app: re-enable authorization checks on static files

Image files (.png) are still granted unauthorized access, however all other files require that the request be authorized. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2021-05-20 17:07:48 -04:00 · 2021-05-20 17:07:48 -04:00 · 5d783a743a
parent c335b62d26
commit 5d783a743a
1 changed files with 10 additions and 1 deletions
--- a/moonraker/app.py
+++ b/moonraker/app.py
@ -56,6 +56,7 @@ RESERVED_ENDPOINTS = [
 # 50 MiB Max Standard Body Size
 MAX_BODY_SIZE = 50 * 1024 * 1024
 EXCLUDED_ARGS = ["_", "token", "access_token", "connection_id"]
+AUTHORIZED_EXTS = [".png"]
 DEFAULT_KLIPPY_LOG_PATH = "/tmp/klippy.log"

 class MutableRouter(tornado.web.ReversibleRuleRouter):
@ -383,7 +384,7 @@ class AuthorizedFileHandler(tornado.web.StaticFileHandler):

    def prepare(self) -> None:
        auth: AuthComp = self.server.lookup_component('authorization', None)
-        if auth is not None and self.request.method != "GET":
+        if auth is not None and self._check_need_auth():
            self.current_user = auth.check_authorized(self.request)

    def options(self, *args, **kwargs) -> None:
@ -401,6 +402,14 @@ class AuthorizedFileHandler(tornado.web.StaticFileHandler):
                traceback.format_exception(*kwargs['exc_info']))
        self.finish({'error': err})

+    def _check_need_auth(self) -> bool:
+        if self.request.method != "GET":
+            return True
+        ext = os.path.splitext(self.request.path)[-1].lower()
+        if ext in AUTHORIZED_EXTS:
+            return False
+        return True
+
 class DynamicRequestHandler(AuthorizedRequestHandler):
    def initialize(
        self,