diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 9d707a533..73aecad7a 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -356,9 +356,18 @@ CSP_FORM_ACTION = allowed_sources
 # strict CSP by allowing scripts to run from their domain
 # and inline with a nonce, as well as allowing connections back to their domain.
 # Note: If needed, we can embed chart.js instead of using the CDN
-CSP_SCRIPT_SRC_ELEM = ["'self'", "https://www.googletagmanager.com/", "https://cdn.jsdelivr.net/npm/chart.js"]
-CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/"]
-CSP_INCLUDE_NONCE_IN = ["script-src-elem"]
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_STYLE_SRC = ["'self'", "https://www.ssa.gov/accessibility/andi/andi.css"]
+CSP_SCRIPT_SRC_ELEM = [
+    "'self'",
+    "https://www.googletagmanager.com/",
+    "https://cdn.jsdelivr.net/npm/chart.js",
+    "https://www.ssa.gov",
+    "https://ajax.googleapis.com",
+]
+CSP_CONNECT_SRC = ["'self'", "https://www.google-analytics.com/", "https://www.ssa.gov/accessibility/andi/andi.js"]
+CSP_INCLUDE_NONCE_IN = ["script-src-elem", "style-src"]
+CSP_IMG_SRC = ["'self'", "https://www.ssa.gov/accessibility/andi/icons/"]
 
 # Cross-Origin Resource Sharing (CORS) configuration
 # Sets clients that allow access control to manage.get.gov
diff --git a/src/registrar/config/urls.py b/src/registrar/config/urls.py
index 59f52cd95..413449896 100644
--- a/src/registrar/config/urls.py
+++ b/src/registrar/config/urls.py
@@ -65,6 +65,11 @@ urlpatterns = [
         views.PortfolioDomainsView.as_view(),
         name="domains",
     ),
+    path(
+        "no-organization-domains/",
+        views.PortfolioNoDomainsView.as_view(),
+        name="no-portfolio-domains",
+    ),
     path(
         "requests/",
         views.PortfolioDomainRequestsView.as_view(),
diff --git a/src/registrar/registrar_middleware.py b/src/registrar/registrar_middleware.py
index 2af331bc9..3bcb1dc23 100644
--- a/src/registrar/registrar_middleware.py
+++ b/src/registrar/registrar_middleware.py
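Review bot: The new `CSP_SCRIPT_SRC_ELEM` entries `"https://www.ssa.gov"` and `"https://ajax.googleapis.com"` allowlist entire origins, so any script served from either host may execute in the page, which is far broader than the single ANDI loader that the neighbouring `andi.css`, `andi.js` and `icons/` entries are scoped to. Narrow them to the exact resources the tool loads, e.g. `"https://www.ssa.gov/accessibility/andi/andi.js"` and `"https://ajax.googleapis.com/<exact-script-path>"` (placeholder; take the URL from the tool's loader), and add a comment above the list recording why each third-party host is trusted, since the existing comment only explains chart.js. `andi.js` is also added to `CSP_CONNECT_SRC`; if it is only ever loaded as a script element rather than fetched over XHR/fetch, that entry is unnecessary and can be dropped.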
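Review bot: The new route's path `"no-organization-domains/"` and its name `"no-portfolio-domains"` use different nouns for the same concept, while the sibling entries keep path and name aligned (`"requests/"` with `PortfolioDomainRequestsView`, `name="domains"` with `PortfolioDomainsView`); use one term in both, e.g. `"no-portfolio-domains/"`. `PortfolioNoDomainsView` is defined outside this diff; because the middleware change in this same commit redirects users lacking the domains permission to this route, it should presumably apply the same portfolio-access check as `PortfolioDomainsView`, otherwise the page is reachable by users with no portfolio at all — worth confirming in the view.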
@@ -151,8 +151,7 @@ class CheckPortfolioMiddleware:
             if request.user.has_domains_portfolio_permission():
                 portfolio_redirect = reverse("domains")
             else:
-                # View organization is the lowest access
-                portfolio_redirect = reverse("organization")
+                portfolio_redirect = reverse("no-portfolio-domains")
             return HttpResponseRedirect(portfolio_redirect)
diff --git a/src/registrar/templates/includes/domains_table.html b/src/registrar/templates/includes/domains_table.html
index 73331c3f0..d3d7317f2 100644
--- a/src/registrar/templates/includes/domains_table.html
+++ b/src/registrar/templates/includes/domains_table.html
@@ -5,16 +5,16 @@
{% comment %} Stores the json endpoint in a url for easier access {% endcomment %} {% url 'get_domains_json' as url %} -
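Review bot: The `else:` branch now redirects to `reverse("no-portfolio-domains")`, but the comment that explained the fallback was removed together with `reverse("organization")`, leaving no hint why this route is the lowest-access landing page; restore a one-liner such as `# Lowest-access landing: portfolio members without the domains permission`. The enclosing method and the `CheckPortfolioMiddleware` class begin and end outside this hunk, so it is not visible whether this branch is already guarded by a portfolio-membership check; if it is not, confirm that the target view enforces one itself rather than relying on the redirect.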
-
- {% if not has_domains_portfolio_permission %} +
+
+ {% if not portfolio %}

Domains

{% else %} {% endif %} -