From bf08408f8916608f9891d90b9a0a5984825bc534 Mon Sep 17 00:00:00 2001
From: monodo <olivier.monod@yverdon-les-bains.ch>
Date: Wed, 15 May 2024 10:47:21 +0200
Subject: [PATCH] allow configuration in .env

---
 .env.example        | 2 ++
 docker-compose.yml  | 1 +
 geocity/settings.py | 2 ++
 3 files changed, 5 insertions(+)

diff --git a/.env.example b/.env.example
index 3c093d69e..855246ae4 100644
--- a/.env.example
+++ b/.env.example
@@ -104,3 +104,5 @@ USE_THUMBOR=false
 # For dockerized thumbor service not exposed over the Internet, attache Geocity to its network with this override on top of this file:
 # COMPOSE_FILE=docker-compose.yml:docker-compose.thumbor.yml
 THUMBOR_SERVICE_URL="http://nginx-proxy"
+# https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-trusted-origins
+CSRF_TRUSTED_ORIGINS=https://yoursite.geocity
diff --git a/docker-compose.yml b/docker-compose.yml
index 7c0cc4ddd..147a7cbaa 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -79,6 +79,7 @@ services:
       SITE_DOMAIN:
       USE_THUMBOR:
       THUMBOR_SERVICE_URL:
+      CSRF_TRUSTED_ORIGINS:
     ports:
       - "${DJANGO_DOCKER_PORT}:9000"
     networks:
diff --git a/geocity/settings.py b/geocity/settings.py
index 335b0d585..0a0c4f62f 100644
--- a/geocity/settings.py
+++ b/geocity/settings.py
@@ -42,6 +42,8 @@
 
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
+CSRF_TRUSTED_ORIGINS = os.getenv("CSRF_TRUSTED_ORIGINS").split(",")
+
 
 # SESSION TIMEOUT
 # default session time is one hour