Cross-Origin issue creation
Added by Herberts Markuns over 7 years ago
Hi,
I'm having trouble with Redmine API. What I'm trying to do is create an issue as an anonymous user, from a different origin, from a web browser.
Is that possible?
I'm getting 404 errors when POSTing, which shows up as an OPTIONS request method in the browser network inspector. The GET method works, however; it returns all issues of the public project.
I have set to allow anonymous users to create issues on this public project.
Console logging the following errors:
    OPTIONS ..issues.json 404 (Not Found)
    XMLHttpRequest cannot load ..issues.json. Response for preflight has invalid HTTP status code 404
Story:
I have created a project for users who use one of our products to submit feedback, anonymously. On one of these products, there is a "feedback" button, that allows users to submit feedback, without directly accessing the feedback site.
This button should create an issue in Redmine with user input. The user is submitting feedback from "userproduct.com" domain, to "ourredmineinstance.com".
To access "ourredmineinstance.com" you need a certificate, which the user has, and which the browser asks the user to specify when calling the Redmine API from "userproduct.com" (already works).
We're using Redmine in a Docker container, based on sameersbn/redmine docker image, based on Ubuntu 14.04.
    Environment:
      Redmine version                3.2.0.stable
      Ruby version                   2.1.8-p440 (2015-12-16) [x86_64-linux-gnu]
      Rails version                  4.2.5
      Environment                    production
      Database adapter               PostgreSQL
    SCM:
      Subversion                     1.8.8
      Darcs                          2.8.4
      Mercurial                      2.8.2
      Cvs                            1.12.13
      Bazaar                         2.7.0
      Git                            2.7.2
      Filesystem
    Redmine plugins:
      redmine_agile                  1.4.0
      redmine_people                 1.2.0
Replies (1)
RE: Cross-Origin issue creation - Added by Herberts Markuns over 7 years ago
Issue resolved!
acosonic from the IRC channel directed me to an article about allowing these kinds of requests in Apache Tomcat (which is used as a gateway between the client and Redmine in our case).
Had to add the following to my Apache configuration to make it work:
    # Always set these headers.
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "Content-Type, authorization"

    # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
Credit to Benjamin Horn, you can find his article on his website, if you google "setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allowing-everything-through".
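A narrower variant of the configuration in the reply above, as an added example that is not part of the original post: it returns only an allowlisted origin instead of `*` and answers the preflight only for that origin. It assumes `mod_setenvif`, `mod_headers` and `mod_rewrite` are loaded, that `https://userproduct.com` (domain from the thread, scheme assumed) is the only calling origin, and that anonymous issue creation needs only GET and POST with a `Content-Type` header.

```apache
# Added example, not from the original post.
# Assumptions: mod_setenvif, mod_headers and mod_rewrite are enabled;
# the only origin allowed to call the API is https://userproduct.com.

# Capture the Origin request header only when it matches the allowlist exactly.
# CORS_ORIGIN is a variable name chosen for this example.
SetEnvIf Origin "^(https://userproduct\.com)$" CORS_ORIGIN=$1

# Echo the matched origin back instead of "*".
# Requests from any other origin receive no CORS headers at all.
Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS" env=CORS_ORIGIN
Header always set Access-Control-Allow-Headers "Content-Type" env=CORS_ORIGIN
Header always set Access-Control-Max-Age "1000" env=CORS_ORIGIN

# The response now depends on the Origin header, so caches must key on it.
Header always merge Vary "Origin"

# Answer the preflight with 200 at the gateway, but only for the allowlisted
# origin. Other OPTIONS requests fall through to the backend as before.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS$
RewriteCond %{ENV:CORS_ORIGIN} !^$
RewriteRule ^(.*)$ $1 [R=200,L]
```

To permit more than one origin, extend the `SetEnvIf` pattern with an alternation of full origins rather than loosening it to a suffix or substring match.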