diff --git a/CHANGES.txt b/CHANGES.txt
index 568dd97..5795ac9 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -6,6 +6,8 @@ $Id$
 1.1
 ---
 
+- media assets: allow for access restriction for viewing larger than a
+  given maximum size (via option ``media.unauthorized_max_size``)
 - external editor functionality: include title field in data in order to
   make it work correctly with the current version of the client module
 - suppress node view reload when node has been modified in management interface
diff --git a/media/browser/asset.py b/media/browser/asset.py
index 40caa91..978f8b9 100644
--- a/media/browser/asset.py
+++ b/media/browser/asset.py
@@ -26,6 +26,7 @@ $Id$
 
 from zope.app.pagetemplate import ViewPageTemplateFile
 from zope.cachedescriptors.property import Lazy
+from zope.security.interfaces import Unauthorized
 
 from loops.browser.node import NodeView
 from loops.browser.resource import ResourceView, resource_macros
@@ -49,6 +50,8 @@ class MediaAssetView(ResourceView):
         versionId = self.request.get('v')
         obj = self.adapted
         data = obj.getData(versionId)
+        if not self.hasImagePermission(data):
+            raise Unauthorized(str(self.contextInfo))
         contentType = obj.getContentType(versionId)
         response = self.request.response
         response.setHeader('Content-Type', contentType)
@@ -63,6 +66,21 @@ class MediaAssetView(ResourceView):
             'attachment; filename=%s' % filename)
         return data
 
+    def hasImagePermission(self, data):
+        if not 'image/' in self.context.contentType:
+            return True
+        if not self.isAnonymous:
+            # TODO: replace with real permission (loops.ViewRestrictedMedia) check
+            return True
+        maxSize = self.typeOptions('media.unauthorized_max_size')
+        if maxSize:
+            (w, h) = self.adapted.getImageSize(data=data)
+            if w > int(maxSize[0]):
+                return False
+            if len(maxSize) > 1 and h > int(maxSize[1]):
+                return False
+        return True
+
 
 class MediaAssetNodeView(NodeView):
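Review bot: The new gate before `contentType = obj.getContentType(versionId)` decides on a different content type than the one it then serves: the response header comes from the requested version, while `hasImagePermission` (defined further down in this commit) keys its `'image/'` test on the unversioned `self.context.contentType`, so a version whose type differs from the context's, or an image stored under a non-image type, is served at full size without the check. I would compute the version's type first and hand it to the helper, `contentType = obj.getContentType(versionId)` then `if not self.hasImagePermission(data, contentType):`, with the helper testing `'image/' in contentType` instead of the context attribute; the size limit is decided from the decoded bytes anyway, so deriving the type from `data` would be even more robust. Note also that the restriction is enforced only for anonymous users by design of the helper's TODO, so until the `loops.ViewRestrictedMedia` permission exists any authenticated account bypasses it, and the full asset is loaded by `getData` before the decision is made. The enclosing method's `def` line lies outside this hunk.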