issue2551203 - Add support for CORS preflight request Add support for unauthenticated CORS preflight and fix headers for CORS. client.py: pass through unauthenticated CORS preflight to rest backend. Normal rest OPTION handlers (including tracker defined extensions) can see and handle the request. make some error cases return error json with crrect mime type rather than plain text tracebacks. create new functions to verify origin and referer that filter using allowed origins setting. remove tracker base url from error message is referer is not at an allowed origin. rest.py: fix up OPTION methods handlers to include Access-Control-Allow-Methods that are the same as the Allow header. set cache to one week for all Access-Control headers for CORS preflight only. remove self.client.setHeader("Access-Control-Allow-Origin", "*") and set Access-Control-Allow-Origin to the client supplied origin if it passes allowed origin checks. Required for CORS otherwise data isn't available to caller. Set for all responses. set Vary header now includes Origin as responses can differ based on Origin for all responses. set Access-Control-Allow-Credentials to true on all responses. test_liveserver.py: run server with setting to enforce origin csrf header check run server with setting to enforce x-requested-with csrf header check run server with setting for allowed_api_origins requests now set required csrf headers test preflight request on collections check new headers and Origin is no longer '*' rewrite all compression checks to use a single method with argument to use different compression methods. Reduce a lot of code duplication and makes updating for new headers easier. test_cgi: test new error messages in client.py account for new headers test preflight and new code paths

def preset_new(db, cl, nodeid, newvalues):
    """ Make sure the status is set on new issues"""

    if 'status' in newvalues and newvalues['status']:
        return

    new = db.status.lookup('new')
    newvalues['status'] = new

def update_pending(db, cl, nodeid, newvalues):
    ''' If the issue is currently 'pending' and person other than assigned
        updates it, then set it to 'open'.
    '''
    # don't fire if there's no new message (ie. update)
    if 'messages' not in newvalues:
        return
    if newvalues['messages'] == cl.get(nodeid, 'messages'):
        return

    # get the open state ID
    try:
        open_id = db.status.lookup('open')
    except KeyError:
        # no open state, ignore all this stuff
        return

    # get the current value
    current_status = cl.get(nodeid, 'status')

    # see if there's an explicit change in this transaction
    if 'status' in newvalues:
        # yep, skip
        return

    assignee = cl.get(nodeid, 'assignee')
    if assignee == db.getuid():
        # this change is brought to you by the assignee and number 4
        # so don't change status.
        return

    # determine the id of 'pending'
    fromstates = []
    for state in 'pending'.split():
        try:
            fromstates.append(db.status.lookup(state))
        except KeyError:
            pass

    # ok, there's no explicit change, so check if we are in a state that
    # should be changed
    if current_status in fromstates + [None]:
        # yep, we're now open
        newvalues['status'] = open_id

def init(db):
    # fire before changes are made
    db.issue.audit('create', preset_new)
    db.issue.audit('set', update_pending)