From 93c476013f0183fec270309f0ebb7b9df65d17f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Desfr=C3=AAnes?=
 <mickael.desfrenes@unicaen.fr>
Date: Tue, 8 Apr 2025 08:10:31 +0200
Subject: [PATCH] respect api_item is_public in IIIF view

---
 pount/apps/iiif/views.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pount/apps/iiif/views.py b/pount/apps/iiif/views.py
index bc175f7a..d9161027 100644
--- a/pount/apps/iiif/views.py
+++ b/pount/apps/iiif/views.py
@@ -62,12 +62,14 @@ class IIIFProxyView(ProxyView):
         self.http = urllib3.PoolManager(maxsize=100)
 
     def dispatch(self, request, *args, **kwargs):
+        file_id = request.path.lstrip("iiif/3").split(".tiled.tif")[0]
+        file = get_object_or_404(MediaFile, id=file_id)
+        if file.item.is_public:
+            return super().dispatch(request, *args, **kwargs)
         try:
             response = JWT_authenticator.authenticate(request)
             if response is not None:
                 user, _ = response
-                file_id = request.path.lstrip("iiif/3").split(".tiled.tif")[0]
-                file = get_object_or_404(MediaFile, id=file_id)
                 if user.has_perm(ITEM_VIEW, file.item):
                     return super().dispatch(request, *args, **kwargs)
         except InvalidToken:
-- 
GitLab