From 11ec3eb446a1208c62bbf83fef5a330ca5c51352 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20K=C3=BCnzel?= <simonk@fsmpi.rwth-aachen.de>
Date: Fri, 2 May 2025 03:05:18 +0200
Subject: [PATCH] Return 401 for internal auth if lecture is not found

---
 api/src/api/routes/resources.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/api/src/api/routes/resources.py b/api/src/api/routes/resources.py
index 68c7e75..ea478f2 100644
--- a/api/src/api/routes/resources.py
+++ b/api/src/api/routes/resources.py
@@ -21,7 +21,7 @@ if _FILE_URI_PREFIX_PATH is None:
 _API_RESOURCE_RATE_LIMITERS = create_configured_host_rate_limiters("resources", api.config["API_RESOURCES_RATE_LIMIT"])
 
 
-def _check_access_medium_file(course_handle: str, medium_file_id: int) -> MediumFile:
+def _check_access_medium_file(course_handle: str, medium_file_id: int, not_found_as_unauthorized: bool = False) -> MediumFile:
     is_mod = is_moderator()
     medium_file = database.query_one_or_none_and_expunge(
         MediumFile.select(
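Review bot: The new `not_found_as_unauthorized` flag in the signature can be passed positionally, so a later call like `_check_access_medium_file(handle, file_id, True)` would silently change which error an access check returns. Making it keyword-only keeps that choice visible at every call site: `def _check_access_medium_file(course_handle: str, medium_file_id: int, *, not_found_as_unauthorized: bool = False) -> MediumFile:`. The one call shown in this patch already passes it by keyword, so nothing visible breaks. The function also has no docstring; one sentence saying the flag exists for the internal auth check and why that caller needs ERROR_UNAUTHORIZED would help. The function body continues outside this hunk.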
@@ -40,7 +40,10 @@ def _check_access_medium_file(course_handle: str, medium_file_id: int) -> Medium
         medium_file = None
     
     if medium_file is None:
-        raise ApiClientException(ERROR_UNKNOWN_OBJECT_OR_NO_ACCESS)
+        if not_found_as_unauthorized:
+            raise ApiClientException(ERROR_UNAUTHORIZED)
+        else:
+            raise ApiClientException(ERROR_UNKNOWN_OBJECT_OR_NO_ACCESS)
     
     if not are_view_permissions_fulfilled(medium_file.lecture.effective_view_permissions):
         raise ApiClientException(ERROR_UNAUTHORIZED)
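Review bot: With the flag at its default, the two failure branches here still answer differently: a missing file raises ERROR_UNKNOWN_OBJECT_OR_NO_ACCESS, while a file that exists but fails `are_view_permissions_fulfilled` raises ERROR_UNAUTHORIZED. A caller without access can therefore tell an existing restricted medium file from a nonexistent id. If that is deliberate, for example so clients can prompt for login, say so next to the permission check with a comment such as `# deliberately distinct from the not-found error so clients can prompt for authentication`; otherwise both branches should raise the same error. The conditions that set `medium_file = None` are outside this hunk, so some no-access cases may already be folded into the not-found branch.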
@@ -99,7 +102,7 @@ def api_route_resource_internal_auth_check():
     except ValueError:
         raise ApiClientException(ERROR_REQUEST_INVALID_PARAMETER("URL.co_ha", "Unable to parse handle"))
 
-    medium_file = _check_access_medium_file(course_handle, medium_file_id)
+    medium_file = _check_access_medium_file(course_handle, medium_file_id, not_found_as_unauthorized=True)
     
     if url_result.path != f"{_FILE_URI_PREFIX_PATH}/{medium_file.file_path}":
         raise ApiClientException(ERROR_BAD_REQUEST("Url does not match medium location"))
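Review bot: After this change the internal auth check can still end in a non-401 error: the handle parse failure above raises ERROR_REQUEST_INVALID_PARAMETER and the path mismatch below raises ERROR_BAD_REQUEST. The commit subject suggests the component calling this endpoint needs ERROR_UNAUTHORIZED to deny a request, though that caller is not visible here. If so, a URL that does not match the stored `file_path` should also be denied with `raise ApiClientException(ERROR_UNAUTHORIZED)`, or the route should document which error codes the caller handles and how. A test covering the mismatch and the unparsable-handle cases through this route would pin the intended behaviour. The route function starts outside this hunk.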
-- 
GitLab