diff --git a/src/c3nav/editor/urls.py b/src/c3nav/editor/urls.py
index 9c3a592f..36f136de 100644
--- a/src/c3nav/editor/urls.py
+++ b/src/c3nav/editor/urls.py
@@ -3,7 +3,7 @@ from django.conf.urls import url
 from c3nav.editor.views.account import change_password_view, login_view, logout_view, register_view
 from c3nav.editor.views.changes import changeset_detail, changeset_edit
-from c3nav.editor.views.edit import edit, graph_edit, level_detail, list_objects, main_index, space_detail
+from c3nav.editor.views.edit import edit, graph_edit, level_detail, list_objects, main_index, sourceimage, space_detail
 from c3nav.editor.views.users import user_detail
@@ -41,6 +41,7 @@ urlpatterns = [
 url(r'^spaces/(?Pc?[0-9]+)/graph/$', graph_edit, name='editor.spaces.graph'),
 url(r'^changesets/(?P[0-9]+)/$', changeset_detail, name='editor.changesets.detail'),
 url(r'^changesets/(?P[0-9]+)/edit$', changeset_edit, name='editor.changesets.edit'),
+ url(r'^sourceimage/(?P[^/]+)$', sourceimage, name='editor.sourceimage'),
 url(r'^users/(?P[0-9]+)/$', user_detail, name='editor.users.detail'),
 url(r'^login$', login_view, name='editor.login'),
 url(r'^logout$', logout_view, name='editor.logout'),
diff --git a/src/c3nav/editor/views/edit.py b/src/c3nav/editor/views/edit.py
index 9a0acf99..24b0b3f2 100644
--- a/src/c3nav/editor/views/edit.py
+++ b/src/c3nav/editor/views/edit.py
@@ -1,12 +1,16 @@
+import mimetypes
+import os
 import typing
 from contextlib import suppress
+from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.views import redirect_to_login
 from django.core.cache import cache
-from django.core.exceptions import FieldDoesNotExist, ObjectDoesNotExist
+from django.core.exceptions import FieldDoesNotExist, ObjectDoesNotExist, PermissionDenied
 from django.db import IntegrityError, models
 from django.db.models import Q
+from django.http import Http404, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.translation import ugettext_lazy as _
@@ -15,6 +19,7 @@ from django.views.decorators.http import etag
 from c3nav.editor.forms import GraphEdgeSettingsForm, GraphEditorActionForm
 from c3nav.editor.views.base import etag_func, sidebar_view
 from c3nav.mapdata.models.access import AccessPermission
+from c3nav.mapdata.utils.user import can_access_editor
 def child_model(request, model: typing.Union[str, models.Model], kwargs=None, parent=None):
@@ -625,3 +630,17 @@ def graph_edit(request, level=None, space=None):
 })
 return render(request, 'editor/graph.html', ctx)
+
+
+def sourceimage(request, filename):
+ if not request.user.is_superuser:
+ raise PermissionDenied
+
+ if not can_access_editor(request):
+ return PermissionDenied
+
+ try:
+ return HttpResponse(open(os.path.join(settings.SOURCES_ROOT, filename), 'rb'),
+ content_type=mimetypes.guess_type(filename)[0])
+ except FileNotFoundError:
+ raise Http404
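Review bot: The second guard in `sourceimage` returns the exception class instead of raising it, so a superuser for whom `can_access_editor` is false gets a non-response object back (most likely a server error) rather than a 403; it should be `raise PermissionDenied`. The view also relies entirely on the URL pattern to keep `filename` a single component under `settings.SOURCES_ROOT`, so resolving the joined path and checking that it is still inside the root would make the containment independent of routing. `mimetypes.guess_type` can return None, which hands the content type to the framework default, and a name that resolves to a directory raises an error the `except` does not catch; the sketch below covers both and closes the file explicitly.

```python
def sourceimage(request, filename):
    # … unchanged: superuser check …
    if not can_access_editor(request):
        raise PermissionDenied

    root = os.path.realpath(settings.SOURCES_ROOT)
    path = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, path]) != root:
        raise Http404

    try:
        with open(path, 'rb') as source:
            return HttpResponse(source.read(),
                                content_type=mimetypes.guess_type(filename)[0] or 'application/octet-stream')
    except (FileNotFoundError, IsADirectoryError):
        raise Http404
```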