Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix 2455: Check auth for pictrs when instance is private. #2477

Merged
merged 3 commits into from
Oct 28, 2022
Merged

Fix 2455: Check auth for pictrs when instance is private. #2477

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3072155
Fix 2455: Check auth for pictrs when instance is private.
sam365724 Oct 3, 2022
7dac946
Update, no utils function, use of existing get_local_user_view_from_jwt
sam365724 Oct 3, 2022
f24678f
rustup toolchain install nightly (ftw)
sam365724 Oct 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions crates/routes/src/images.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ use actix_web::{
HttpResponse,
};
use futures::stream::{Stream, StreamExt};
use lemmy_api_common::utils::{blocking, get_local_user_view_from_jwt};
use lemmy_db_schema::source::site::Site;
use lemmy_utils::{claims::Claims, rate_limit::RateLimit, REQWEST_TIMEOUT};
use lemmy_websocket::LemmyContext;
use reqwest::Body;
Expand Down Expand Up @@ -123,6 +125,22 @@ async fn full_res(
client: web::Data<ClientWithMiddleware>,
context: web::Data<LemmyContext>,
) -> Result<HttpResponse, Error> {
// block access to images if instance is private and unauthorized, public
let site = blocking(context.pool(), Site::read_local_site).await?;
// The site might not be set up yet
if let Ok(site) = site {
if site.private_instance {
let jwt = req
.cookie("jwt")
.expect("No auth header for picture access");
if get_local_user_view_from_jwt(jwt.value(), context.pool(), context.secret())
.await
.is_err()
{
return Ok(HttpResponse::Unauthorized().finish());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think its better to return the Error(error::ErrorUnauthorized)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think in both cases we should return a HttpResponse. I'm not sure how to do that honestly.

Is replacing expect() with .map_err(error::ErrorUnauthorized) enough above?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I spose that's fine, althoug that actix errors are also HttpResponses.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dessalines I'm getting errors about types not being correct. I'm really unsure how to do that, and need help on those - sorry not yet familiar with those rust libs.

Copy link
Member

@dessalines dessalines Oct 3, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are other examples in this file of .map_err . If you run cargo check, it should tell you the exact error.

};
sam365724 marked this conversation as resolved.
Show resolved Hide resolved
}
}
let name = &filename.into_inner();

// If there are no query params, the URL is original
Expand Down