Fix 2455: Check auth for pictrs when instance is private. (#2477)
* Fix 2455: Check auth for pictrs when instance is private. * Update, no utils function, use of existing get_local_user_view_from_jwt * rustup toolchain install nightly (ftw)
This commit is contained in:
parent
6aa9bdebae
commit
7aa6d6b3e1
1 changed files with 18 additions and 0 deletions
|
@ -11,6 +11,8 @@ use actix_web::{
|
||||||
HttpResponse,
|
HttpResponse,
|
||||||
};
|
};
|
||||||
use futures::stream::{Stream, StreamExt};
|
use futures::stream::{Stream, StreamExt};
|
||||||
|
use lemmy_api_common::utils::{blocking, get_local_user_view_from_jwt};
|
||||||
|
use lemmy_db_schema::source::site::Site;
|
||||||
use lemmy_utils::{claims::Claims, rate_limit::RateLimit, REQWEST_TIMEOUT};
|
use lemmy_utils::{claims::Claims, rate_limit::RateLimit, REQWEST_TIMEOUT};
|
||||||
use lemmy_websocket::LemmyContext;
|
use lemmy_websocket::LemmyContext;
|
||||||
use reqwest::Body;
|
use reqwest::Body;
|
||||||
|
@ -123,6 +125,22 @@ async fn full_res(
|
||||||
client: web::Data<ClientWithMiddleware>,
|
client: web::Data<ClientWithMiddleware>,
|
||||||
context: web::Data<LemmyContext>,
|
context: web::Data<LemmyContext>,
|
||||||
) -> Result<HttpResponse, Error> {
|
) -> Result<HttpResponse, Error> {
|
||||||
|
// block access to images if instance is private and unauthorized, public
|
||||||
|
let site = blocking(context.pool(), Site::read_local_site).await?;
|
||||||
|
// The site might not be set up yet
|
||||||
|
if let Ok(site) = site {
|
||||||
|
if site.private_instance {
|
||||||
|
let jwt = req
|
||||||
|
.cookie("jwt")
|
||||||
|
.expect("No auth header for picture access");
|
||||||
|
if get_local_user_view_from_jwt(jwt.value(), context.pool(), context.secret())
|
||||||
|
.await
|
||||||
|
.is_err()
|
||||||
|
{
|
||||||
|
return Ok(HttpResponse::Unauthorized().finish());
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
||||||
let name = &filename.into_inner();
|
let name = &filename.into_inner();
|
||||||
|
|
||||||
// If there are no query params, the URL is original
|
// If there are no query params, the URL is original
|
||||||
|
|
Loading…
Reference in a new issue