Implement permission checking for livestreams

477eea23 · Julian Rother · ef00c21e · 477eea23
Commit 477eea23 authored Feb 25, 2017 by Julian Rother
--- a/server.py
+++ b/server.py
@@ -559,17 +559,28 @@ def auth(): # For use with nginx auth_request
 		cookie = int(request.cookies['tracking'])
 	else:
 		cookie = random.getrandbits(8*8-1)
-	if url.endswith('jpg') or ismod() or url.startswith('pub/hls/'):
+	if url.endswith('jpg') or ismod():
 		return "OK", 200
-	perms = query('''SELECT videos.path, videos.id AS vid, perm.*
-      FROM videos
-      JOIN lectures ON (videos.lecture_id = lectures.id)
-      JOIN courses ON (lectures.course_id = courses.id)
-			LEFT JOIN perm ON ((videos.id = perm.video_id OR lectures.id = perm.lecture_id OR courses.id = perm.course_id) AND NOT perm.deleted)
-      WHERE videos.path = ?
-      AND (courses.visible AND lectures.visible AND videos.visible)
-			ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''',
-			url)
+	if url.startswith('pub/hls/'):
+		handle = url[len('pub/hls/'):].split('_')[0].split('.')[0]
+		perms = query('''SELECT perm.*
+				FROM streams
+				JOIN lectures ON (streams.lecture_id = lectures.id)
+				JOIN courses ON (lectures.course_id = courses.id)
+				LEFT JOIN perm ON ((lectures.id = perm.lecture_id OR courses.id = perm.course_id) AND NOT perm.deleted)
+				WHERE streams.handle = ?
+				AND (courses.visible AND lectures.visible AND streams.visible)
+				ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''', handle)
+	else:
+		perms = query('''SELECT videos.path, videos.id AS vid, perm.*
+				FROM videos
+				JOIN lectures ON (videos.lecture_id = lectures.id)
+				JOIN courses ON (lectures.course_id = courses.id)
+				LEFT JOIN perm ON ((videos.id = perm.video_id OR lectures.id = perm.lecture_id OR courses.id = perm.course_id) AND NOT perm.deleted)
+				WHERE videos.path = ?
+				AND (courses.visible AND lectures.visible AND videos.visible)
+				ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''',
+				url)
 	if not perms:
 		return "Not allowed", 403
 	auth = request.authorization
@@ -579,7 +590,8 @@ def auth(): # For use with nginx auth_request
 		password = auth.password
 	if checkperm(perms, username=username, password=password):
 		try:
-			modify('INSERT INTO log (id, `time`, `date`, video, source) VALUES (?, ?, ?, ?, 1)', cookie, datetime.now(), datetime.combine(date.today(), time()), perms[0]['vid'])
+			if not url.startswith('pub/hls/'):
+				modify('INSERT INTO log (id, `time`, `date`, video, source) VALUES (?, ?, ?, ?, 1)', cookie, datetime.now(), datetime.combine(date.today(), time()), perms[0]['vid'])
 		except:
 			pass
 		r = make_response('OK', 200)