Implement permission checking for livestreams

server.py

@@ -559,8 +559,19 @@ def auth(): # For use with nginx auth_request
 		cookie = int(request.cookies['tracking'])
 	else:
 		cookie = random.getrandbits(8*8-1)
-	if url.endswith('jpg') or ismod() or url.startswith('pub/hls/'):
+	if url.endswith('jpg') or ismod():
 		return "OK", 200
+	if url.startswith('pub/hls/'):
+		handle = url[len('pub/hls/'):].split('_')[0].split('.')[0]
+		perms = query('''SELECT perm.*
+				FROM streams
+				JOIN lectures ON (streams.lecture_id = lectures.id)
+				JOIN courses ON (lectures.course_id = courses.id)
+				LEFT JOIN perm ON ((lectures.id = perm.lecture_id OR courses.id = perm.course_id) AND NOT perm.deleted)
+				WHERE streams.handle = ?
+				AND (courses.visible AND lectures.visible AND streams.visible)
+				ORDER BY perm.video_id DESC, perm.lecture_id DESC, perm.course_id DESC''', handle)
+	else:
 		perms = query('''SELECT videos.path, videos.id AS vid, perm.*
 				FROM videos
 				JOIN lectures ON (videos.lecture_id = lectures.id)
@@ -579,6 +590,7 @@ def auth(): # For use with nginx auth_request
 		password = auth.password
 	if checkperm(perms, username=username, password=password):
 		try:
+			if not url.startswith('pub/hls/'):
 				modify('INSERT INTO log (id, `time`, `date`, video, source) VALUES (?, ?, ?, ?, 1)', cookie, datetime.now(), datetime.combine(date.today(), time()), perms[0]['vid'])
 		except:
 			pass