From 2586444db235e384e9773af58ab563a24b3a033a Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Thu, 24 May 2018 21:34:59 +0200
Subject: [PATCH] Fix #229: removed last hardcoded settings to protect audio
 files

---
 api/config/settings/common.py          |  6 ----
 api/funkwhale_api/music/permissions.py |  3 --
 api/tests/music/test_permissions.py    | 29 ++++++----------
 api/tests/music/test_views.py          | 47 ++++++++++++++++++--------
 changes/changelog.d/229.bugfix         |  1 +
 demo/setup.sh                          |  2 --
 6 files changed, 44 insertions(+), 44 deletions(-)
 create mode 100644 changes/changelog.d/229.bugfix

diff --git a/api/config/settings/common.py b/api/config/settings/common.py
index 59aa93117..f376781b0 100644
--- a/api/config/settings/common.py
+++ b/api/config/settings/common.py
@@ -433,12 +433,6 @@ USE_X_FORWARDED_PORT = True
 REVERSE_PROXY_TYPE = env('REVERSE_PROXY_TYPE', default='nginx')
 assert REVERSE_PROXY_TYPE in ['apache2', 'nginx'], 'Unsupported REVERSE_PROXY_TYPE'
 
-# Wether we should check user permission before serving audio files (meaning
-# return an obfuscated url)
-# This require a special configuration on the reverse proxy side
-# See https://wellfire.co/learn/nginx-django-x-accel-redirects/ for example
-PROTECT_AUDIO_FILES = env.bool('PROTECT_AUDIO_FILES', default=True)
-
 # Which path will be used to process the internal redirection
 # **DO NOT** put a slash at the end
 PROTECT_FILES_PATH = env('PROTECT_FILES_PATH', default='/_protected')
diff --git a/api/funkwhale_api/music/permissions.py b/api/funkwhale_api/music/permissions.py
index 77f95c477..d31e1c5d5 100644
--- a/api/funkwhale_api/music/permissions.py
+++ b/api/funkwhale_api/music/permissions.py
@@ -10,9 +10,6 @@ from funkwhale_api.federation import models
 class Listen(BasePermission):
 
     def has_permission(self, request, view):
-        if not settings.PROTECT_AUDIO_FILES:
-            return True
-
         if not preferences.get('common__api_authentication_required'):
             return True
 
diff --git a/api/tests/music/test_permissions.py b/api/tests/music/test_permissions.py
index a5f0c4109..825d1731d 100644
--- a/api/tests/music/test_permissions.py
+++ b/api/tests/music/test_permissions.py
@@ -4,26 +4,17 @@ from funkwhale_api.federation import actors
 from funkwhale_api.music import permissions
 
 
-def test_list_permission_no_protect(anonymous_user, api_request, settings):
-    settings.PROTECT_AUDIO_FILES = False
+def test_list_permission_no_protect(preferences, anonymous_user, api_request):
+    preferences['common__api_authentication_required'] = False
     view = APIView.as_view()
     permission = permissions.Listen()
     request = api_request.get('/')
     assert permission.has_permission(request, view) is True
 
 
-def test_list_permission_protect_anonymous(
-        db, anonymous_user, api_request, settings):
-    settings.PROTECT_AUDIO_FILES = True
-    view = APIView.as_view()
-    permission = permissions.Listen()
-    request = api_request.get('/')
-    assert permission.has_permission(request, view) is False
-
-
 def test_list_permission_protect_authenticated(
-        factories, api_request, settings):
-    settings.PROTECT_AUDIO_FILES = True
+        factories, api_request, preferences):
+    preferences['common__api_authentication_required'] = True
     user = factories['users.User']()
     view = APIView.as_view()
     permission = permissions.Listen()
@@ -33,8 +24,8 @@ def test_list_permission_protect_authenticated(
 
 
 def test_list_permission_protect_not_following_actor(
-        factories, api_request, settings):
-    settings.PROTECT_AUDIO_FILES = True
+        factories, api_request, preferences):
+    preferences['common__api_authentication_required'] = True
     actor = factories['federation.Actor']()
     view = APIView.as_view()
     permission = permissions.Listen()
@@ -44,8 +35,8 @@ def test_list_permission_protect_not_following_actor(
 
