- media assets: allow for access restriction for viewing larger than a

given maximum size (via option media.unauthorized_max_size)
Helmut Merz 2011-08-14 10:11:56 +02:00
parent 61a859f317
commit d1faad7e2a
2 changed files with 20 additions and 0 deletions


@ -6,6 +6,8 @@ $Id$
1.1 1.1
--- ---
- media assets: allow for access restriction for viewing larger than a
given maximum size (via option ``media.unauthorized_max_size``)
- external editor functionality: include title field in data in order to - external editor functionality: include title field in data in order to
make it work correctly with the current version of the client module make it work correctly with the current version of the client module
- suppress node view reload when node has been modified in management interface - suppress node view reload when node has been modified in management interface


@ -26,6 +26,7 @@ $Id$
from zope.app.pagetemplate import ViewPageTemplateFile from zope.app.pagetemplate import ViewPageTemplateFile
from zope.cachedescriptors.property import Lazy from zope.cachedescriptors.property import Lazy
from zope.security.interfaces import Unauthorized
from loops.browser.node import NodeView from loops.browser.node import NodeView
from loops.browser.resource import ResourceView, resource_macros from loops.browser.resource import ResourceView, resource_macros
@ -49,6 +50,8 @@ class MediaAssetView(ResourceView):
versionId = self.request.get('v') versionId = self.request.get('v')
obj = self.adapted obj = self.adapted
data = obj.getData(versionId) data = obj.getData(versionId)
if not self.hasImagePermission(data):
raise Unauthorized(str(self.contextInfo))
contentType = obj.getContentType(versionId) contentType = obj.getContentType(versionId)
response = self.request.response response = self.request.response
response.setHeader('Content-Type', contentType) response.setHeader('Content-Type', contentType)
@ -63,6 +66,21 @@ class MediaAssetView(ResourceView):
'attachment; filename=%s' % filename) 'attachment; filename=%s' % filename)
return data return data
def hasImagePermission(self, data):
if not 'image/' in self.context.contentType:
return True
if not self.isAnonymous:
# TODO: replace with real permission (loops.ViewRestrictedMedia) check
return True
maxSize = self.typeOptions('media.unauthorized_max_size')
if maxSize:
(w, h) = self.adapted.getImageSize(data=data)
if w > int(maxSize[0]):
return False
if len(maxSize) > 1 and h > int(maxSize[1]):
return False
return True
class MediaAssetNodeView(NodeView): class MediaAssetNodeView(NodeView):
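Review bot: `hasImagePermission` decides whether the size limit applies from `self.context.contentType`, but the response is served with `obj.getContentType(versionId)`, so if a version's type can differ from the context's, an image version could skip the check. Testing the served type instead, e.g. `if 'image/' not in self.adapted.getContentType(versionId): return True` with the version id passed in, would keep the check and the response consistent. The size test also fails open: if `getImageSize` returns zeros or similar for data it cannot parse (its behaviour is not visible here), anonymous users get the full data, so consider returning False when no usable size is obtained. The restriction lives only in this view method, so any other view that returns the same asset data would presumably bypass it until the TODO'd `loops.ViewRestrictedMedia` permission exists. The method containing the new `Unauthorized` check begins outside the hunk.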