From 13f8cdac02478d9181f6082c9302bf9030cd63bc Mon Sep 17 00:00:00 2001
From: Nikola <nikola@r-digital.tech>
Date: Wed, 4 Jan 2023 13:22:53 +0100
Subject: [PATCH] Fix for Access control header

---
 extensions/components/com_redcore/admin/config.xml     | 10 ++++++++++
 .../admin/language/en-GB/en-GB.com_redcore.sys.ini     |  2 ++
 .../libraries/redcore/api/hal/document/document.php    |  5 ++++-
 .../libraries/redcore/api/soap/document/document.php   |  5 ++++-
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/extensions/components/com_redcore/admin/config.xml b/extensions/components/com_redcore/admin/config.xml
index 232613d9..6718c1e4 100644
--- a/extensions/components/com_redcore/admin/config.xml
+++ b/extensions/components/com_redcore/admin/config.xml
@@ -211,6 +211,16 @@
             <option value="1">JYES</option>
             <option value="0">JNO</option>
         </field>
+        <field
+                name="enable_access_control_header"
+                class="btn-group"
+                type="radio"
+                default="1"
+                label="COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_ACCESS_CONTROL_HEADER"
+                description="COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_ACCESS_CONTROL_HEADER_DESC">
+            <option value="1">JYES</option>
+            <option value="0">JNO</option>
+        </field>
     </fieldset>
     <fieldset name="REDCORE_OAUTH2_SERVER_OPTIONS"
               addfieldpath="/libraries/redcore/form/fields"
diff --git a/extensions/components/com_redcore/admin/language/en-GB/en-GB.com_redcore.sys.ini b/extensions/components/com_redcore/admin/language/en-GB/en-GB.com_redcore.sys.ini
index d7e0521f..739ab32f 100644
--- a/extensions/components/com_redcore/admin/language/en-GB/en-GB.com_redcore.sys.ini
+++ b/extensions/components/com_redcore/admin/language/en-GB/en-GB.com_redcore.sys.ini
@@ -63,6 +63,8 @@ COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_DEBUG="Enable debug"
 COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_DEBUG_DESC="If you enable debugging, it will display notifications and warnings in the webservice output."
 COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_GZIP_COMPRESSION="Enable Gzip compression feature"
 COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_GZIP_COMPRESSION_DESC="Gzip compression will only be available to Clients that request Gzip compression in their headers. It is best to have this option always enabled if the server supports Gzip compression."
+COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_ACCESS_CONTROL_HEADER="Enable Access Control Header"
+COM_REDCORE_CONFIG_WEBSERVICES_ENABLE_ACCESS_CONTROL_HEADER_DESC="Disabel if you need to remove the Access-Control-Allow-Origin header."
 
 ; OAuth2 Server
 COM_REDCORE_CONFIG_OAUTH2_SERVER_OPTIONS="OAuth2 Server options"
diff --git a/extensions/libraries/redcore/api/hal/document/document.php b/extensions/libraries/redcore/api/hal/document/document.php
index 140ec140..58bb0810 100644
--- a/extensions/libraries/redcore/api/hal/document/document.php
+++ b/extensions/libraries/redcore/api/hal/document/document.php
@@ -119,7 +119,10 @@ public function render($cache = false, $params = array())
 
 		$app->setHeader('Status', $this->hal->statusCode . ' ' . $this->hal->statusText, true);
 		$app->setHeader('Server', '', true);
-		$app->setHeader('Access-Control-Allow-Origin', '*', true);
+        if (RBootstrap::$config->get('enable_access_control_header', '1') == '1')
+        {
+            $app->setHeader('Access-Control-Allow-Origin', '*', true);
+        }
 		$app->setHeader('Pragma', 'public', true);
 		$app->setHeader('Expires', '0', true);
 		$app->setHeader('Cache-Control', 'must-revalidate, post-check=0, pre-check=0', true);
diff --git a/extensions/libraries/redcore/api/soap/document/document.php b/extensions/libraries/redcore/api/soap/document/document.php
index b3cd85a7..8c094ac6 100644
--- a/extensions/libraries/redcore/api/soap/document/document.php
+++ b/extensions/libraries/redcore/api/soap/document/document.php
@@ -108,7 +108,10 @@ public function render($cache = false, $params = array())
 		$app->setHeader('Status', $this->soap->statusCode . ' ' . $this->soap->statusText, true);
 		$app->setHeader('Server', '', true);
 		$app->setHeader('X-Runtime', $runtime, true);
-		$app->setHeader('Access-Control-Allow-Origin', '*', true);
+        if (RBootstrap::$config->get('enable_access_control_header', '1') == '1')
+        {
+            $app->setHeader('Access-Control-Allow-Origin', '*', true);
+        }
 		$app->setHeader('Pragma', 'public', true);
 		$app->setHeader('Expires', '0', true);
 		$app->setHeader('Cache-Control', 'must-revalidate, post-check=0, pre-check=0', true);