Changed mediafile protection logic (closes #3707)
parent
198e19d3d1
commit
2220856e5d
@ -81,7 +81,7 @@ def protected_serve(request, path, document_root=None, show_indexes=False):
|
|||||||
is_special_file = mediafile.is_logo() or mediafile.is_font()
|
is_special_file = mediafile.is_logo() or mediafile.is_font()
|
||||||
is_hidden_but_no_perms = mediafile.hidden and not has_perm(request.user, 'mediafiles.can_see_hidden')
|
is_hidden_but_no_perms = mediafile.hidden and not has_perm(request.user, 'mediafiles.can_see_hidden')
|
||||||
|
|
||||||
if not can_see or (is_hidden_but_no_perms and not is_special_file):
|
if not is_special_file and (not can_see or is_hidden_but_no_perms):
|
||||||
return HttpResponseForbidden(content="Forbidden.")
|
return HttpResponseForbidden(content="Forbidden.")
|
||||||
else:
|
else:
|
||||||
return serve(request, path, document_root, show_indexes)
|
return serve(request, path, document_root, show_indexes)
|
||||||
|
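Review bot: The condition `if not is_special_file and (not can_see or is_hidden_but_no_perms):` lets any mediafile flagged as a logo or font skip both the `can_see` check and the hidden check, so the only remaining control is who may assign a file as logo or font. This assumes the second line of each printed pair is the new side, which the page does not mark. If that exemption is the intent of the commit, say so directly above the condition, e.g. `# Logos and fonts are served to every requester, regardless of can_see and hidden; access depends on who may assign them.` A regression test that requests a hidden logo and a hidden ordinary file as a user without `mediafiles.can_see_hidden` would pin both branches. The body of `protected_serve` starts outside the hunk, so how `mediafile` and `can_see` are derived from `path` cannot be checked here.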