Implement Platform Superuser UI and Fix API Role Casing

- Update API to return lowercase roles for frontend compatibility - Fix Tenant owner lookup in platform admin serializer - Update frontend App.tsx to match tarball implementation - Prioritize vite.config.js for HMR support - Include pending CSP and CORS configuration updates
2025-11-27 02:16:05 -05:00
parent 2e111364a2
commit 249a9040d2
10 changed files with 143 additions and 8 deletions
--- a/smoothschedule/config/settings/multitenancy.py
+++ b/smoothschedule/config/settings/multitenancy.py
@@ -41,6 +41,7 @@ SHARED_APPS = [
    'hijack.contrib.admin',
    'crispy_forms',
    'crispy_bootstrap5',
+    'csp',
 ]

 # Tenant-specific apps - Each tenant gets isolated data in their own schema
@@ -87,6 +88,7 @@ MIDDLEWARE = [
    
    # 2. Security middleware
    'django.middleware.security.SecurityMiddleware',
+    'csp.middleware.CSPMiddleware',
    'corsheaders.middleware.CorsMiddleware',  # Moved up for better CORS handling
    'whitenoise.middleware.WhiteNoiseMiddleware',
    
@@ -211,3 +213,40 @@ LOGGING['loggers']['smoothschedule.security.masquerade'] = {
 # Create logs directory if it doesn't exist
 import os
 os.makedirs(BASE_DIR / 'logs', exist_ok=True)
+
+# =============================================================================
+# CONTENT SECURITY POLICY (CSP)
+# =============================================================================
+# https://django-csp.readthedocs.io/en/latest/configuration.html
+
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = (
+    "'self'",
+    "https://js.stripe.com",
+    "https://connect-js.stripe.com",
+    "https://www.googletagmanager.com",
+    "https://www.google-analytics.com",
+    "blob:",  # Required for Stripe
+)
+CSP_STYLE_SRC = (
+    "'self'",
+    "'unsafe-inline'",  # Required for Stripe and many UI libraries
+)
+CSP_IMG_SRC = (
+    "'self'",
+    "data:",
+    "https://*.stripe.com",
+    "https://www.google-analytics.com",
+)
+CSP_CONNECT_SRC = (
+    "'self'",
+    "https://api.stripe.com",
+    "https://www.google-analytics.com",
+    "https://stats.g.doubleclick.net",
+)
+CSP_FRAME_SRC = (
+    "'self'",
+    "https://js.stripe.com",
+    "https://hooks.stripe.com",
+    "https://connect-js.stripe.com",
+)