Fix for issue r0man#5. wrap-cors should return nil if the underlying …

…handler returns nil per the existing tests. This wasn't occuring properly if allow-methods were specified and the request headers had an origin. Added a check for a nil response and corresponding test.
scottyw · Oct 16, 2014 · e50554c · e50554c
1 parent 833206f
commit e50554c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 9 deletions.
diff --git a/src/ring/middleware/cors.clj b/src/ring/middleware/cors.clj
@@ -42,12 +42,13 @@
 (defn add-access-control
   "Add the access control headers using the request's origin to the response."
   [request response access-control]
-  (if-let [origin (origin request)]
-    (update-in response [:headers] merge
-               (->> origin
-                    (assoc access-control :access-control-allow-origin)
-                    (normalize-headers)))
-    response))
+  (if ((complement nil?) response)
+    (if-let [origin (origin request)]
+      (update-in response [:headers] merge
+                 (->> origin
+                      (assoc access-control :access-control-allow-origin)
+                      (normalize-headers)))
+      response)))
 
 (defn wrap-cors
   "Middleware that adds Cross-Origin Resource Sharing headers.

diff --git a/test/ring/middleware/cors_test.clj b/test/ring/middleware/cors_test.clj
@@ -4,7 +4,7 @@
 
 (deftest test-allow-request?
   (testing "with empty vector"
-    (is (not (allow-request? {:headers {"origin" "http://eample.com"}}
+    (is (not (allow-request? {:headers {"origin" "http://example.com"}}
                              {:access-control-allow-origin []}))))
   (testing "with one regular expressions"
     (are [origin expected]
@@ -72,9 +72,25 @@
 
 (deftest test-no-cors-header-when-handler-returns-nil
   (is (nil? ((wrap-cors (fn [_] nil)
-                        :access-control-allow-origin #".*example.com")
+               :access-control-allow-origin #".*example.com")
              {:request-method
-              :get :uri "/"
+                       :get :uri "/"
+              :headers {"origin" "http://example.com"}}))))
+
+(deftest test-no-cors-header-when-handler-returns-nil-and-matching-methods-supplied
+  (is (nil? ((wrap-cors (fn [_] nil)
+               :access-control-allow-origin #".*example.com"
+               :access-control-allow-methods [:get])
+             {:request-method
+                       :get :uri "/"
+              :headers {"origin" "http://example.com"}}))))
+
+(deftest test-no-cors-header-when-handler-returns-nil-and-unmatching-methods-supplied
+  (is (nil? ((wrap-cors (fn [_] nil)
+               :access-control-allow-origin #".*example.com"
+               :access-control-allow-methods [:post])
+             {:request-method
+                       :get :uri "/"
               :headers {"origin" "http://example.com"}}))))
 
 (deftest test-options-without-cors-header