HttpResponse,
};
use futures::stream::{Stream, StreamExt};
-use lemmy_utils::{claims::Claims, rate_limit::RateLimit, REQWEST_TIMEOUT};
-use lemmy_websocket::LemmyContext;
+use lemmy_api_common::{context::LemmyContext, utils::local_user_view_from_jwt};
+use lemmy_db_schema::source::local_site::LocalSite;
+use lemmy_utils::{claims::Claims, rate_limit::RateLimitCell, REQWEST_TIMEOUT};
use reqwest::Body;
use reqwest_middleware::{ClientWithMiddleware, RequestBuilder};
use serde::{Deserialize, Serialize};
-pub fn config(cfg: &mut web::ServiceConfig, client: ClientWithMiddleware, rate_limit: &RateLimit) {
+pub fn config(
+ cfg: &mut web::ServiceConfig,
+ client: ClientWithMiddleware,
+ rate_limit: &RateLimitCell,
+) {
cfg
.app_data(web::Data::new(client))
.service(
client: web::Data<ClientWithMiddleware>,
context: web::Data<LemmyContext>,
) -> Result<HttpResponse, Error> {
+ // block access to images if instance is private and unauthorized, public
+ let local_site = LocalSite::read(&mut context.pool())
+ .await
+ .map_err(error::ErrorBadRequest)?;
+ if local_site.private_instance {
+ let jwt = req
+ .cookie("jwt")
+ .expect("No auth header for picture access");
+ if local_user_view_from_jwt(jwt.value(), &context)
+ .await
+ .is_err()
+ {
+ return Ok(HttpResponse::Unauthorized().finish());
+ };
+ }
let name = &filename.into_inner();
// If there are no query params, the URL is original
let mut url = format!("{}image/process.{}?src={}", pictrs_config.url, format, name,);
if let Some(size) = params.thumbnail {
- url = format!("{}&thumbnail={}", url, size,);
+ url = format!("{url}&thumbnail={size}",);
}
url
};
projects / lemmy.git / blobdiff