From 7aa6d6b3e1f5b102c69e8f3ce726e1e48778a852 Mon Sep 17 00:00:00 2001
From: sam365724 <111515092+sam365724@users.noreply.github.com>
Date: Fri, 28 Oct 2022 16:43:33 +0200
Subject: [PATCH] Fix 2455: Check auth for pictrs when instance is private. (#2477)

* Fix 2455: Check auth for pictrs when instance is private.

* Update, no utils function, use of existing get_local_user_view_from_jwt

* rustup toolchain install nightly (ftw)
---
 crates/routes/src/images.rs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/crates/routes/src/images.rs b/crates/routes/src/images.rs
index cb7187d55..78b5a8545 100644
--- a/crates/routes/src/images.rs
+++ b/crates/routes/src/images.rs
@@ -11,6 +11,8 @@ use actix_web::{
   HttpResponse,
 };
 use futures::stream::{Stream, StreamExt};
+use lemmy_api_common::utils::{blocking, get_local_user_view_from_jwt};
+use lemmy_db_schema::source::site::Site;
 use lemmy_utils::{claims::Claims, rate_limit::RateLimit, REQWEST_TIMEOUT};
 use lemmy_websocket::LemmyContext;
 use reqwest::Body;
@@ -123,6 +125,22 @@ async fn full_res(
   client: web::Data,
   context: web::Data,
 ) -> Result {
+  // block access to images if instance is private and unauthorized, public
+  let site = blocking(context.pool(), Site::read_local_site).await?;
+  // The site might not be set up yet
+  if let Ok(site) = site {
+    if site.private_instance {
+      let jwt = req
+        .cookie("jwt")
+        .expect("No auth header for picture access");
+      if get_local_user_view_from_jwt(jwt.value(), context.pool(), context.secret())
+        .await
+        .is_err()
+      {
+        return Ok(HttpResponse::Unauthorized().finish());
+      };
+    }
+  }
   let name = &filename.into_inner();
 
   // If there are no query params, the URL is original
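Review bot: The `.expect("No auth header for picture access")` on the `req.cookie("jwt")` lookup in the second hunk turns every request without a jwt cookie into a handler panic on a private instance, so an anonymous client gets a 500 (and a panic in the logs) instead of the 401 the branch right below it returns; a missing cookie should be handled the same way as an invalid token, e.g. `let jwt = match req.cookie("jwt") { Some(c) => c, None => return Ok(HttpResponse::Unauthorized().finish()) };`. The expect message also talks about an "auth header" while the code reads a cookie, so whatever text remains should say cookie. The `};` closing the inner `if` is a stray semicolon. When `Site::read_local_site` returns `Err` the whole check is skipped (fail-open), which the comment hints at but should state explicitly, e.g. `// No local site yet (instance still being set up): nothing to enforce, serve the image`. `full_res` starts before the hunk and its body continues after it.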