From f838a71d05f21ccef5744829303a22aa751d040e Mon Sep 17 00:00:00 2001
From: Edward Oliveira <edwardr@senado.gov.br>
Date: Fri, 24 Apr 2026 18:55:16 -0300
Subject: [PATCH] Fix norma etag field and media private path

- _norma_last_modified: use ultima_edicao instead of data_ultima_atualizacao
- serve_media: gate on sapl/private/ instead of documentos_privados/
- plan: update norma freshness field reference

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 plan/RATE-LIMITER-PLAN.md | 2 +-
 sapl/base/media.py        | 4 ++--
 sapl/norma/views.py       | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/plan/RATE-LIMITER-PLAN.md b/plan/RATE-LIMITER-PLAN.md
index c7111d3ba..a49a637a7 100644
--- a/plan/RATE-LIMITER-PLAN.md
+++ b/plan/RATE-LIMITER-PLAN.md
@@ -1008,7 +1008,7 @@ class DetailView(AnonCachePageMixin, Crud.DetailView):
 ```
 
 `NormaCrud.DetailView` follows the same pattern with `_norma_last_modified` /
-`_norma_etag` querying `NormaJuridica.data_ultima_atualizacao`.
+`_norma_etag` querying `NormaJuridica.ultima_edicao`.
 
 **On a cache hit**: one `VALUES` query fires, Django returns `304` — view body,
 template render, and ORM work are all skipped.
diff --git a/sapl/base/media.py b/sapl/base/media.py
index 7b9cd5d4e..6bc8f7eff 100644
--- a/sapl/base/media.py
+++ b/sapl/base/media.py
@@ -3,7 +3,7 @@ serve_media — X-Accel-Redirect gate for all /media/ files.
 
 Production flow (nginx proxies /media/ to Gunicorn):
   1. Django middleware runs (IP rate-limit, bot UA check, etc.).
-  2. serve_media() runs auth check for documentos_privados/, writes
+  2. serve_media() runs auth check for sapl/private/, writes
      URL-path counter to Redis DB 1, then returns X-Accel-Redirect.
      Nginx serves the bytes directly from disk — Gunicorn worker freed immediately.
 
@@ -51,7 +51,7 @@ def serve_media(request, path):
     abs_path = _safe_resolve(path)
 
     # Auth gate for private documents — redirect to login if anonymous.
-    if path.startswith('documentos_privados/'):
+    if path.startswith('sapl/private/'):
         user = getattr(request, 'user', None)
         if user is None or not user.is_authenticated:
             from django.contrib.auth.views import redirect_to_login
diff --git a/sapl/norma/views.py b/sapl/norma/views.py
index 3cfba9942..0bef4a494 100644
--- a/sapl/norma/views.py
+++ b/sapl/norma/views.py
@@ -281,7 +281,7 @@ class NormaTaView(IntegracaoTaView):
 def _norma_last_modified(request, *args, **kwargs):
     return NormaJuridica.objects.filter(
         pk=kwargs['pk']
-    ).values_list('data_ultima_atualizacao', flat=True).first()
+    ).values_list('ultima_edicao', flat=True).first()
 
 
 def _norma_etag(request, *args, **kwargs):