feat: implement protected media serving and permission checks for adventure images

2025-07-23 06:49:37 +02:00 · 2025-01-18 17:03:03 -05:00 · 2025-01-18 17:03:03 -05:00 · 433599dc20
commit 433599dc20
parent f10e171a8e
7 changed files with 130 additions and 55 deletions
--- a/backend/server/main/views.py
+++ b/backend/server/main/views.py
@ -1,10 +1,38 @@
 from django.http import JsonResponse
 from django.middleware.csrf import get_token
 from os import getenv
+from django.conf import settings
+from django.http import HttpResponse, HttpResponseForbidden
+from django.contrib.auth.decorators import login_required
+from django.views.static import serve
+from adventures.utils.check_adventure_image_permisison import checkAdventureImagePermission

 def get_csrf_token(request):
    csrf_token = get_token(request)
    return JsonResponse({'csrfToken': csrf_token})

 def get_public_url(request):
-    return JsonResponse({'PUBLIC_URL': getenv('PUBLIC_URL')})
+    return JsonResponse({'PUBLIC_URL': getenv('PUBLIC_URL')})
+
+def serve_protected_media(request, path):
+    if path.startswith('images/'):
+        image_id = path.split('/')[1]
+        user = request.user
+        if checkAdventureImagePermission(image_id, user):
+            if settings.DEBUG:
+                # In debug mode, serve the file directly
+                return serve(request, path, document_root=settings.MEDIA_ROOT)
+            else:
+                # In production, use X-Accel-Redirect
+                response = HttpResponse()
+                response['Content-Type'] = ''
+                response['X-Accel-Redirect'] = '/protectedMedia/' + path
+                return response
+        else:
+            return HttpResponseForbidden()
+    else:
+        response = HttpResponse()
+        response['Content-Type'] = ''
+        response['X-Accel-Redirect'] = '/protectedMedia/' + path
+        return response
+