Always allow streaming access to publicly viewable files

app/controllers/media_controller.rb

@@ -11,10 +11,13 @@ class MediaController < ApplicationController
   end
 
   def verify_token
+    if allowed_params[:stacks_token].blank? && anonymous_ability.can?(:stream, current_media)
+      render plain: 'no token needed', status: :ok
     # the media service calling verify_token provides the end-user IP address,
     # as we care about the (user) IP address that made a request to the media service with the
     # stacks_token, not the IP address of the service checking the stacks_token.
-    if token_valid? allowed_params[:stacks_token], id, file_name, allowed_params[:user_ip]
+    elsif allowed_params[:stacks_token].present? &&
+          token_valid?(allowed_params[:stacks_token], id, file_name, allowed_params[:user_ip])
       render plain: 'valid token', status: :ok
     else
       render plain: 'invalid token', status: :forbidden

spec/controllers/media_controller_spec.rb

@@ -4,7 +4,7 @@
 
 RSpec.describe MediaController do
   let(:video) { StacksMediaStream.new(id: 'bb582xs1304', file_name: 'bb582xs1304_sl', format: 'mp4') }
-  before { stub_rights_xml(world_readable_rights_xml) }
+  before { stub_rights_xml(stanford_restricted_rights_xml) }
 
   describe '#verify_token' do
     let(:id) { 'ab123cd4567' }
@@ -70,6 +70,16 @@
         expect(response.body).to eq 'invalid token'
         expect(response.status).to eq 403
       end
+
+      context 'with a publicly accessible file' do
+        before { stub_rights_xml(world_readable_rights_xml) }
+
+        it 'allows a missing token' do
+          get :verify_token, params: valid_token.merge(stacks_token: '')
+          expect(response.body).to eq 'no token needed'
+          expect(response.status).to eq 200
+        end
+      end
     end
   end