fix: improve error handling for image import and permission validation

2026-05-08 23:15:11 -04:00 · 2026-04-04 22:24:43 -04:00
parent fe127b5097
commit f1548d1fb0
2 changed files with 24 additions and 5 deletions
--- a/backend/server/adventures/views/location_image_view.py
+++ b/backend/server/adventures/views/location_image_view.py
@@ -29,6 +29,17 @@ class ImageProxyThrottle(UserRateThrottle):
    scope = 'image_proxy'


+def _public_import_error_message(exc):
+    """Return a safe, user-facing import error without exposing internal details."""
+    if isinstance(exc, ValueError):
+        return "Invalid image URL"
+    if isinstance(exc, requests.exceptions.Timeout):
+        return "Download timeout"
+    if isinstance(exc, requests.exceptions.RequestException):
+        return "Failed to fetch image from the remote server"
+    return "Image import failed"
+
+
 def _is_safe_url(image_url):
    """
    Validate a URL for safe proxy use.
@@ -154,7 +165,12 @@ def import_remote_images_for_object(content_object, urls, owner=None, max_worker
                file_data = future.result()
                downloaded_results.append((index, image_url, file_data, None))
            except Exception as exc:
-                downloaded_results.append((index, image_url, None, str(exc)))
+                logger.warning(
+                    "Image import failed for URL %s",
+                    image_url,
+                    exc_info=True,
+                )
+                downloaded_results.append((index, image_url, None, _public_import_error_message(exc)))

    downloaded_results.sort(key=lambda item: item[0])

@@ -338,8 +354,8 @@ class ContentImageViewSet(viewsets.ModelViewSet):
            image_data = download_remote_image(str(image_url).strip())
            return HttpResponse(image_data['content'], content_type=image_data['content_type'], status=200)

-        except ValueError as exc:
-            return Response({"error": str(exc)}, status=status.HTTP_400_BAD_REQUEST)
+        except ValueError:
+            return Response({"error": "Invalid image URL"}, status=status.HTTP_400_BAD_REQUEST)

        except requests.exceptions.Timeout:
            logger.error("Timeout fetching image from URL %s", image_url)
--- a/backend/server/adventures/views/location_view.py
+++ b/backend/server/adventures/views/location_view.py
@@ -594,8 +594,11 @@ class LocationViewSet(viewsets.ModelViewSet):

        try:
            self._validate_collection_permissions([collection])
-        except PermissionDenied as exc:
-            return Response({"error": str(exc)}, status=status.HTTP_403_FORBIDDEN)
+        except PermissionDenied:
+            return Response(
+                {"error": "You do not have permission to add this location to the selected collection."},
+                status=status.HTTP_403_FORBIDDEN,
+            )

        return collection