Remove CORS_MODEL and associated code

As per history note, and comment on #388.

HISTORY.rst

@@ -8,6 +8,13 @@ Pending
 
 * Origin is now scheme-aware. Deprecation warning has been added when origin
   without scheme is included.
+* Removed the ``CORS_MODEL`` setting, and associated class. It seems very few,
+  or no users were using it, since there were no bug reports since its move to
+  abstract in version 2.0.0 (2017-01-07). If you *are* using this
+  functionality, you can continue by changing your model to not inherit from
+  the abstract one, and add a signal handler for ``check_request_enabled`` that
+  reads from your model. Note you'll need to handle the move to scheme-aware
+  values for Origin.
 
 2.5.3 (2019-04-28)
 ------------------

README.rst

@@ -240,15 +240,6 @@ cross-domain. Change it to ``None`` to bypass this security restriction.
 
 .. _SESSION_COOKIE_SAMESITE: https://docs.djangoproject.com/en/2.1/ref/settings/#std:setting-SESSION_COOKIE_SAMESITE
 
-``CORS_MODEL``
-~~~~~~~~~~~~~~
-
-If set, this should be the path to a model to look up allowed origins, in the
-form ``app.modelname``. Defaults to ``None``.
-
-The model should inherit from ``corsheaders.models.AbstractCorsModel`` and specify
-the allowed origin in the ``CharField`` called ``cors``.
-
 CSRF Integration
 ----------------
 

corsheaders/checks.py

@@ -3,6 +3,7 @@
 import re
 from numbers import Integral
 
+from django.conf import settings
 from django.core import checks
 from django.utils import six
 
@@ -92,19 +93,19 @@ def check_settings(app_configs, **kwargs):
             )
         )
 
-    if conf.CORS_MODEL is not None and not isinstance(conf.CORS_MODEL, six.string_types):
+    if not isinstance(conf.CORS_REPLACE_HTTPS_REFERER, bool):
         errors.append(
             checks.Error(
-                "CORS_MODEL should be a string or None.",
-                id="corsheaders.E010"
+                "CORS_REPLACE_HTTPS_REFERER should be a bool.",
+                id="corsheaders.E011"
             )
         )
 
-    if not isinstance(conf.CORS_REPLACE_HTTPS_REFERER, bool):
+    if hasattr(settings, 'CORS_MODEL'):
         errors.append(
             checks.Error(
-                "CORS_REPLACE_HTTPS_REFERER should be a bool.",
-                id="corsheaders.E011"
+                "The CORS_MODEL setting has been removed - see django-cors-headers' HISTORY.",
+                id="corsheaders.E012"
             )
         )
 

corsheaders/conf.py

@@ -46,10 +46,6 @@ def CORS_EXPOSE_HEADERS(self):
     def CORS_URLS_REGEX(self):
         return getattr(settings, 'CORS_URLS_REGEX', r'^.*$')
 
-    @property
-    def CORS_MODEL(self):
-        return getattr(settings, 'CORS_MODEL', None)
-
     @property
     def CORS_REPLACE_HTTPS_REFERER(self):
         return getattr(settings, 'CORS_REPLACE_HTTPS_REFERER', False)

corsheaders/middleware.py

@@ -123,7 +123,6 @@ def process_response(self, request, response):
         if (
             not conf.CORS_ORIGIN_ALLOW_ALL
             and not self.origin_found_in_white_lists(origin, url)
-            and not self.origin_found_in_model(url)
             and not self.check_signal(request)
         ):
             return response
@@ -158,16 +157,6 @@ def regex_domain_match(self, origin):
             if re.match(domain_pattern, origin):
                 return origin
 
-    def origin_found_in_model(self, url):
-        if conf.CORS_MODEL is None:
-            return False
-        model = apps.get_model(*conf.CORS_MODEL.split('.'))
-        queryset = model.objects.filter(cors__icontains=url.netloc).values_list('cors', flat=True)
-
-        whitelisted_origins = self._get_parsed_whitelisted_origins(queryset)
-        self._check_for_origins_without_scheme(whitelisted_origins)
-        return self._url_in_whitelist(url, whitelisted_origins)
-
     def is_enabled(self, request):
         return (
             bool(re.match(conf.CORS_URLS_REGEX, request.path_info))

tests/test_checks.py

@@ -90,10 +90,10 @@ def test_cors_expose_headers_non_string(self):
     def test_cors_urls_regex_non_string(self):
         self.check_error_codes(['corsheaders.E009'])
 
-    @override_settings(CORS_MODEL=object)
-    def test_cors_model_failure(self):
-        self.check_error_codes(['corsheaders.E010'])
-
     @override_settings(CORS_REPLACE_HTTPS_REFERER=object)
     def test_cors_replace_https_referer_failure(self):
         self.check_error_codes(['corsheaders.E011'])
+
+    @override_settings(CORS_MODEL='something')
+    def test_cors_model_failure(self):
+        self.check_error_codes(['corsheaders.E012'])

tests/test_middleware.py

@@ -11,7 +11,6 @@
     ACCESS_CONTROL_ALLOW_CREDENTIALS, ACCESS_CONTROL_ALLOW_HEADERS, ACCESS_CONTROL_ALLOW_METHODS,
     ACCESS_CONTROL_ALLOW_ORIGIN, ACCESS_CONTROL_EXPOSE_HEADERS, ACCESS_CONTROL_MAX_AGE
 )
-from tests.testapp.models import CorsModel
 
 from .utils import append_middleware, prepend_middleware, temporary_check_request_hander
 
@@ -141,37 +140,6 @@ def test_options_will_not_add_origin_when_domain_not_found_in_origin_regex_white
         resp = self.client.options('/', HTTP_ORIGIN='http://foo.example.com')
         assert ACCESS_CONTROL_ALLOW_ORIGIN not in resp
 
-    @override_settings(CORS_MODEL='testapp.CorsModel')
-    def test_get_when_custom_model_enabled(self):
-        CorsModel.objects.create(cors='http://example.com')
-        resp = self.client.get('/', HTTP_ORIGIN='http://example.com')
-        assert resp[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://example.com'
-        assert ACCESS_CONTROL_ALLOW_CREDENTIALS not in resp
-
-    @override_settings(CORS_MODEL='testapp.CorsModel')
-    def test_get_when_custom_model_enabled_without_scheme(self):
-        with warnings.catch_warnings(record=True) as warn:
-            CorsModel.objects.create(cors='example.com')
-            resp = self.client.get('/', HTTP_ORIGIN='http://example.com')
-
-            assert resp[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://example.com'
-            assert len(warn) == 1
-            assert issubclass(warn[-1].category, DeprecationWarning)
-            assert 'Passing origins without scheme will be deprecated.' in str(warn[-1].message)
-
-    @override_settings(CORS_MODEL='testapp.CorsModel')
-    def test_get_when_custom_model_enabled_with_different_scheme(self):
-        CorsModel.objects.create(cors='https://example.com')
-        resp = self.client.get('/', HTTP_ORIGIN='http://example.com')
-        assert ACCESS_CONTROL_ALLOW_ORIGIN not in resp
-
-    @override_settings(CORS_MODEL='testapp.CorsModel', CORS_ALLOW_CREDENTIALS=True)
-    def test_get_when_custom_model_enabled_and_allow_credentials(self):
-        CorsModel.objects.create(cors='http://example.com')
-        resp = self.client.get('/', HTTP_ORIGIN='http://example.com')
-        assert resp[ACCESS_CONTROL_ALLOW_ORIGIN] == 'http://example.com'
-        assert resp[ACCESS_CONTROL_ALLOW_CREDENTIALS] == 'true'
-
     def test_options(self):
         resp = self.client.options(
             '/',
@@ -190,22 +158,6 @@ def test_options_no_header(self):
         resp = self.client.options('/')
         assert resp.status_code == 404
 
-    @override_settings(CORS_MODEL='testapp.CorsModel')
-    def test_options_when_custom_model_enabled(self):
-        CorsModel.objects.create(cors='http://example.com')
-        resp = self.client.options(
-            '/',
-            HTTP_ORIGIN='http://example.com',
-            HTTP_ACCESS_CONTROL_REQUEST_METHOD='value',
-        )
-        assert ACCESS_CONTROL_ALLOW_HEADERS in resp
-
-    @override_settings(CORS_MODEL='testapp.CorsModel')
-    def test_process_response_when_custom_model_enabled(self):
-        CorsModel.objects.create(cors='http://foo.google.com')
-        response = self.client.get('/', HTTP_ORIGIN='http://foo.google.com')
-        assert response.get(ACCESS_CONTROL_ALLOW_ORIGIN, None) == 'http://foo.google.com'
-
     @override_settings(
         CORS_ALLOW_CREDENTIALS=True,
         CORS_ORIGIN_ALLOW_ALL=True,