Fix public gallery media access bypass via session flag.

2026-05-07 14:02:09 +02:00 · 2026-05-07 14:02:09 +02:00 · 96afb9cc0b
commit 96afb9cc0b
parent 9ff8e969f4
3 changed files with 28 additions and 4 deletions
--- a/photo21/views.py
+++ b/photo21/views.py
@ -9,14 +9,34 @@ from django.contrib.auth import get_user_model
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import FileResponse, Http404
 from django.views.generic import ListView, View
-from photologue.models import Gallery
+from photologue.models import Gallery, Photo


 class MediaAccess(View):
    def get(self, request, path):
-        if not request.user.is_authenticated and not request.session.get('public_gallery_access'):
+        if not request.user.is_authenticated:
            from django.contrib.auth.views import redirect_to_login
-            return redirect_to_login(request.get_full_path())
+            token = request.GET.get('token')
+            if not token:
+                return redirect_to_login(request.get_full_path())
+            # Direct match (original photo file)
+            allowed = Photo.objects.filter(
+                image=path,
+                is_public=True,
+                galleries__public_token=token,
+            ).exists()
+            # Cache files (thumbnails/display) are in photos/cache/ and are
+            # derived from original photos — verify the token is valid
+            if not allowed and '/cache/' in path:
+                cache_dir = os.path.dirname(path)  # e.g. photos/cache
+                original_dir = os.path.dirname(cache_dir)  # e.g. photos
+                allowed = Photo.objects.filter(
+                    image__startswith=original_dir + '/',
+                    is_public=True,
+                    galleries__public_token=token,
+                ).exists()
+            if not allowed:
+                return redirect_to_login(request.get_full_path())
        media_root = os.path.realpath(settings.MEDIA_ROOT)
        file_path = os.path.realpath(os.path.join(media_root, path))
        if not file_path.startswith(media_root + os.sep):
--- a/photologue/templates/photologue/gallery_detail.html
+++ b/photologue/templates/photologue/gallery_detail.html
@ -91,8 +91,13 @@ SPDX-License-Identifier: GPL-3.0-or-later
    {% endif %}
    <div class="card-body p-0" id="lightgallery">
        {% for photo in photos %}
+        {% if guest_mode %}{% with t=gallery.public_token %}
+        <a class="photo-item" href="{{ photo.get_absolute_url }}" data-src="{{ photo.get_display_url }}?token={{ t }}" data-download-url="{{ photo.image.url }}?token={{ t }}" data-slide-name="{{ photo.id }}" data-owner-id="{{ photo.owner.id }}" data-is-public="{{ photo.is_public|yesno:'true,false' }}" data-width="{{ photo.image_width|default:1 }}" data-height="{{ photo.image_height|default:1 }}">
+            <img src="{{ photo.get_thumbnail_url }}?token={{ t }}" data-lazy="{{ photo.get_thumbnail_url }}?token={{ t }}" class="{% if not photo.is_public %}photo-private{% endif %}" alt="{{ photo.title }}{% if photo.date_taken %} - {{ photo.date_taken|date }} {{ photo.date_taken|time }}{% endif %}{% if photo.owner.get_full_name %} - {{ photo.owner.get_full_name }}{% else %} - {{ photo.owner.username }}{% endif %}{% if photo.license %} - {{ photo.license }}{% endif %}{% if not photo.is_public %} - !PRIVATE!{% endif %}">
+        {% endwith %}{% else %}
        <a class="photo-item" href="{{ photo.get_absolute_url }}" data-src="{{ photo.get_display_url}}" data-download-url="{{ photo.image.url }}" data-slide-name="{{ photo.id }}" data-owner-id="{{ photo.owner.id }}" data-is-public="{{ photo.is_public|yesno:'true,false' }}" data-width="{{ photo.image_width|default:1 }}" data-height="{{ photo.image_height|default:1 }}">
            <img src="{{ photo.get_thumbnail_url }}" data-lazy="{{ photo.get_thumbnail_url }}" class="{% if not photo.is_public %}photo-private{% endif %}" alt="{{ photo.title }}{% if photo.date_taken %} - {{ photo.date_taken|date }} {{ photo.date_taken|time }}{% endif %}{% if photo.owner.get_full_name %} - {{ photo.owner.get_full_name }}{% else %} - {{ photo.owner.username }}{% endif %}{% if photo.license %} - {{ photo.license }}{% endif %}{% if not photo.is_public %} - !PRIVATE!{% endif %}">
+        {% endif %}
        </a>
        {% endfor %}
    </div>
--- a/photologue/views.py
+++ b/photologue/views.py
@ -237,7 +237,6 @@ class GalleryPublicView(DetailView):
        if request.user.is_authenticated:
            gallery = self.get_object()
            return redirect("photologue:pl-gallery", slug=gallery.slug)
-        request.session['public_gallery_access'] = True
        request.guest_mode = True
        return super().get(request, *args, **kwargs)