Rewrote video permission checking

bc071d3e · Julian Rother · 066ffe2d · bc071d3e
Commit bc071d3e authored Oct 09, 2016 by Julian Rother
--- a/server.py
+++ b/server.py
@@ -69,6 +69,72 @@ def mod_required(func):
 			return func(*args, **kwargs)
 	return decorator

+def evalauth(auths):
+	cauths = []
+	lauths = []
+	vauths = []
+	for auth in auths:
+		if auth['course_id']:
+			cauths.append(auth)
+		elif auth['lecture_id']:
+			lauths.append(auth)
+		elif auth['video_id']:
+			vauths.append(auth)
+	if vauths:
+		return vauths
+	elif lauths:
+	 	return lauths
+	elif cauths:
+		return cauths
+	return [{'auth_type': 'public'}]
+
+@app.template_filter()
+def checkauth(auths, username=None, password=None):
+	auths = evalauth(auths)
+	for auth in auths:
+		if auth['auth_type'] == 'public':
+			return True
+		elif auth['auth_type'] == 'password':
+			if auth['auth_user'] == username and auth['auth_password'] == password:
+				return True
+		elif auth['auth_type'] == 'l2p':
+			if auth['auth_param'] in session.get('l2p_courses', []):
+				return True
+		elif auth['auth_type'] == 'rwth':
+			if session.get('rwthintern', False):
+				return True
+	return False
+
+@app.template_filter()
+def authdescr(auths):
+	auths = evalauth(auths)
+	public = False
+	password = False
+	l2p_courses = []
+	rwth_intern = False
+	for auth in auths:
+		if auth['auth_type'] == 'public':
+			public = True
+		elif auth['auth_type'] == 'password':
+			password = True
+		elif auth['auth_type'] == 'l2p':
+			l2p_courses.append(auth['auth_param'])
+		elif auth['auth_type'] == 'rwth':
+			rwth_intern = True
+	if public or not auths:
+		return 'public', 'Öffentlich verfügbar'
+	if rwth_intern:
+		if password:
+			return 'rwth', 'Nur für RWTH-Angehörige und Nutzer mit Passwort verfügbar'
+		return 'rwth', 'Nur für RWTH-Angehörige verfügbar'
+	if l2p_courses:
+		if password:
+			return 'rwth', 'Nur für Teilnehmer der Veranstaltung und Nutzer mit Passwort verfügbar'
+		return 'rwth', 'Nur für Teilnehmer der Veranstaltung verfügbar'
+	if password:
+		return 'password', 'Nur für Nutzer mit Passwort verfügbar'
+	return 'public', 'Öffentlich verfügbar'
+
 app.jinja_env.globals['navbar'] = []
 # iconlib can be 'bootstrap'
 # ( see: http://getbootstrap.com/components/#glyphicons )
@@ -361,7 +427,7 @@ def auth(): # For use with nginx auth_request
 	ip = request.headers.get('X-Real-IP', '')
 	if url.endswith('jpg'):
 		return "OK", 200
-	videos = query('''SELECT videos.path, videos.id, lectures.id AS lecture_id, courses.id AS course_id, auth.*
+	videos = query('''SELECT videos.path, videos.id, auth.*
      FROM videos
      JOIN lectures ON (videos.lecture_id = lectures.id)
      JOIN courses ON (lectures.course_id = courses.id)
@@ -372,34 +438,20 @@ def auth(): # For use with nginx auth_request
 			url, ismod())
 	if not videos:
 		return "Not allowed", 403
-	allowed = False
-	types = []
 	auth = request.authorization
-	for video in videos:
-		if videos[0] and ((videos[0]['video_id'] and not video['video_id']) \
-				or (videos[0]['lecture_id'] and not video['lecture_id'])):
-			break
-		types.append(video['auth_type'])
-		if video['auth_type'] == 'public':
-			allowed = True
-			break
-		elif video['auth_type'] == 'password':
-			if auth and video['auth_user'] == auth.username and video['auth_passwd'] == auth.password:
-				allowed = True
-				break
-		elif video['auth_type'] == 'l2p':
-			if video['auth_param'] in session.get('l2p_courses', []):
-				allowed = True
-				break
-		elif video['auth_type'] == 'rwth':
-			if session.get('rwthintern', False):
-				allowed = True
-				break
-	if not types[0] or allowed or ismod() or \
-			(auth and check_mod(*ldapauth(auth.username, auth.password))):
+	username = password = None
+	if auth:
+		username = auth.username
+		password = auth.password
+	if checkauth(videos, username=username, password=password):
 		return 'OK', 200
 		modify('INSERT INTO log VALUES (?, "", ?, "video", ?, ?)', ip, datetime.now(), videos[0]['id'], url)
-	elif 'password' in types:
+	password_auth = False
+	for video in videos:
+		if video['auth_type'] == 'password':
+			password_auth = True
+			break
+	if password_auth:
 		return Response("Login required", 401, {'WWW-Authenticate': 'Basic realm="Login Required"'})
 	return "Not allowed", 403