apunkt/SurfSense
1
0
Fork 0
mirror of https://github.com/MODSetter/SurfSense.git synced 2026-04-30 03:16:25 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

refactor: require auth for podcast endpoints, remove public check

Browse source
This commit is contained in:
CREDO23 2026-01-29 20:49:05 +02:00
parent 005ceaa2e8
commit fb73a2e69f
1 changed files with 21 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

31
surfsense_backend/app/routes/podcasts_routes.py
View file

@ -23,7 +23,7 @@ from app.db import (
get_async_session, get_async_session,
) )
from app.schemas import PodcastRead from app.schemas import PodcastRead
from app.users import current_active_user, current_optional_user from app.users import current_active_user
from app.utils.rbac import check_permission from app.utils.rbac import check_permission
router = APIRouter() router = APIRouter()
@ -82,17 +82,14 @@ async def read_podcasts(
async def read_podcast( async def read_podcast(
podcast_id: int, podcast_id: int,
session: AsyncSession = Depends(get_async_session), session: AsyncSession = Depends(get_async_session),
user: User | None = Depends(current_optional_user), user: User = Depends(current_active_user),
): ):
""" """
Get a specific podcast by ID. Get a specific podcast by ID.
Access is allowed if: Requires authentication with PODCASTS_READ permission.
- User is authenticated with PODCASTS_READ permission, OR For public podcast access, use /public/{share_token}/podcasts/{podcast_id}/stream
- Podcast belongs to a publicly shared thread
""" """
from app.services.public_chat_service import is_podcast_publicly_accessible
try: try:
result = await session.execute(select(Podcast).filter(Podcast.id == podcast_id)) result = await session.execute(select(Podcast).filter(Podcast.id == podcast_id))
podcast = result.scalars().first() podcast = result.scalars().first()
@ -103,11 +100,6 @@ async def read_podcast(
detail="Podcast not found", detail="Podcast not found",
) )
is_public = await is_podcast_publicly_accessible(session, podcast_id)
if not is_public:
if not user:
raise HTTPException(status_code=401, detail="Authentication required")
await check_permission( await check_permission(
session, session,
user, user,
@ -168,19 +160,16 @@ async def delete_podcast(
async def stream_podcast( async def stream_podcast(
podcast_id: int, podcast_id: int,
session: AsyncSession = Depends(get_async_session), session: AsyncSession = Depends(get_async_session),
user: User | None = Depends(current_optional_user), user: User = Depends(current_active_user),
): ):
""" """
Stream a podcast audio file. Stream a podcast audio file.
Access is allowed if: Requires authentication with PODCASTS_READ permission.
- User is authenticated with PODCASTS_READ permission, OR For public podcast access, use /public/{share_token}/podcasts/{podcast_id}/stream
- Podcast belongs to a publicly shared thread
Note: Both /stream and /audio endpoints are supported for compatibility. Note: Both /stream and /audio endpoints are supported for compatibility.
""" """
from app.services.public_chat_service import is_podcast_publicly_accessible
try: try:
result = await session.execute(select(Podcast).filter(Podcast.id == podcast_id)) result = await session.execute(select(Podcast).filter(Podcast.id == podcast_id))
podcast = result.scalars().first() podcast = result.scalars().first()
@ -188,12 +177,6 @@ async def stream_podcast(
if not podcast: if not podcast:
raise HTTPException(status_code=404, detail="Podcast not found") raise HTTPException(status_code=404, detail="Podcast not found")
is_public = await is_podcast_publicly_accessible(session, podcast_id)
if not is_public:
if not user:
raise HTTPException(status_code=401, detail="Authentication required")
await check_permission( await check_permission(
session, session,
user, user,