Always allow streaming access to publicly viewable files
cbeer committed Apr 16, 2020
1 parent 1a0416c commit d0e63bf
Showing 2 changed files with 15 additions and 2 deletions.
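--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -11,10 +11,12 @@ class MediaController < ApplicationController
 end
 
 def verify_token
+if allowed_params[:stacks_token].blank? && anonymous_ability.can?(:stream, current_media)
+render plain: 'no token needed', status: :ok
 # the media service calling verify_token provides the end-user IP address,
 # as we care about the (user) IP address that made a request to the media service with the
 # stacks_token, not the IP address of the service checking the stacks_token.
-if token_valid? allowed_params[:stacks_token], id, file_name, allowed_params[:user_ip]
+elsif allowed_params[:stacks_token].present? && token_valid?(allowed_params[:stacks_token], id, file_name, allowed_params[:user_ip])
 render plain: 'valid token', status: :ok
 else
 render plain: 'invalid token', status: :forbidden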
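Review bot: The new first branch of verify_token answers `no token needed` on `anonymous_ability.can?(:stream, current_media)` alone, and nothing visible in the hunk ties that ability to `allowed_params[:user_ip]`. The existing comment in the same method says the decision must be made for the end user's address rather than the calling media service's, so if anonymous_ability (defined outside the hunk) takes its location from the request, a location-restricted file could be judged anonymously streamable because of where the media service runs. I would confirm how anonymous_ability is built and record it above the `if`, e.g. `# anonymous_ability must reflect allowed_params[:user_ip], not the address of the calling service`. The IP comment block now sits between the first `render` and the `elsif`, so it reads as part of the public branch; moving it above the `if` would keep it attached to the token check it describes. The method's closing `end` lies outside the hunk.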
13 changes: 12 additions & 1 deletion spec/controllers/media_controller_spec.rb
@@ -4,7 +4,7 @@

RSpec.describe MediaController do
let(:video) { StacksMediaStream.new(id: 'bb582xs1304', file_name: 'bb582xs1304_sl', format: 'mp4') }
before { stub_rights_xml(world_readable_rights_xml) }
before { stub_rights_xml(stanford_restricted_rights_xml) }

describe '#verify_token' do
let(:id) { 'ab123cd4567' }
@@ -70,6 +70,17 @@
expect(response.body).to eq 'invalid token'
expect(response.status).to eq 403
end

context 'with a publicly accessible file' do
before { stub_rights_xml(world_readable_rights_xml) }

it 'allows a missing token' do
get :verify_token, params: valid_token.merge(stacks_token: '')
expect(response.body).to eq 'no token needed'
expect(response.status).to eq 200

end
end
end
end

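Review bot: The added context pins only the permissive path, an empty stacks_token on a world-readable file returning 200. Nothing visible in this section asserts the opposite case, that an empty token against the default `stanford_restricted_rights_xml` stub is still refused, and that is the assertion that keeps the new branch from regressing into an open bypass; the examples between the two hunks are not shown, so it may already exist. If it does not, add an example outside the public context with `get :verify_token, params: valid_token.merge(stacks_token: '')` and `expect(response.status).to eq 403`. The blank line before the new example's `end` can also be dropped.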
