From ec0bb82f3950726898df5c3dcf01b82bac68f43c Mon Sep 17 00:00:00 2001
From: Edward Oliveira
Date: Mon, 4 May 2026 14:48:43 -0300
Subject: [PATCH] Fix serve_media to allow public DocumentoAdministrativo without auth

Files under sapl/private/documentoadministrativo/ are public when the AppConfig.documentos_administrativos setting is DOC_ADM_OSTENSIVO. The previous gate blocked all sapl/private/ paths unconditionally, forcing anonymous users to log in even for ostensivo documents. _is_public_docadm() checks the cached AppConfig setting to exempt ostensivo documents while keeping proposicao and restritivo documents behind the auth redirect. Also fixes wrong import (sapl.base.apps.AppConfig is Django's app-config class; the SAPL model is in sapl.base.models).

Co-Authored-By: Claude Sonnet 4.6
---
 sapl/base/media.py | 11 ++++++++++-
 sapl/settings.py | 1 +
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/sapl/base/media.py b/sapl/base/media.py
index 535da47db..058dc87ea 100644
--- a/sapl/base/media.py
+++ b/sapl/base/media.py
@@ -44,6 +53,15 @@ def _safe_resolve(rel_path):
     return abs_path
 
 
+def _is_public_docadm(path):
+    # Documentos Administrativos são sempre salvos na pasta /private,
+    # mas podem ter acesso público liberado como OSTENSIVO ou requerer
+    # autenticacao se for DOC_ADM_RESTRITIVO
+    from sapl.base.models import AppConfig, DOC_ADM_OSTENSIVO
+    return 'documentoadministrativo' in path and \
+        AppConfig.attr('documentos_administrativos') == DOC_ADM_OSTENSIVO
+
+
 def serve_media(request, path):
     """
     Registered in sapl/urls.py for both DEBUG and production.
@@ -53,7 +62,7 @@ def serve_media(request, path):
     abs_path = _safe_resolve(path)
 
     # Auth gate for private documents — redirect to login if anonymous.
-    if path.startswith('sapl/private/'):
+    if path.startswith('sapl/private/') and not _is_public_docadm(path):
         user = getattr(request, 'user', None)
         if user is None or not user.is_authenticated:
             from django.contrib.auth.views import redirect_to_login
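Review bot: The exemption in `_is_public_docadm` is a substring test, `'documentoadministrativo' in path`, while the commit message scopes it to files under `sapl/private/documentoadministrativo/`; any other private path that merely contains that word — for instance a file under `sapl/private/proposicao/` whose name includes it, which is plausible if upload filenames are user-chosen — would be served to anonymous users whenever the global setting is ostensivo. Anchor the check to the directory prefix instead: `return path.startswith('sapl/private/documentoadministrativo/') and \` / `AppConfig.attr('documentos_administrativos') == DOC_ADM_OSTENSIVO`. Since the gate in `serve_media` only fires under `sapl/private/`, this keeps the exemption to exactly the one directory the commit describes. A regression test requesting `sapl/private/proposicao/documentoadministrativo.pdf` anonymously and expecting the login redirect would pin that.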
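Review bot: Both `path.startswith('sapl/private/')` and the new `_is_public_docadm(path)` test the raw URL `path`, but the bytes actually served come from `abs_path = _safe_resolve(path)` two lines earlier. If `_safe_resolve` normalises `..` segments rather than rejecting them (its body is outside this hunk, so I cannot tell), a request for `sapl/private/documentoadministrativo/../proposicao/<file>` satisfies both checks and serves a restricted file without login. Normalise before gating, e.g. `path = posixpath.normpath(path)` right after the `_safe_resolve` call, rejecting a result that is absolute or still starts with `..`, or have `_safe_resolve` return the normalised relative path alongside `abs_path` and gate on that. Note also that a single global `DOC_ADM_OSTENSIVO` value cannot honour a per-document restriction flag, if DocumentoAdministrativo records carry one; the rest of `serve_media` lies outside the hunk.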
diff --git a/sapl/settings.py b/sapl/settings.py
index 7c3d834ce..a44045e99 100644
--- a/sapl/settings.py
+++ b/sapl/settings.py
@@ -431,6 +431,7 @@ RATE_LIMIT_404_THRESHOLD = config('RATE_LIMIT_404_THRESHOLD', default=10, cast=i
 # it is also exempt at the nginx layer (location block with no limit_req).
 RATE_LIMIT_BYPASS_PATHS = [
     r'^/painel/\d+/dados$',
+    r'^/voto-individual/$',
 ]
 
 # API quota — daily and weekly call caps per consumer (Redis-only, no DB migration).
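Review bot: The new `r'^/voto-individual/$'` bypass is not mentioned anywhere in the commit message, which is solely about `serve_media`, so a rate-limit exemption on what looks from its name like a voting endpoint lands with no recorded justification. The comment just above says the `painel` path is also exempt at the nginx layer; if that pairing is what makes the bypass effective, the nginx location block for `/voto-individual/` needs the same change and it is not in this patch. At minimum add a why-comment next to the entry, e.g. `# /voto-individual/ is polled as frequently as /painel/<id>/dados; exempt it here and in nginx` (adjusted to the real reason), and say in the commit message whether nginx was updated. If the endpoint accepts writes rather than only reads, exempting it from rate limiting deserves its own reviewed commit.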