photo26/photo21/views.py

# This file is part of photo21
# Copyright (C) 2021-2022  Amicale des élèves de l'ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

import os

from django.conf import settings
from django.contrib.auth import get_user_model
from django.contrib.auth.mixins import LoginRequiredMixin
from django.http import FileResponse, Http404
from django.views.generic import ListView, View
from photologue.models import Gallery, Photo


class MediaAccess(View):
    def get(self, request, path):
        if not request.user.is_authenticated:
            from django.contrib.auth.views import redirect_to_login
            token = request.GET.get('token')
            if not token:
                return redirect_to_login(request.get_full_path())
            # Direct match (original photo file)
            allowed = Photo.objects.filter(
                image=path,
                is_public=True,
                galleries__public_token=token,
            ).exists()
            # Cache files (thumbnails/display) are in photos/cache/ and are
            # derived from original photos — verify the token is valid
            if not allowed and '/cache/' in path:
                cache_dir = os.path.dirname(path)  # e.g. photos/cache
                original_dir = os.path.dirname(cache_dir)  # e.g. photos
                allowed = Photo.objects.filter(
                    image__startswith=original_dir + '/',
                    is_public=True,
                    galleries__public_token=token,
                ).exists()
            if not allowed:
                return redirect_to_login(request.get_full_path())
        media_root = os.path.realpath(settings.MEDIA_ROOT)
        file_path = os.path.realpath(os.path.join(media_root, path))
        if not file_path.startswith(media_root + os.sep):
            raise Http404
        if not os.path.isfile(file_path):
            raise Http404
        f = open(file_path, 'rb')
        try:
            response = FileResponse(f)
            response['Cache-Control'] = 'max-age=2678400'
            return response
        except Exception:
            f.close()
            raise


class IndexView(LoginRequiredMixin, ListView):
    queryset = Gallery.objects.all()
    paginate_by = 4
    template_name = "index.html"

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)

        # Get superusers
        user_model = get_user_model()
        superusers = user_model.objects.filter(is_superuser=True)
        context["superusers"] = superusers

        return context