From: sam365724 <111515092+sam365724@users.noreply.github.com> Date: Fri, 28 Oct 2022 14:43:33 +0000 (+0200) Subject: Fix 2455: Check auth for pictrs when instance is private. (#2477) X-Git-Url: http://these/git/%22https:/www.exeterceilidhs.net/%22%7B%7D/%7B%7D/%7Bcv.image_url%7D?a=commitdiff_plain;h=7aa6d6b3e1f5b102c69e8f3ce726e1e48778a852;p=lemmy.git Fix 2455: Check auth for pictrs when instance is private. (#2477) * Fix 2455: Check auth for pictrs when instance is private. * Update, no utils function, use of existing get_local_user_view_from_jwt * rustup toolchain install nightly (ftw) --- diff --git a/crates/routes/src/images.rs b/crates/routes/src/images.rs index cb7187d5..78b5a854 100644 --- a/crates/routes/src/images.rs +++ b/crates/routes/src/images.rs @@ -11,6 +11,8 @@ use actix_web::{ HttpResponse, }; use futures::stream::{Stream, StreamExt}; +use lemmy_api_common::utils::{blocking, get_local_user_view_from_jwt}; +use lemmy_db_schema::source::site::Site; use lemmy_utils::{claims::Claims, rate_limit::RateLimit, REQWEST_TIMEOUT}; use lemmy_websocket::LemmyContext; use reqwest::Body; @@ -123,6 +125,22 @@ async fn full_res( client: web::Data, context: web::Data, ) -> Result { + // block access to images if instance is private and unauthorized, public + let site = blocking(context.pool(), Site::read_local_site).await?; + // The site might not be set up yet + if let Ok(site) = site { + if site.private_instance { + let jwt = req + .cookie("jwt") + .expect("No auth header for picture access"); + if get_local_user_view_from_jwt(jwt.value(), context.pool(), context.secret()) + .await + .is_err() + { + return Ok(HttpResponse::Unauthorized().finish()); + }; + } + } let name = &filename.into_inner(); // If there are no query params, the URL is original