From 93c476013f0183fec270309f0ebb7b9df65d17f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Desfr=C3=AAnes?= <mickael.desfrenes@unicaen.fr>
Date: Tue, 8 Apr 2025 08:10:31 +0200
Subject: [PATCH] respect api_item is_public in IIIF view
---
 pount/apps/iiif/views.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pount/apps/iiif/views.py b/pount/apps/iiif/views.py
index bc175f7a..d9161027 100644
--- a/pount/apps/iiif/views.py
+++ b/pount/apps/iiif/views.py
@@ -62,12 +62,14 @@ class IIIFProxyView(ProxyView):
 self.http = urllib3.PoolManager(maxsize=100)

 def dispatch(self, request, *args, **kwargs):
+ file_id = request.path.lstrip("iiif/3").split(".tiled.tif")[0]
+ file = get_object_or_404(MediaFile, id=file_id)
+ if file.item.is_public:
+ return super().dispatch(request, *args, **kwargs)
 try:
 response = JWT_authenticator.authenticate(request)
 if response is not None:
 user, _ = response
- file_id = request.path.lstrip("iiif/3").split(".tiled.tif")[0]
- file = get_object_or_404(MediaFile, id=file_id)
 if user.has_perm(ITEM_VIEW, file.item):
 return super().dispatch(request, *args, **kwargs)
 except InvalidToken:
-- 
GitLab
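Review bot: `request.path.lstrip("iiif/3")` on the first added line strips any leading run of the characters `i`, `f`, `/` and `3` rather than the literal prefix, so an id that begins with `3` or `f` (likely if ids are hex UUIDs) is truncated and the `is_public` decision is made on a different string than the path the proxy forwards. Because this lookup now runs before authentication and gates an unauthenticated pass-through, the id should be parsed exactly, e.g. `file_id = request.path.removeprefix("/iiif/3/").split(".tiled.tif")[0]` (assuming that is the mounted prefix), or taken from the URL kwargs if the route captures it. Moving `get_object_or_404` ahead of the JWT check also lets an anonymous client tell a missing file (404) from an existing private one, which presumably gets a different status from the part of `dispatch` that continues below this hunk; returning the same status for both would avoid that disclosure.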