CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Allow inline PDF display in CSP header

Browse Source
This commit is contained in:
Raphael Michel
2017-05-08 09:36:55 +02:00
parent 962cdef69a
commit 3de85975d6
2 changed files with 29 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/pretix/control/views/event.py
View File

@@ -316,7 +316,8 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
def get(self, request, *args, **kwargs):
pdf = build_preview_invoice_pdf(request.event)
resp = HttpResponse(pdf, content_type='application/pdf')
resp['Content-Disposition'] = 'attachment; filename="invoice-preview.pdf"'
resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
resp['Content-Disposition'] = 'inline; filename="invoice-preview.pdf"'
return resp
@@ -527,7 +528,11 @@ class TicketSettingsPreview(EventPermissionRequiredMixin, View):
fname, mimet, data = tickets.preview(self.request.event.pk, self.output.identifier)
resp = HttpResponse(data, content_type=mimet)
ftype = fname.split(".")[-1]
resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
if mimet == "application/pdf":
resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
else:
resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
return resp
def get_error_url(self) -> str:

30
src/pretix/presale/views/order.py
View File

@@ -580,9 +580,15 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
return render(self.request, "pretixbase/cachedfiles/pending.html", {})
else:
resp = FileResponse(ct.file.file, content_type=ct.type)
resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
)
if ct.type == "application/pdf":
resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
resp['Content-Disposition'] = 'inline; filename="{}-{}-{}{}"'.format(
self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
)
else:
resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
self.request.event.slug.upper(), self.order.code, self.output.identifier, ct.extension
)
return resp
def _download_position(self):
@@ -613,10 +619,17 @@ class OrderDownload(EventViewMixin, OrderDetailMixin, View):
return render(self.request, "pretixbase/cachedfiles/pending.html", {})
else:
resp = FileResponse(ct.file.file, content_type=ct.type)
resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
self.output.identifier, ct.extension
)
if ct.type == "application/pdf":
resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
resp['Content-Disposition'] = 'inline; filename="{}-{}-{}-{}{}"'.format(
self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
self.output.identifier, ct.extension
)
else:
resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
self.output.identifier, ct.extension
)
return resp
@@ -646,5 +659,6 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
return redirect(self.get_order_url())
resp = FileResponse(invoice.file.file, content_type='application/pdf')
resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
resp['Content-Security-Policy'] = "style-src 'unsafe-inline'; object-src 'self'"
resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(invoice.number)
return resp