refactor: require auth for podcast endpoints, remove public check

surfsense_backend/app/routes/podcasts_routes.py

@@ -23,7 +23,7 @@ from app.db import (
     get_async_session,
 )
 from app.schemas import PodcastRead
-from app.users import current_active_user, current_optional_user
+from app.users import current_active_user
 from app.utils.rbac import check_permission
 
 router = APIRouter()
@@ -82,17 +82,14 @@ async def read_podcasts(
 async def read_podcast(
     podcast_id: int,
     session: AsyncSession = Depends(get_async_session),
-    user: User | None = Depends(current_optional_user),
+    user: User = Depends(current_active_user),
 ):
     """
     Get a specific podcast by ID.
 
-    Access is allowed if:
-    - User is authenticated with PODCASTS_READ permission, OR
-    - Podcast belongs to a publicly shared thread
+    Requires authentication with PODCASTS_READ permission.
+    For public podcast access, use /public/{share_token}/podcasts/{podcast_id}/stream
     """
-    from app.services.public_chat_service import is_podcast_publicly_accessible
-
     try:
         result = await session.execute(select(Podcast).filter(Podcast.id == podcast_id))
         podcast = result.scalars().first()
@@ -103,18 +100,13 @@ async def read_podcast(
                 detail="Podcast not found",
             )
 
-        is_public = await is_podcast_publicly_accessible(session, podcast_id)
-
-        if not is_public:
-            if not user:
-                raise HTTPException(status_code=401, detail="Authentication required")
-            await check_permission(
-                session,
-                user,
-                podcast.search_space_id,
-                Permission.PODCASTS_READ.value,
-                "You don't have permission to read podcasts in this search space",
-            )
+        await check_permission(
+            session,
+            user,
+            podcast.search_space_id,
+            Permission.PODCASTS_READ.value,
+            "You don't have permission to read podcasts in this search space",
+        )
 
         return PodcastRead.from_orm_with_entries(podcast)
     except HTTPException as he:
@@ -168,19 +160,16 @@ async def delete_podcast(
 async def stream_podcast(
     podcast_id: int,
     session: AsyncSession = Depends(get_async_session),
-    user: User | None = Depends(current_optional_user),
+    user: User = Depends(current_active_user),
 ):
     """
     Stream a podcast audio file.
 
-    Access is allowed if:
-    - User is authenticated with PODCASTS_READ permission, OR
-    - Podcast belongs to a publicly shared thread
+    Requires authentication with PODCASTS_READ permission.
+    For public podcast access, use /public/{share_token}/podcasts/{podcast_id}/stream
 
     Note: Both /stream and /audio endpoints are supported for compatibility.
     """
-    from app.services.public_chat_service import is_podcast_publicly_accessible
-
     try:
         result = await session.execute(select(Podcast).filter(Podcast.id == podcast_id))
         podcast = result.scalars().first()
@@ -188,19 +177,13 @@ async def stream_podcast(
         if not podcast:
             raise HTTPException(status_code=404, detail="Podcast not found")
 
-        is_public = await is_podcast_publicly_accessible(session, podcast_id)
-
-        if not is_public:
-            if not user:
-                raise HTTPException(status_code=401, detail="Authentication required")
-
-            await check_permission(
-                session,
-                user,
-                podcast.search_space_id,
-                Permission.PODCASTS_READ.value,
-                "You don't have permission to access podcasts in this search space",
-            )
+        await check_permission(
+            session,
+            user,
+            podcast.search_space_id,
+            Permission.PODCASTS_READ.value,
+            "You don't have permission to access podcasts in this search space",
+        )
 
         file_path = podcast.file_location