feat: implement protected media serving and permission checks for adventure images

2025-07-21 22:09:36 +02:00 · 2025-01-18 17:03:03 -05:00 · 2025-01-18 17:03:03 -05:00 · 433599dc20
commit 433599dc20
parent f10e171a8e
7 changed files with 130 additions and 55 deletions
--- a/backend/server/adventures/utils/check_adventure_image_permisison.py
+++ b/backend/server/adventures/utils/check_adventure_image_permisison.py
@ -0,0 +1,33 @@
+from adventures.models import AdventureImage
+
+def checkAdventureImagePermission(imageId, user):
+    """
+    Checks if the given user has permission to access the specified adventure image.
+
+    Args:
+        imageId (str): The ID of the image to check permissions for.
+        user (User): The user object to check permissions against.
+
+    Returns:
+        bool: True if the user has permission to access the image, False otherwise.
+
+    Raises:
+        AdventureImage.DoesNotExist: If the image with the specified ID does not exist.
+    """
+    try:
+        # Construct the full relative path to match the database field
+        image_path = f"images/{imageId}"
+        # Fetch the AdventureImage object
+        adventure = AdventureImage.objects.get(image=image_path).adventure
+        if adventure.is_public:
+            return True
+        elif adventure.user_id == user:
+            return True
+        elif adventure.collection:
+            if adventure.collection.shared_with.filter(id=user.id).exists():
+                return True
+        else:
+            return False
+    except AdventureImage.DoesNotExist:
+        print('No image')
+        return False