oss/conduit
oss/conduit
1
0
Fork 0
mirror of https://gitlab.com/famedly/conduit.git synced 2025-06-27 16:35:59 +00:00
Code Wiki Activity

feat: freeze unauthenticated media

Browse source
This commit is contained in:
Matthias Ahouansou 2025-03-23 15:57:17 +00:00
parent 70d7f77363
commit 66a14ac802
No known key found for this signature in database
3 changed files with 57 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

31
src/api/client_server/media.rs
View file

@ -166,7 +166,13 @@ pub async fn get_content_route(
file, file,
content_disposition, content_disposition,
content_type, content_type,
} = get_content(&body.server_name, body.media_id.clone(), body.allow_remote).await?; } = get_content(
&body.server_name,
body.media_id.clone(),
body.allow_remote,
false,
)
.await?;
Ok(media::get_content::v3::Response { Ok(media::get_content::v3::Response {
file, file,
@ -182,19 +188,23 @@ pub async fn get_content_route(
pub async fn get_content_auth_route( pub async fn get_content_auth_route(
body: Ruma<get_content::v1::Request>, body: Ruma<get_content::v1::Request>,
) -> Result<get_content::v1::Response> { ) -> Result<get_content::v1::Response> {
get_content(&body.server_name, body.media_id.clone(), true).await get_content(&body.server_name, body.media_id.clone(), true, true).await
} }
async fn get_content( async fn get_content(
server_name: &ServerName, server_name: &ServerName,
media_id: String, media_id: String,
allow_remote: bool, allow_remote: bool,
authenticated: bool,
) -> Result<get_content::v1::Response, Error> { ) -> Result<get_content::v1::Response, Error> {
if let Ok(Some(FileMeta { if let Ok(Some(FileMeta {
content_disposition, content_disposition,
content_type, content_type,
file, file,
})) = services().media.get(server_name, &media_id).await })) = services()
.media
.get(server_name, &media_id, authenticated)
.await
{ {
Ok(get_content::v1::Response { Ok(get_content::v1::Response {
file, file,
@ -231,6 +241,7 @@ pub async fn get_content_as_filename_route(
body.media_id.clone(), body.media_id.clone(),
body.filename.clone(), body.filename.clone(),
body.allow_remote, body.allow_remote,
false,
) )
.await?; .await?;
@ -253,6 +264,7 @@ pub async fn get_content_as_filename_auth_route(
body.media_id.clone(), body.media_id.clone(),
body.filename.clone(), body.filename.clone(),
true, true,
true,
) )
.await .await
} }
@ -262,10 +274,14 @@ async fn get_content_as_filename(
media_id: String, media_id: String,
filename: String, filename: String,
allow_remote: bool, allow_remote: bool,
authenticated: bool,
) -> Result<get_content_as_filename::v1::Response, Error> { ) -> Result<get_content_as_filename::v1::Response, Error> {
if let Ok(Some(FileMeta { if let Ok(Some(FileMeta {
file, content_type, .. file, content_type, ..
})) = services().media.get(server_name, &media_id).await })) = services()
.media
.get(server_name, &media_id, authenticated)
.await
{ {
Ok(get_content_as_filename::v1::Response { Ok(get_content_as_filename::v1::Response {
file, file,
@ -311,6 +327,7 @@ pub async fn get_content_thumbnail_route(
body.method.clone(), body.method.clone(),
body.animated, body.animated,
body.allow_remote, body.allow_remote,
false,
) )
.await?; .await?;
@ -336,10 +353,12 @@ pub async fn get_content_thumbnail_auth_route(
body.method.clone(), body.method.clone(),
body.animated, body.animated,
true, true,
true,
) )
.await .await
} }
#[allow(clippy::too_many_arguments)]
async fn get_content_thumbnail( async fn get_content_thumbnail(
server_name: &ServerName, server_name: &ServerName,
media_id: String, media_id: String,
@ -348,6 +367,7 @@ async fn get_content_thumbnail(
method: Option<Method>, method: Option<Method>,
animated: Option<bool>, animated: Option<bool>,
allow_remote: bool, allow_remote: bool,
authenticated: bool,
) -> Result<get_content_thumbnail::v1::Response, Error> { ) -> Result<get_content_thumbnail::v1::Response, Error> {
if let Some(FileMeta { if let Some(FileMeta {
file, file,
@ -364,6 +384,7 @@ async fn get_content_thumbnail(
height height
.try_into() .try_into()
.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Height is invalid."))?, .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Height is invalid."))?,
authenticated,
) )
.await? .await?
{ {
@ -372,7 +393,7 @@ async fn get_content_thumbnail(
content_type, content_type,
content_disposition: Some(content_disposition), content_disposition: Some(content_disposition),
}) })
} else if server_name != services().globals.server_name() && allow_remote { } else if server_name != services().globals.server_name() && allow_remote && authenticated {
let thumbnail_response = match services() let thumbnail_response = match services()
.sending .sending
.send_federation_request( .send_federation_request(

