Fix 2455: Check auth for pictrs when instance is private. (#2477)

* Fix 2455: Check auth for pictrs when instance is private. * Update, no utils function, use of existing get_local_user_view_from_jwt * rustup toolchain install nightly (ftw)
2 years ago · 7aa6d6b3e1
parent 6aa9bdebae
commit 7aa6d6b3e1
1 changed files with 18 additions and 0 deletions
--- a/crates/routes/src/images.rs
+++ b/crates/routes/src/images.rs
@ -11,6 +11,8 @@ use actix_web::{
  HttpResponse,
 };
 use futures::stream::{Stream, StreamExt};
+use lemmy_api_common::utils::{blocking, get_local_user_view_from_jwt};
+use lemmy_db_schema::source::site::Site;
 use lemmy_utils::{claims::Claims, rate_limit::RateLimit, REQWEST_TIMEOUT};
 use lemmy_websocket::LemmyContext;
 use reqwest::Body;
@ -123,6 +125,22 @@ async fn full_res(
  client: web::Data<ClientWithMiddleware>,
  context: web::Data<LemmyContext>,
 ) -> Result<HttpResponse, Error> {
+  // block access to images if instance is private and unauthorized, public
+  let site = blocking(context.pool(), Site::read_local_site).await?;
+  // The site might not be set up yet
+  if let Ok(site) = site {
+    if site.private_instance {
+      let jwt = req
+        .cookie("jwt")
+        .expect("No auth header for picture access");
+      if get_local_user_view_from_jwt(jwt.value(), context.pool(), context.secret())
+        .await
+        .is_err()
+      {
+        return Ok(HttpResponse::Unauthorized().finish());
+      };
+    }
+  }
  let name = &filename.into_inner();

  // If there are no query params, the URL is original