</textarea>
-					</div>
 				</fieldset>
 
 				<h3>Mail</h3>