3
src/api/server_server.rs
View file

@ -2227,7 +2227,7 @@ pub async fn get_content_route(
file, file,
}) = services() }) = services()
.media .media
.get(services().globals.server_name(), &body.media_id) .get(services().globals.server_name(), &body.media_id, true)
.await? .await?
{ {
Ok(get_content::v1::Response::new( Ok(get_content::v1::Response::new(
@ -2264,6 +2264,7 @@ pub async fn get_content_thumbnail_route(
body.height body.height
.try_into() .try_into()
.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Width is invalid."))?, .map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "Width is invalid."))?,
true,
) )
.await? .await?
else { else {

34
src/service/media/mod.rs
View file

@ -87,14 +87,23 @@ impl Service {
} }
/// Fetches a local file and it's metadata /// Fetches a local file and it's metadata
pub async fn get(&self, servername: &ServerName, media_id: &str) -> Result<Option<FileMeta>> { pub async fn get(
&self,
servername: &ServerName,
media_id: &str,
authenticated: bool,
) -> Result<Option<FileMeta>> {
let DbFileMeta { let DbFileMeta {
sha256_digest, sha256_digest,
filename, filename,
content_type, content_type,
unauthenticated_access_permitted: _, unauthenticated_access_permitted,
} = self.db.search_file_metadata(servername, media_id)?; } = self.db.search_file_metadata(servername, media_id)?;
if !(authenticated || unauthenticated_access_permitted) {
return Ok(None);
}
let file = get_file(&hex::encode(sha256_digest)).await?; let file = get_file(&hex::encode(sha256_digest)).await?;
Ok(Some(FileMeta { Ok(Some(FileMeta {
@ -133,17 +142,22 @@ impl Service {
media_id: &str, media_id: &str,
width: u32, width: u32,
height: u32, height: u32,
authenticated: bool,
) -> Result<Option<FileMeta>> { ) -> Result<Option<FileMeta>> {
if let Some((width, height, crop)) = self.thumbnail_properties(width, height) { if let Some((width, height, crop)) = self.thumbnail_properties(width, height) {
if let Ok(DbFileMeta { if let Ok(DbFileMeta {
sha256_digest, sha256_digest,
filename, filename,
content_type, content_type,
unauthenticated_access_permitted: _, unauthenticated_access_permitted,
}) = self }) = self
.db .db
.search_thumbnail_metadata(servername, media_id, width, height) .search_thumbnail_metadata(servername, media_id, width, height)
{ {
if !(authenticated || unauthenticated_access_permitted) {
return Ok(None);
}
// Using saved thumbnail // Using saved thumbnail
let file = get_file(&hex::encode(sha256_digest)).await?; let file = get_file(&hex::encode(sha256_digest)).await?;
@ -152,13 +166,19 @@ impl Service {
content_type, content_type,
file, file,
})) }))
} else if !authenticated {
return Ok(None);
} else if let Ok(DbFileMeta { } else if let Ok(DbFileMeta {
sha256_digest, sha256_digest,
filename, filename,
content_type, content_type,
unauthenticated_access_permitted: _, unauthenticated_access_permitted,
}) = self.db.search_file_metadata(servername, media_id) }) = self.db.search_file_metadata(servername, media_id)
{ {
if !(authenticated || unauthenticated_access_permitted) {
return Ok(None);
}
let content_disposition = content_disposition(filename.clone(), &content_type); let content_disposition = content_disposition(filename.clone(), &content_type);
// Generate a thumbnail // Generate a thumbnail
let file = get_file(&hex::encode(sha256_digest)).await?; let file = get_file(&hex::encode(sha256_digest)).await?;
@ -252,12 +272,16 @@ impl Service {
sha256_digest, sha256_digest,
filename, filename,
content_type, content_type,
unauthenticated_access_permitted: _, unauthenticated_access_permitted,
}) = self.db.search_file_metadata(servername, media_id) }) = self.db.search_file_metadata(servername, media_id)
else { else {
return Ok(None); return Ok(None);
}; };
if !(authenticated || unauthenticated_access_permitted) {
return Ok(None);
}
let file = get_file(&hex::encode(sha256_digest)).await?; let file = get_file(&hex::encode(sha256_digest)).await?;
Ok(Some(FileMeta { Ok(Some(FileMeta {