From 8a838aa4bd5e051ac34f2645221c1e4364008db5 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Fri, 7 Oct 2016 02:51:08 +0100
Subject: [PATCH] Added decorator for X-Frame header
---
 PyRIGS/decorators.py | 11 +++++++++++
 RIGS/urls.py | 6 +++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/PyRIGS/decorators.py b/PyRIGS/decorators.py
index 4af93097..065ce853 100644
--- a/PyRIGS/decorators.py
+++ b/PyRIGS/decorators.py
@@ -4,6 +4,17 @@ from django.template import RequestContext
 from django.http import HttpResponseRedirect
 from django.core.urlresolvers import reverse
+def allow_embed():
+    # using django.views.decorators.clickjacking.xframe_options_exempt removes the header
+    # Safari has differnet defaults to other browsers, so we have to set it explicitly
+    def headers_wrapper(fun):
+        def wrapped_function(*args, **kwargs):
+            response = fun(*args, **kwargs)
+            response['X-Frame-Options'] = "ALLOW"
+            return response
+        return wrapped_function
+    return headers_wrapper
+
 def user_passes_test_with_403(test_func, login_url=None, oembed_view=None):
     """
     Decorator for views that checks that the user passes the given test.
diff --git a/RIGS/urls.py b/RIGS/urls.py
index 8767d7b9..1383558e 100644
--- a/RIGS/urls.py
+++ b/RIGS/urls.py
@@ -2,10 +2,10 @@ from django.conf.urls import patterns, include, url
 from django.contrib.auth.decorators import login_required
 from RIGS import models, views, rigboard, finance, ical, versioning, forms
 from django.views.generic import RedirectView
-from django.views.decorators.clickjacking import xframe_options_exempt
 from PyRIGS.decorators import permission_required_with_403
 from PyRIGS.decorators import api_key_required
+from PyRIGS.decorators import allow_embed
 urlpatterns = patterns('',
     # Examples:
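Review bot: `response['X-Frame-Options'] = "ALLOW"` in allow_embed assigns a value the header does not define — the recognised tokens are DENY, SAMEORIGIN and the deprecated ALLOW-FROM — so how a browser treats it is browser-specific; in the browsers I know an unrecognised value is discarded with a console warning, which is the same outcome as sending no header at all, and that is presumably why the embed appears to work. If the intent is to let particular sites frame login_embed and EventEmbed (the two wrapped views in the RIGS/urls.py hunks), the robust fix is to name those sites with `response['Content-Security-Policy'] = "frame-ancestors <allowed-origins>"` (placeholder for the real embedding origins) and not emit X-Frame-Options for those responses, since a login form framable from any origin is exactly the clickjacking exposure the header exists to prevent. Independently, `wrapped_function` should carry `@functools.wraps(fun)` so the decorated view keeps its name and attributes for debugging and introspection, and because allow_embed takes no arguments it could be the decorator itself rather than a factory, removing the extra `()` in `allow_embed()(...)`. The comment also misspells "different".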
@@ -15,7 +15,7 @@ urlpatterns = patterns('',
     url(r'^closemodal/$', views.CloseModal.as_view(), name='closemodal'),
     url('^user/login/$', 'RIGS.views.login', name='login'),
-    url('^user/login/embed/$', xframe_options_exempt(views.login_embed), name='login_embed'),
+    url('^user/login/embed/$', allow_embed()(views.login_embed), name='login_embed'),
     url(r'^user/password_reset/$', 'django.contrib.auth.views.password_reset', {'password_reset_form':forms.PasswordReset}),
     # People
@@ -85,7 +85,7 @@ urlpatterns = patterns('',
         permission_required_with_403('RIGS.view_event', oembed_view="event_oembed")(rigboard.EventDetail.as_view()),
         name='event_detail'),
     url(r'^event/(?P\d+)/embed/$',
-        xframe_options_exempt(permission_required_with_403('RIGS.view_event', login_url='/user/login/embed/')(rigboard.EventEmbed.as_view())),
+        allow_embed()(permission_required_with_403('RIGS.view_event', login_url='/user/login/embed/')(rigboard.EventEmbed.as_view())),
         name='event_embed'),
     url(r'^event/(?P\d+)/oembed_json/$', rigboard.EventOembed.as_view(),