fix: allow CORS requests for product image move (#10920)

It's required by Nutripatrol to perform image deletion from nutripatrol.openfoodfacts.org @Valimp FYI
openfoodfacts · Oct 22, 2024 · 967a47e · 967a47e
1 parent d56760a
commit 967a47e
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/cgi/product_image_move.pl b/cgi/product_image_move.pl
@@ -28,12 +28,14 @@
 use ProductOpener::Store qw/:all/;
 use ProductOpener::Index qw/:all/;
 use ProductOpener::Display qw/:all/;
+use ProductOpener::HTTP qw/write_cors_headers/;
 use ProductOpener::Lang qw/$lc/;
 use ProductOpener::Tags qw/:all/;
 use ProductOpener::Users qw/$Org_id $Owner_id $User_id %User/;
 use ProductOpener::Images qw/process_image_move/;
 use ProductOpener::Products qw/:all/;
 
+use Apache2::Const -compile => qw(M_OPTIONS);
 use CGI qw/:cgi :form escapeHTML/;
 use URI::Escape::XS;
 use Storable qw/dclone/;
@@ -76,6 +78,18 @@
 $log->debug("parsing code", {user => $User_id, code => $code, cc => $request_ref->{cc}, lc => $lc, ip => remote_addr()})
 	if $log->is_debug();
 
+# Add a CORS header to allow cross-domain requests (especially from Nutripatrol)
+my $r = Apache2::RequestUtil->request();
+# We need to allows credentials (cookies) to authenticate the user
+my $allow_credentials = 1;
+my $sub_domain_only = 1;
+write_cors_headers($allow_credentials, $sub_domain_only);
+
+# If the requests is an OPTIONS request, we return the headers and exit
+if ($r->method_number == Apache2::Const::M_OPTIONS) {
+	exit(0);
+}
+
 if ((not defined $code) or ($code eq '')) {
 
 	$log->warn("no code");