fix: enhance authentication fallback for protected media access

2026-03-24 09:11:43 -04:00 · 2026-03-17 09:22:45 -04:00
parent d93027ac1e
commit b15724f021
1 changed files with 14 additions and 1 deletions
--- a/backend/server/main/views.py
+++ b/backend/server/main/views.py
@@ -19,7 +19,20 @@ def serve_protected_media(request, path):
    if any([path.startswith(protected_path) for protected_path in protected_paths]):
        image_id = path.split('/')[1]
        user = request.user
-        media_type =  path.split('/')[0] + '/'
+
+        # Session auth won't populate request.user for API key requests, so
+        # attempt API key authentication as a fallback.
+        if not user.is_authenticated:
+            from users.authentication import APIKeyAuthentication
+            from rest_framework.exceptions import AuthenticationFailed
+            try:
+                result = APIKeyAuthentication().authenticate(request)
+                if result is not None:
+                    user, _ = result
+            except AuthenticationFailed:
+                return HttpResponseForbidden()
+
+        media_type = path.split('/')[0] + '/'
        if checkFilePermission(image_id, user, media_type):
            if settings.DEBUG:
                # In debug mode, serve the file directly