From: Guillaume Pellerin <guillaume.pellerin@parisson.com>
Date: Mon, 12 Feb 2024 15:03:32 +0000 (+0100)
Subject: add referer to media access to avoid any downloading
X-Git-Tag: 2.9.0~37^2
X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=refs%2Fheads%2Ffeature%2Fmedia-security;p=teleforma.git

add referer to media access to avoid any downloading
---

diff --git a/teleforma/templates/teleforma/course_media.html b/teleforma/templates/teleforma/course_media.html
index e2a36774..a4833bc9 100644
--- a/teleforma/templates/teleforma/course_media.html
+++ b/teleforma/templates/teleforma/course_media.html
@@ -100,13 +100,15 @@ $(document).ready(function(){
         id="my_video_1"
         class="video-js vjs-theme-fantasy"
         controls
-        preload="auto"
+        preload="none"
         width="100%"
         height="auto"
         data-setup='{"playbackRates": [1, 1.25, 1.5, 2]}'
         {% if media.poster_file %}{% thumbnail media.poster_file '640' as im %}poster="{{ im.url }}"{% endthumbnail %}{% endif %}
         >
-        <source src="{{ MEDIA_URL }}{{ media.file }}" type="{{ media.mime_type }}" />
+        <!--<source src="{{ media_url }}{{ media.file }}" type="{{ media.mime_type }}" /> -->
+        <source src="{% url 'teleforma-media-stream' period.id media.id %}" type="{{ media.mime_type }}" />
+
         <p class="vjs-no-js">
           To view this video please enable JavaScript, and consider upgrading to a
           web browser that
diff --git a/teleforma/urls.py b/teleforma/urls.py
index 3f11100f..73a91d74 100644
--- a/teleforma/urls.py
+++ b/teleforma/urls.py
@@ -156,7 +156,7 @@ urlpatterns = [
         CourseView.as_view(),
         name="teleforma-desk-period-course"),
 
-
+    # Media
     url(r'^desk/periods/(?P<period_id>.*)/medias/transcode/(?P<pk>.*)/detail/$',
         MediaTranscodedView.as_view(), name="teleforma-media-transcoded"),
     url(r'^desk/periods/(?P<period_id>.*)/medias/transcode/(?P<pk>.*)/download/$',
diff --git a/teleforma/views/core.py b/teleforma/views/core.py
index 23af60c3..153224e2 100644
--- a/teleforma/views/core.py
+++ b/teleforma/views/core.py
@@ -683,9 +683,12 @@ class MediaView(CourseAccessMixin, DetailView):
     def stream(self, request, period_id, pk, streaming=True):
         courses = get_courses(request.user)
         media = Media.objects.get(id=pk)
-        if get_access(media, courses):
-            media_path = media.file.path
-            return serve_media(media_path, content_type=media.mime_type, streaming=streaming)
+        referer = request.META.get('HTTP_REFERER')
+        media_detail_url = request.build_absolute_uri(reverse("teleforma-media-detail", kwargs={"period_id": period_id, "pk": media.id}))
+        #print(referer)
+        #print(media_detail_url)
+        if get_access(media, courses) and referer == media_detail_url:
+            return serve_media(media.file.path, content_type=media.mime_type, streaming=streaming)
         else:
             raise Http404("You don't have access to this media.")