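def render_article(request, article, current_language, slug):
    """Render an article and apply its X-Frame-Options policy.

    Builds the template context, wraps it in a ``TemplateResponse`` and
    registers ``set_page_cache`` as a post-render callback. The framing
    policy is read from ``article.tree.get_xframe_options()``.

    Args:
        request: The current HTTP request.
        article: The article to render; supplies the template, the
            change-permission check and, through ``article.tree``, the
            framing policy.
        current_language: Language code exposed to the template as ``lang``.
        slug: Not used by this function.

    Returns:
        The (unrendered) ``TemplateResponse`` for the article.
    """
    # NOTE(review): unlike render_page, no view-permission check is made
    # here - confirm that the caller enforces read access to the article.
    context = {
        'article': article,
        'lang': current_language,
        'current_article': article,
        'has_change_permissions': article.has_change_permission(request),
    }

    response = TemplateResponse(request, article.template, context)
    response.add_post_render_callback(set_page_cache)

    # Add headers for X Frame Options - this really should be changed upon
    # moving to class based views.
    xframe_options = article.tree.get_xframe_options()

    # xframe_options can be None if there's no xframe information on the page
    # (eg. a top-level page which has xframe options set to "inherit").
    if xframe_options is None or xframe_options == Page.X_FRAME_OPTIONS_INHERIT:
        # Defer to Django's own clickjacking handling.
        return response

    if xframe_options == Page.X_FRAME_OPTIONS_ALLOW:
        # Framing is explicitly allowed: emit no header and stop Django's
        # middleware from adding one.
        response.xframe_options_exempt = True
        return response

    if xframe_options == Page.X_FRAME_OPTIONS_SAMEORIGIN:
        header_value = 'SAMEORIGIN'
    elif xframe_options == Page.X_FRAME_OPTIONS_DENY:
        header_value = 'DENY'
    else:
        # Unrecognised setting: fail closed. Previously the response was
        # marked exempt before the value was matched, so an unexpected value
        # produced no header at all and also switched off the middleware
        # default. Leaving the exemption unset keeps Django's clickjacking
        # handling in effect.
        return response

    # We set the header ourselves, so prevent Django's middleware from
    # setting it as well.
    response.xframe_options_exempt = True
    response['X-Frame-Options'] = header_value
    return response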
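def render_page(request, page, current_language, slug):
    """Render a page, enforcing view permission and its X-Frame-Options policy.

    Resolves the template via ``get_template_from_request``, builds the
    context and returns a ``TemplateResponse`` with ``set_page_cache``
    registered as a post-render callback. When the requesting user may not
    view the page, the result of ``_handle_no_page(request, slug)`` is
    returned instead and no template response is built.

    Args:
        request: The current HTTP request; ``request.user`` is used for the
            permission checks.
        page: The page to render; supplies the framing policy through
            ``page.get_xframe_options()``.
        current_language: Language code exposed to the template as ``lang``.
        slug: Passed to ``_handle_no_page`` when access is refused.

    Returns:
        The (unrendered) ``TemplateResponse`` for the page, or whatever
        ``_handle_no_page`` returns when the user lacks view permission.
    """
    template_name = get_template_from_request(request, page, no_current_page=True)

    # Fill the context.
    context = {
        "lang": current_language,
        "current_page": page,
        "has_change_permissions": user_can_change_page(request.user, page),
        "has_view_permissions": user_can_view_page(request.user, page),
    }

    # Access control: refuse before any response for the page is created.
    if not context["has_view_permissions"]:
        return _handle_no_page(request, slug)

    response = TemplateResponse(request, template_name, context)
    response.add_post_render_callback(set_page_cache)

    # Add headers for X Frame Options - this really should be changed upon
    # moving to class based views.
    xframe_options = page.get_xframe_options()

    # xframe_options can be None if there's no xframe information on the page
    # (eg. a top-level page which has xframe options set to "inherit").
    if xframe_options is None or xframe_options == Page.X_FRAME_OPTIONS_INHERIT:
        # Defer to Django's own clickjacking handling.
        return response

    if xframe_options == Page.X_FRAME_OPTIONS_ALLOW:
        # Framing is explicitly allowed: emit no header and stop Django's
        # middleware from adding one.
        response.xframe_options_exempt = True
        return response

    if xframe_options == Page.X_FRAME_OPTIONS_SAMEORIGIN:
        header_value = "SAMEORIGIN"
    elif xframe_options == Page.X_FRAME_OPTIONS_DENY:
        header_value = "DENY"
    else:
        # Unrecognised setting: fail closed. Previously the response was
        # marked exempt before the value was matched, so an unexpected value
        # produced no header at all and also switched off the middleware
        # default. Leaving the exemption unset keeps Django's clickjacking
        # handling in effect.
        return response

    # We set the header ourselves, so prevent Django's middleware from
    # setting it as well.
    response.xframe_options_exempt = True
    response["X-Frame-Options"] = header_value
    return response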