fix(usermanager): viewing user pictures requires login

2022-12-04 22:38:50 +01:00 · 2022-12-04 22:38:50 +01:00 · c3fb28f6e4
commit c3fb28f6e4
parent a9a01e5e6f
2 changed files with 19 additions and 7 deletions
--- a/lumi2/usermanager.py
+++ b/lumi2/usermanager.py
@ -6,7 +6,8 @@ from tempfile import TemporaryFile
 from json import loads, dumps, JSONDecodeError

 from flask import (
-    Blueprint, render_template, abort, request, flash, redirect, url_for, current_app, g
+    Blueprint, render_template, abort, request, flash, redirect, url_for,
+    current_app, g, send_from_directory
 )
 from PIL import Image, UnidentifiedImageError
 from flask_wtf import FlaskForm
@ -29,7 +30,7 @@ bp = Blueprint('usermanager', __name__)
 def _init_static_images():
    """Purges and recreates the static images folder."""

-    path_to_image_cache = Path(current_app.static_folder) / "images" / "users"
+    path_to_image_cache = Path(current_app.instance_path) / "protected" / "images" / "users"
    if path_to_image_cache.is_dir():
        shutil.rmtree(path_to_image_cache)
    path_to_image_cache.mkdir(parents=True)
@ -52,6 +53,16 @@ def _initialize_ldap_dit():
    conn.unbind()


+@bp.route('/protected/<path:path_to_file>')
+@login_required
+def protected(path_to_file):
+    """Returns the specified file only if the requesting client is logged in."""
+
+    return send_from_directory(
+        Path(current_app.instance_path) / "protected", path_to_file
+    )
+
+
@bp.route('/')
 def index():
    """Home page view."""
@ -334,6 +345,7 @@ def user_delete(username: str):
    if request.method == 'POST':
        ldap.delete_user(conn, user.username)
        # FIXME delete user's static image folder!!!
+        # currently, the images are only purged on app restart
        conn.unbind()
        flash(f"The user '{user.username}' was deleted.")
        for groupname in deleted_groups:
--- a/lumi2/usermodel.py
+++ b/lumi2/usermodel.py
@ -372,8 +372,8 @@ class User:
        """Generates the static images for this User's picture on disc.

        The user's full profile picture and a thumbnail are written to
-        'static/images/user/<username>/full.jpg'
-        and 'static/images/user/<username>/thumbnail.jpg' respectively.
+        'protected/images/user/<username>/full.jpg'
+        and 'protected/images/user/<username>/thumbnail.jpg' respectively.
        The thumbnail's fixed size is 512x512 px.

        If the parameter force is set to True, existing images are overwritten.
@ -385,7 +385,7 @@ class User:
            Whether or not existing images on disk should be regenerated.
        """

-        path_to_image_folder = Path(current_app.static_folder) / "images" / "users" / self.username
+        path_to_image_folder = Path(current_app.instance_path) / "protected" / "images" / "users" / self.username
        path_to_full_image = path_to_image_folder / "full.jpg"
        path_to_thumbnail = path_to_image_folder / "thumbnail.jpg"

@ -420,13 +420,13 @@ class User:
    def get_picture_url(self):
        """Returns the URL to this user's static profile picture image file."""

-        return f'/static/images/users/{self.username}/full.jpg'
+        return f'/protected/images/users/{self.username}/full.jpg'


    def get_thumbnail_url(self):
        """Returns the URL to this user's static profile thumbnail image file."""

-        return f'/static/images/users/{self.username}/thumbnail.jpg'
+        return f'/protected/images/users/{self.username}/thumbnail.jpg'


    def get_groups(self):