diff --git a/seatable_thumbnail/permissions.py b/seatable_thumbnail/permissions.py
index 991d7bc..2694d1e 100644
--- a/seatable_thumbnail/permissions.py
+++ b/seatable_thumbnail/permissions.py
@@ -38,13 +38,15 @@ def set_cache_permission(self):
 def has_dtable_asset_read_permission(self):
 # four ways to access asset
- # 1. through external link to get image
+ # 1. through external link or external app to get image
 # 2. through collection table to get image
 # 3. through dtable perm, including dtable share, dtable custom share
 # 4. through view share perm
 if self.can_access_image_through_external_link():
 return True
+ if self.can_access_image_through_external_app():
+ return True
 if self.has_collection_table_permission():
 return True
 if self.check_dtable_permission():
@@ -62,6 +64,14 @@ def can_access_image_through_external_link(self):
 return self.external_link['dtable_uuid'] == self.dtable_uuid
+ def can_access_image_through_external_app(self):
+ if not hasattr(self, 'external_app'):
+ return False
+ if not self.external_app.get('dtable_uuid'):
+ return False
+
+ return self.external_app['dtable_uuid'] == self.dtable_uuid
+
 def has_collection_table_permission(self):
 if not hasattr(self, 'collection_table'):
 return False
diff --git a/seatable_thumbnail/serializers.py b/seatable_thumbnail/serializers.py
index a52cc5a..7ace092 100644
--- a/seatable_thumbnail/serializers.py
+++ b/seatable_thumbnail/serializers.py
@@ -51,10 +51,11 @@ def session_check(self):
 username = self.session_data.get('_auth_user_name')
 external_link = self.session_data.get('external_link')
 collection_table = self.session_data.get('collection_table')
+ external_app = self.session_data.get('external_app')
 if username:
 self.session_data['username'] = username
- if not username and not external_link and not collection_table:
+ if not username and not external_link and not collection_table or not external_app:
 raise AssertionError(400, 'django session invalid.')
 def get_enable_file_type(self):
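Review bot: In the new `can_access_image_through_external_app` (permissions.py, second hunk), `hasattr(self, 'external_app')` only proves the attribute exists, so if it is ever assigned `None` the following `self.external_app.get('dtable_uuid')` raises AttributeError instead of denying access. Where the attribute is set is outside this diff, so this may not be reachable. A tolerant form would be `external_app = getattr(self, 'external_app', None) or {}` followed by `return bool(external_app.get('dtable_uuid')) and external_app['dtable_uuid'] == self.dtable_uuid`. The check also authorizes on a base-UUID match alone, so a docstring such as `"""Allow read when the session's external app belongs to this base; grants access to every image in the base."""` would let reviewers confirm that scope is intended.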
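Review bot: In `session_check` (serializers.py), the new condition `not username and not external_link and not collection_table or not external_app` parses as `(not username and not external_link and not collection_table) or (not external_app)`, because `and` binds tighter than `or`. Every session without `external_app` is therefore rejected with 'django session invalid.', including ordinary logged-in users, external-link sessions and collection-table sessions. The new clause should be joined with `and`, most readably as `if not (username or external_link or collection_table or external_app):`. A test with a username-only session and one with an external-app-only session would pin both directions. The body of `session_check` starts outside the hunk.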