Commit

Update settings / docs
SchrodingersGat committed Feb 8, 2024
1 parent 1d89630 commit b32a5b3
Showing 3 changed files with 18 additions and 5 deletions.
6 changes: 5 additions & 1 deletion InvenTree/InvenTree/settings.py
Expand Up @@ -161,7 +161,11 @@
'INVENTREE_CORS_ORIGIN_ALLOW_ALL', config_key='cors.allow_all', default_value=DEBUG
)

CORS_ALLOW_CREDENTIALS = True
CORS_ALLOW_CREDENTIALS = get_boolean_setting(
'INVENTREE_CORS_ALLOW_CREDENTIALS',
config_key='cors.allow_credentials',
default_value=True,
)

# Only allow CORS access to API and media endpoints
CORS_URLS_REGEX = r'^/(api|media|static)/.*$'
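
Review bot: `default_value=True` on the new `INVENTREE_CORS_ALLOW_CREDENTIALS` setting leaves credentialed cross-origin requests enabled unless an operator opts out, and the context line above it shows `cors.allow_all` defaulting to `DEBUG`, so a debug instance ends up with allow-all origins and allow-credentials both on for the `/api/` paths matched by `CORS_URLS_REGEX`. Consider defaulting to `False`, or at least logging a warning at startup when both values resolve to true. A short comment above the setting saying why it is now configurable would also help, since the hunk adds none.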
3 changes: 1 addition & 2 deletions InvenTree/config_template.yaml
Expand Up @@ -188,10 +188,9 @@ use_x_forwarded_port: false

# Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
cors:
# CORS_ALLOW_ALL_ORIGINS - If True, the whitelist will not be used and all origins will be accepted.
allow_all: True
allow_credentials: True,

# CORS_ALLOWED_ORIGINS - A list of origins that are authorized to make cross-site HTTP requests. Defaults to []
# whitelist:
# - https://example.com
# - https://sub.example.com
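
Review bot: the new line `allow_credentials: True,` ends with a trailing comma, which YAML reads as part of the scalar, so the value is the string `True,` rather than a boolean and what the setting resolves to depends on how the config loader coerces it. Drop the comma so it reads `allow_credentials: True`. The new key also has no explanatory comment, unlike the whitelist entry below it, and the template pairs it with `allow_all: True`; a one-line comment noting that credentials should only be allowed together with an explicit whitelist would make the template safer to copy.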
14 changes: 12 additions & 2 deletions docs/docs/start/config.md
Expand Up @@ -196,18 +196,28 @@ A list of currency codes (e.g. *AUD*, *CAD*, *JPY*, *USD*) can be specified usin
!!! tip "More Info"
Read the [currencies documentation](../settings/currency.md) for more information on currency support in InvenTree

## Allowed Hosts / CORS
## Server Access

By default, all hosts are allowed, and CORS requests are enabled from any origin.
Depending on how your InvenTree installation is configured, you will need to pay careful attention to the following settings. If you are running your server behind a proxy, or want to adjust support for CORS requests, one or more of the following settings may need to be adjusted.

!!! warning "Advanced Users"
The following settings require a certain assumed level of knowledge. You should also refer to the [django documentation](https://docs.djangoproject.com/en/4.2/ref/settings/) for more information.

!!! danger "Not Secure"
Allowing access from any host is not secure, and should be adjusted for your installation.

!!! info "Environment Variables"
Note that a provided environment variable will override the value provided in the configuration file.

| Environment Variable | Configuration File | Description | Default |
| --- | --- | --- | --- |
| INVENTREE_ALLOWED_HOSTS | allowed_hosts | List of allowed hosts | `*` |
| INVENTREE_TRUSTED_ORIGINS | trusted_origins | List of trusted origins | *Empty list* |
| INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | False |
| INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | False |
| INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | False |
| INVENTREE_CORS_ORIGIN_WHITELIST | cors.whitelist | List of whitelisted CORS URLs | *Empty list* |
| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True |

!!! info "Configuration File"
Allowed hosts and CORS options must be changed in the configuration file, and cannot be set via environment variables
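
Review bot: the "Environment Variables" admonition says an environment variable overrides the configuration file, while the "Configuration File" admonition at the end of this hunk says allowed hosts and CORS options cannot be set via environment variables; the two contradict each other, and the table now lists an environment variable for every row. If the later admonition is still in the file after this change, remove or reword it. The table also documents `cors.allow_all` with a default of `False`, which does not match the `default_value=DEBUG` visible in `settings.py` or the `allow_all: True` in the config template, and the `cors.allow_credentials` row would benefit from a note that it should not be combined with allow-all origins.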