From b7b50d25cf210183ce124898192e5204b948deba Mon Sep 17 00:00:00 2001
From: Saso Skube
Date: Fri, 28 Jun 2024 05:14:18 +0200
Subject: [PATCH] fix(surveys): Allow CORS OPTIONS request to be unauthenticated. (#23282)
fix(surveys): Allow CORS OPTIONS request to be unauthenticated
Co-authored-by: Phani Raj
---
 posthog/api/survey.py | 5 ++++-
 posthog/api/test/test_survey.py | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/posthog/api/survey.py b/posthog/api/survey.py
index 05ab3da354b62..4dfdb9156c242 100644
--- a/posthog/api/survey.py
+++ b/posthog/api/survey.py
@@ -4,7 +4,7 @@
 import nh3
 from django.db.models import Min
-from django.http import JsonResponse
+from django.http import JsonResponse, HttpResponse
 from django.utils.text import slugify
 from django.views.decorators.csrf import csrf_exempt
 from nanoid import generate
@@ -467,6 +467,9 @@ class Meta:
 def surveys(request: Request):
 token = get_token(None, request)
+ if request.method == "OPTIONS":
+ return cors_response(request, HttpResponse(""))
+
 if not token:
 return cors_response(
 request,
diff --git a/posthog/api/test/test_survey.py b/posthog/api/test/test_survey.py
index 363688915daf5..f29ead7743bb8 100644
--- a/posthog/api/test/test_survey.py
+++ b/posthog/api/test/test_survey.py
@@ -2015,6 +2015,16 @@ def _get_surveys(
 REMOTE_ADDR=ip,
 )
+ def test_options_unauthenticated(self):
+ unauthenticated_client = Client(enforce_csrf_checks=True)
+ unauthenticated_client.logout()
+ request_headers = {"HTTP_ACCESS_CONTROL_REQUEST_METHOD": "GET", "HTTP_ORIGIN": "*", "USER_AGENT": "Agent 008"}
+ response = unauthenticated_client.options(
+ "/api/surveys", data={}, follow=False, secure=False, headers={}, **request_headers
+ )
+ self.assertEqual(response.status_code, 200)
+ self.assertEqual(response.headers["Access-Control-Allow-Origin"], "*")
+
 @snapshot_postgres_queries
 def test_list_surveys(self):
 basic_survey = Survey.objects.create(
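Review bot: The new OPTIONS branch sits after `token = get_token(None, request)`, so every preflight still runs token extraction whose result it never uses; make it the first statement of the view and say why it bypasses auth, e.g. `# CORS preflight carries no credentials or body; answer it before token parsing.` directly above `if request.method == "OPTIONS":` / `return cors_response(request, HttpResponse(""))`. What headers `cors_response` attaches is outside this hunk; since this path now answers any origin without a token, confirm it does not pair a reflected `Origin` with `Access-Control-Allow-Credentials: true`, and that it emits the `Access-Control-Allow-Methods` / `Access-Control-Allow-Headers` a preflight needs, because an empty 200 alone is not enough for the browser to proceed. The body of `surveys` continues past the end of the hunk.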
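Review bot: The test sends `"HTTP_ORIGIN": "*"`, an origin no browser emits, so `self.assertEqual(response.headers["Access-Control-Allow-Origin"], "*")` passes whether `cors_response` echoes the request origin or returns a wildcard and does not show a real cross-origin preflight is allowed; use a concrete origin such as `"HTTP_ORIGIN": "https://example.com"` and assert the value `cors_response` is meant to return for it. `"USER_AGENT"` is passed as a raw WSGI environ key rather than `HTTP_USER_AGENT`, so it presumably never reaches the request as a header — harmless here, but misleading. Because the new early return precedes the token check, pair this test with an assertion that an unauthenticated `GET /api/surveys` is still rejected, e.g. `self.assertNotEqual(unauthenticated_client.get("/api/surveys", **request_headers).status_code, 200)` (or the exact status the missing-token branch returns), so a later widening of the method check cannot slip through. Nothing asserts `Access-Control-Allow-Methods` against the `Access-Control-Request-Method` the test sends, which is the header a preflight is actually gated on.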