media: require staff login for media access

11 months ago · a2cbae2c8e
parent 7d74e5d908
commit a2cbae2c8e
3 changed files with 21 additions and 4 deletions
--- a/docker/production/nginx/kompass.nginx.conf
+++ b/docker/production/nginx/kompass.nginx.conf
@ -12,7 +12,8 @@ server {
        alias /var/www/jdav_web/static;
    }

-    location /media {
+    location /protected {
+        internal;
        alias /var/www/jdav_web/media;
    }

--- a/jdav_web/jdav_web/urls.py
+++ b/jdav_web/jdav_web/urls.py
@ -20,13 +20,13 @@ from django.conf.urls.i18n import i18n_patterns
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from django.views.generic.base import RedirectView
-
-urlpatterns = static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
+from .views import media_access

 admin.site.index_title = _('Startpage')
 admin.site.site_header = 'Kompass'

-urlpatterns += i18n_patterns(
+urlpatterns = i18n_patterns(
+    re_path(r'^media/(?P<path>.*)', media_access, name='media'),
    re_path(r'^kompass/?', admin.site.urls, name='kompass'),
    re_path(r'^jet/', include('jet.urls', 'jet')), # Django JET URLS
    re_path(r'^admin/?', RedirectView.as_view(url='/kompass')),
--- a/jdav_web/jdav_web/views.py
+++ b/jdav_web/jdav_web/views.py
@ -0,0 +1,16 @@
+from django.http import HttpResponse
+from django.views.static import serve
+from django.conf import settings
+from django.contrib.admin.views.decorators import staff_member_required
+
+@staff_member_required
+def media_access(request, path):
+    if settings.DEBUG:
+        # if DEBUG is enabled, directly serve file
+        return serve(request, path, document_root=settings.MEDIA_ROOT)
+    # otherwise create a redirect to the internal nginx endpoint at /protected
+    response = HttpResponse()
+    # Content-type will be detected by nginx
+    del response['Content-Type']
+    response['X-Accel-Redirect'] = '/protected/' + path
+    return response