Commit 477eea23 authored by Julian Rother's avatar Julian Rother
Browse files

Implement permission checking for livestreams

parent ef00c21e
......@@ -559,17 +559,28 @@ def auth(): # For use with nginx auth_request
cookie = int(request.cookies['tracking'])
else:
cookie = random.getrandbits(8*8-1)
if url.endswith('jpg') or ismod() or url.startswith('pub/hls/'):
if url.endswith('jpg') or ismod():
return "OK", 200
perms = query('''SELECT videos.path, videos.id AS vid, perm.*
FROM videos
JOIN lectures ON (videos.lecture_id = lectures.id)
JOIN courses ON (lectures.course_id = courses.id)
LEFT JOIN perm ON ((videos.id = perm.video_id OR lectures.id = perm.lecture_id OR courses.id = perm.course_id) AND NOT perm.deleted)
WHERE videos.path = ?
AND (courses.visible AND lectures.visible AND videos.visible)
ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''',
url)
if url.startswith('pub/hls/'):
handle = url[len('pub/hls/'):].split('_')[0].split('.')[0]
perms = query('''SELECT perm.*
FROM streams
JOIN lectures ON (streams.lecture_id = lectures.id)
JOIN courses ON (lectures.course_id = courses.id)
LEFT JOIN perm ON ((lectures.id = perm.lecture_id OR courses.id = perm.course_id) AND NOT perm.deleted)
WHERE streams.handle = ?
AND (courses.visible AND lectures.visible AND streams.visible)
ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''', handle)
else:
perms = query('''SELECT videos.path, videos.id AS vid, perm.*
FROM videos
JOIN lectures ON (videos.lecture_id = lectures.id)
JOIN courses ON (lectures.course_id = courses.id)
LEFT JOIN perm ON ((videos.id = perm.video_id OR lectures.id = perm.lecture_id OR courses.id = perm.course_id) AND NOT perm.deleted)
WHERE videos.path = ?
AND (courses.visible AND lectures.visible AND videos.visible)
ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''',
url)
if not perms:
return "Not allowed", 403
auth = request.authorization
......@@ -579,7 +590,8 @@ def auth(): # For use with nginx auth_request
password = auth.password
if checkperm(perms, username=username, password=password):
try:
modify('INSERT INTO log (id, `time`, `date`, video, source) VALUES (?, ?, ?, ?, 1)', cookie, datetime.now(), datetime.combine(date.today(), time()), perms[0]['vid'])
if not url.startswith('pub/hls/'):
modify('INSERT INTO log (id, `time`, `date`, video, source) VALUES (?, ?, ?, ?, 1)', cookie, datetime.now(), datetime.combine(date.today(), time()), perms[0]['vid'])
except:
pass
r = make_response('OK', 200)
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment