feat: add Attachment model and implement file permission checks for media access

2025-07-23 06:49:37 +02:00 · 2025-01-18 20:06:12 -05:00 · 2025-01-18 20:06:12 -05:00 · aa216f5688
commit aa216f5688
parent 433599dc20
7 changed files with 93 additions and 46 deletions
--- a/backend/server/main/views.py
+++ b/backend/server/main/views.py
@ -3,9 +3,8 @@ from django.middleware.csrf import get_token
 from os import getenv
 from django.conf import settings
 from django.http import HttpResponse, HttpResponseForbidden
-from django.contrib.auth.decorators import login_required
 from django.views.static import serve
-from adventures.utils.check_adventure_image_permisison import checkAdventureImagePermission
+from adventures.utils.file_permissions import checkFilePermission

 def get_csrf_token(request):
    csrf_token = get_token(request)
@ -14,16 +13,19 @@ def get_csrf_token(request):
 def get_public_url(request):
    return JsonResponse({'PUBLIC_URL': getenv('PUBLIC_URL')})

+protected_paths = ['images/', 'attachments/']
+
 def serve_protected_media(request, path):
-    if path.startswith('images/'):
+    if any([path.startswith(protected_path) for protected_path in protected_paths]):
        image_id = path.split('/')[1]
        user = request.user
-        if checkAdventureImagePermission(image_id, user):
+        media_type =  path.split('/')[0] + '/'
+        if checkFilePermission(image_id, user, media_type):
            if settings.DEBUG:
                # In debug mode, serve the file directly
                return serve(request, path, document_root=settings.MEDIA_ROOT)
            else:
-                # In production, use X-Accel-Redirect
+                # In production, use X-Accel-Redirect to serve the file using Nginx
                response = HttpResponse()
                response['Content-Type'] = ''
                response['X-Accel-Redirect'] = '/protectedMedia/' + path
@ -31,8 +33,10 @@ def serve_protected_media(request, path):
        else:
            return HttpResponseForbidden()
    else:
-        response = HttpResponse()
-        response['Content-Type'] = ''
-        response['X-Accel-Redirect'] = '/protectedMedia/' + path
-        return response
-    
+        if settings.DEBUG:
+            return serve(request, path, document_root=settings.MEDIA_ROOT)
+        else:
+            response = HttpResponse()
+            response['Content-Type'] = ''
+            response['X-Accel-Redirect'] = '/protectedMedia/' + path
+            return response