feat: implement protected media serving and permission checks for adventure images

backend/server/main/settings.py

@@ -157,7 +157,7 @@ STATIC_ROOT = BASE_DIR / "staticfiles"
 STATIC_URL = '/static/'
 
 MEDIA_URL = '/media/'
-MEDIA_ROOT = BASE_DIR / 'media'
+MEDIA_ROOT = BASE_DIR / 'media'  # This path must match the NGINX root
 STATICFILES_DIRS = [BASE_DIR / 'static']
 
 STORAGES = {

backend/server/main/urls.py

@@ -1,12 +1,9 @@
 from django.urls import include, re_path, path
 from django.contrib import admin
 from django.views.generic import RedirectView, TemplateView
-from django.conf import settings
-from django.conf.urls.static import static
 from users.views import IsRegistrationDisabled, PublicUserListView, PublicUserDetailView, UserMetadataView, UpdateUserMetadataView, EnabledSocialProvidersView
-from .views import get_csrf_token, get_public_url
+from .views import get_csrf_token, get_public_url, serve_protected_media
 from drf_yasg.views import get_schema_view
-
 from drf_yasg import openapi
 
 schema_view = get_schema_view(
@@ -20,6 +17,9 @@ urlpatterns = [
     path('api/', include('worldtravel.urls')),
     path("_allauth/", include("allauth.headless.urls")),
 
+    # Serve protected media files
+    re_path(r'^media/(?P<path>.*)$', serve_protected_media, name='serve-protected-media'),
+
     path('auth/is-registration-disabled/', IsRegistrationDisabled.as_view(), name='is_registration_disabled'),
     path('auth/users/', PublicUserListView.as_view(), name='public-user-list'),
     path('auth/user/<uuid:user_id>/', PublicUserDetailView.as_view(), name='public-user-detail'),
@@ -44,6 +44,5 @@ urlpatterns = [
 
     path("api/integrations/", include("integrations.urls")),
 
-    # Include the API endpoints:
-    
-] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
+    # Include the API endpoints:   
+]

backend/server/main/views.py

@@ -1,10 +1,38 @@
 from django.http import JsonResponse
 from django.middleware.csrf import get_token
 from os import getenv
+from django.conf import settings
+from django.http import HttpResponse, HttpResponseForbidden
+from django.contrib.auth.decorators import login_required
+from django.views.static import serve
+from adventures.utils.check_adventure_image_permisison import checkAdventureImagePermission
 
 def get_csrf_token(request):
     csrf_token = get_token(request)
     return JsonResponse({'csrfToken': csrf_token})
 
 def get_public_url(request):
-    return JsonResponse({'PUBLIC_URL': getenv('PUBLIC_URL')})
+    return JsonResponse({'PUBLIC_URL': getenv('PUBLIC_URL')})
+
+def serve_protected_media(request, path):
+    if path.startswith('images/'):
+        image_id = path.split('/')[1]
+        user = request.user
+        if checkAdventureImagePermission(image_id, user):
+            if settings.DEBUG:
+                # In debug mode, serve the file directly
+                return serve(request, path, document_root=settings.MEDIA_ROOT)
+            else:
+                # In production, use X-Accel-Redirect
+                response = HttpResponse()
+                response['Content-Type'] = ''
+                response['X-Accel-Redirect'] = '/protectedMedia/' + path
+                return response
+        else:
+            return HttpResponseForbidden()
+    else:
+        response = HttpResponse()
+        response['Content-Type'] = ''
+        response['X-Accel-Redirect'] = '/protectedMedia/' + path
+        return response
+