From c3fb28f6e46908fe658d73c6974a8c4c8be40510 Mon Sep 17 00:00:00 2001
From: Julian Lobbes
Date: Sun, 4 Dec 2022 22:38:50 +0100
Subject: [PATCH] fix(usermanager): viewing user pictures requires login

---
 lumi2/usermanager.py | 16 ++++++++++++++--
 lumi2/usermodel.py   | 10 +++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/lumi2/usermanager.py b/lumi2/usermanager.py
index 6bfc2c3..713e607 100644
--- a/lumi2/usermanager.py
+++ b/lumi2/usermanager.py
@@ -6,7 +6,8 @@ from tempfile import TemporaryFile
 
 from json import loads, dumps, JSONDecodeError
 from flask import (
-    Blueprint, render_template, abort, request, flash, redirect, url_for, current_app, g
+    Blueprint, render_template, abort, request, flash, redirect, url_for,
+    current_app, g, send_from_directory
 )
 from PIL import Image, UnidentifiedImageError
 from flask_wtf import FlaskForm
@@ -29,7 +30,7 @@ bp = Blueprint('usermanager', __name__)
 
 def _init_static_images():
     """Purges and recreates the static images folder."""
-    path_to_image_cache = Path(current_app.static_folder) / "images" / "users"
+    path_to_image_cache = Path(current_app.instance_path) / "protected" / "images" / "users"
     if path_to_image_cache.is_dir():
         shutil.rmtree(path_to_image_cache)
     path_to_image_cache.mkdir(parents=True)
@@ -52,6 +53,16 @@ def _initialize_ldap_dit():
     conn.unbind()
 
 
+@bp.route('/protected/')
+@login_required
+def protected(path_to_file):
+    """Returns the specified file only if the requesting client is logged in."""
+
+    return send_from_directory(
+        Path(current_app.instance_path) / "protected", path_to_file
+    )
+
+
 @bp.route('/')
 def index():
     """Home page view."""
@@ -334,6 +345,7 @@ def user_delete(username: str):
     if request.method == 'POST':
         ldap.delete_user(conn, user.username)
         # FIXME delete user's static image folder!!!
+        # currently, the images are only purged on app restart
         conn.unbind()
         flash(f"The user '{user.username}' was deleted.")
         for groupname in deleted_groups:
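Review bot: The docstring of `_init_static_images` still calls the cache the "static images folder", but the new path sits under `current_app.instance_path`, which Flask does not serve, rather than under `static_folder`; suggest `"""Purges and recreates the protected user-image cache under <instance_path>/protected/images/users."""`. The function name keeps the `static` wording too; renaming it is optional but would stop the next reader from looking for these files in `static/`.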
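Review bot: The route rule `'/protected/'` as printed has no URL converter while the view takes `path_to_file`, so unless a `<path:path_to_file>` segment was lost in rendering, the decorator should read `@bp.route('/protected/<path:path_to_file>')`. `send_from_directory` resolves `path_to_file` inside `Path(current_app.instance_path) / "protected"` and refuses paths that leave it, so traversal is covered, but `login_required` is an authentication check only: every logged-in user can read every file under `protected/`, and the docstring should say so, e.g. `"""Serve a file from the instance's protected/ tree. Any logged-in user may read any file below it, so only content shared by all users belongs there."""`. `login_required` is not brought in by the import hunk above, so it is presumably imported elsewhere in the file — worth confirming, since a missing name would only surface when the module is imported. A type hint on the parameter, `def protected(path_to_file: str):`, would match `user_delete(username: str)` below.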
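Review bot: The new comment records that a deleted user's images stay on disk until restart, which now means they stay readable by every logged-in user through the `protected` view at a predictable URL; rather than defer it, remove the folder here: `shutil.rmtree(Path(current_app.instance_path) / "protected" / "images" / "users" / user.username, ignore_errors=True)` right after `ldap.delete_user(conn, user.username)`. This reuses the path that `usermodel.py` builds for the same user and, like it, relies on `user.username` being a plain path component. If the cleanup is kept deferred, the comment should at least state who can still reach the files in the meantime. `user_delete` begins outside the hunk.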
diff --git a/lumi2/usermodel.py b/lumi2/usermodel.py
index 7b3712c..8fb4dcc 100644
--- a/lumi2/usermodel.py
+++ b/lumi2/usermodel.py
@@ -372,8 +372,8 @@ class User:
         """Generates the static images for this User's picture on disc.
 
         The user's full profile picture and a thumbnail are written to
-        'static/images/user//full.jpg'
-        and 'static/images/user//thumbnail.jpg' respectively.
+        'protected/images/user//full.jpg'
+        and 'protected/images/user//thumbnail.jpg' respectively.
         The thumbnail's fixed size is 512x512 px.
         If the parameter force is set to True, existing images are overwritten.
 
@@ -385,7 +385,7 @@ class User:
             Whether or not existing images on disk should be regenerated.
         """
 
-        path_to_image_folder = Path(current_app.static_folder) / "images" / "users" / self.username
+        path_to_image_folder = Path(current_app.instance_path) / "protected" / "images" / "users" / self.username
         path_to_full_image = path_to_image_folder / "full.jpg"
         path_to_thumbnail = path_to_image_folder / "thumbnail.jpg"
 
@@ -420,13 +420,13 @@ class User:
 
     def get_picture_url(self):
         """Returns the URL to this user's static profile picture image file."""
-        return f'/static/images/users/{self.username}/full.jpg'
+        return f'/protected/images/users/{self.username}/full.jpg'
 
     def get_thumbnail_url(self):
         """Returns the URL to this user's static profile thumbnail image file."""
-        return f'/static/images/users/{self.username}/thumbnail.jpg'
+        return f'/protected/images/users/{self.username}/thumbnail.jpg'
 
     def get_groups(self):
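Review bot: The updated docstring says `'protected/images/user//full.jpg'` while the code in the next hunk joins `"users"`, and the username placeholder between the slashes is empty (possibly a `<username>` token lost in rendering); the root is also no longer a relative static path but `current_app.instance_path`. Suggest `'<instance_path>/protected/images/users/<username>/full.jpg'` and the matching thumbnail line, and dropping "static" from the summary line since these files are no longer served as static assets. The method's `def` line is outside the hunk.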
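Review bot: `self.username` is joined onto the protected image root as a bare path component, so a username containing a separator or equal to `..` would place the files outside `protected/images/users/`; this predates the commit, but the move out of `static/` makes the location matter more. Unless LDAP usernames are validated elsewhere to be a single component, add a guard before the join: `if Path(self.username).parts != (self.username,) or self.username == "..": raise ValueError(f"unsafe username: {self.username!r}")`. The URL helpers later in the file interpolate the same value, so the check could instead live where `username` is assigned. The method starts and ends outside the hunk.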