SPDT
/
sapl
mirror of https://github.com/interlegis/sapl.git
5
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Fix serve_media to allow public DocumentoAdministrativo without auth 

Files under sapl/private/documentoadministrativo/ are public when the
AppConfig.documentos_administrativos setting is DOC_ADM_OSTENSIVO. The
previous gate blocked all sapl/private/ paths unconditionally, forcing
anonymous users to log in even for ostensivo documents.

_is_public_docadm() checks the cached AppConfig setting to exempt
ostensivo documents while keeping proposicao and restritivo documents
behind the auth redirect. Also fixes wrong import (sapl.base.apps.AppConfig
is Django's app-config class; the SAPL model is in sapl.base.models).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
rate-limiter-2026
Edward Ribeiro 21 hours ago
parent
7bbf1e5696
commit
ec0bb82f39
2 changed files with 11 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      sapl/base/media.py
  2. 1
      sapl/settings.py

11
sapl/base/media.py
View File

@ -44,6 +44,15 @@ def _safe_resolve(rel_path):
return abs_path
def _is_public_docadm(path):
# Documentos Administrativos são sempre salvos na pasta /private,
# mas podem ter acesso público liberado como OSTENSIVO ou requerer
# autenticacao se for DOC_ADM_RESTRITIVO
from sapl.base.models import AppConfig, DOC_ADM_OSTENSIVO
return 'documentoadministrativo' in path and \
AppConfig.attr('documentos_administrativos') == DOC_ADM_OSTENSIVO
def serve_media(request, path):
"""
Registered in sapl/urls.py for both DEBUG and production.
@ -53,7 +62,7 @@ def serve_media(request, path):
abs_path = _safe_resolve(path)
# Auth gate for private documents — redirect to login if anonymous.
if path.startswith('sapl/private/'):
if path.startswith('sapl/private/') and not _is_public_docadm(path):
user = getattr(request, 'user', None)
if user is None or not user.is_authenticated:
from django.contrib.auth.views import redirect_to_login

1
sapl/settings.py
View File

@ -431,6 +431,7 @@ RATE_LIMIT_404_THRESHOLD = config('RATE_LIMIT_404_THRESHOLD', default=10, cast=i
# it is also exempt at the nginx layer (location block with no limit_req).
RATE_LIMIT_BYPASS_PATHS = [
r'^/painel/\d+/dados$',
r'^/voto-individual/$',
]
# API quota — daily and weekly call caps per consumer (Redis-only, no DB migration).

Write Preview
Loading…
Cancel
Save