 
 def test_list_permission_protect_following_actor(
-        factories, api_request, settings):
-    settings.PROTECT_AUDIO_FILES = True
+        factories, api_request, preferences):
+    preferences['common__api_authentication_required'] = True
     library_actor = actors.SYSTEM_ACTORS['library'].get_actor_instance()
     follow = factories['federation.Follow'](
         approved=True, target=library_actor)
@@ -58,8 +49,8 @@ def test_list_permission_protect_following_actor(
 
 
 def test_list_permission_protect_following_actor_not_approved(
-        factories, api_request, settings):
-    settings.PROTECT_AUDIO_FILES = True
+        factories, api_request, preferences):
+    preferences['common__api_authentication_required'] = True
     library_actor = actors.SYSTEM_ACTORS['library'].get_actor_instance()
     follow = factories['federation.Follow'](
         approved=False, target=library_actor)
diff --git a/api/tests/music/test_views.py b/api/tests/music/test_views.py
index 9328ba329..042c1f607 100644
--- a/api/tests/music/test_views.py
+++ b/api/tests/music/test_views.py
@@ -119,8 +119,8 @@ def test_album_view_filter_listenable(
 
 
 def test_can_serve_track_file_as_remote_library(
-        factories, authenticated_actor, settings, api_client):
-    settings.PROTECT_AUDIO_FILES = True
+        factories, authenticated_actor, api_client, settings, preferences):
+    preferences['common__api_authentication_required'] = True
     library_actor = actors.SYSTEM_ACTORS['library'].get_actor_instance()
     follow = factories['federation.Follow'](
         approved=True,
@@ -137,8 +137,8 @@ def test_can_serve_track_file_as_remote_library(
 
 
 def test_can_serve_track_file_as_remote_library_deny_not_following(
-        factories, authenticated_actor, settings, api_client):
-    settings.PROTECT_AUDIO_FILES = True
+        factories, authenticated_actor, settings, api_client, preferences):
+    preferences['common__api_authentication_required'] = True
     track_file = factories['music.TrackFile']()
     response = api_client.get(track_file.path)
 
@@ -152,12 +152,18 @@ def test_can_serve_track_file_as_remote_library_deny_not_following(
     ('nginx', '/app/music', '/_protected/music/hello/world.mp3'),
 ])
 def test_serve_file_in_place(
-        proxy, serve_path, expected, factories, api_client, settings):
+        proxy,
+        serve_path,
+        expected,
+        factories,
+        api_client,
+        preferences,
+        settings):
     headers = {
         'apache2': 'X-Sendfile',
         'nginx': 'X-Accel-Redirect',
     }
-    settings.PROTECT_AUDIO_FILES = False
+    preferences['common__api_authentication_required'] = False
     settings.PROTECT_FILE_PATH = '/_protected/music'
     settings.REVERSE_PROXY_TYPE = proxy
     settings.MUSIC_DIRECTORY_PATH = '/app/music'
@@ -179,8 +185,14 @@ def test_serve_file_in_place(
     ('nginx', '/app/music', '/_protected/music/hello/worldéà.mp3'),
 ])
 def test_serve_file_in_place_utf8(
-        proxy, serve_path, expected, factories, api_client, settings):
-    settings.PROTECT_AUDIO_FILES = False
+        proxy,
+        serve_path,
+        expected,
+        factories,
+        api_client,
+        settings,
+        preferences):
+    preferences['common__api_authentication_required'] = False
     settings.PROTECT_FILE_PATH = '/_protected/music'
     settings.REVERSE_PROXY_TYPE = proxy
     settings.MUSIC_DIRECTORY_PATH = '/app/music'
@@ -198,12 +210,18 @@ def test_serve_file_in_place_utf8(
     ('nginx', '/app/music', '/_protected/media/tracks/hello/world.mp3'),
 ])
 def test_serve_file_media(
-        proxy, serve_path, expected, factories, api_client, settings):
+        proxy,
+        serve_path,
+        expected,
+        factories,
+        api_client,
+        settings,
+        preferences):
     headers = {
         'apache2': 'X-Sendfile',
         'nginx': 'X-Accel-Redirect',
     }
-    settings.PROTECT_AUDIO_FILES = False
+    preferences['common__api_authentication_required'] = False
     settings.MEDIA_ROOT = '/host/media'
     settings.PROTECT_FILE_PATH = '/_protected/music'
     settings.REVERSE_PROXY_TYPE = proxy
@@ -220,8 +238,8 @@ def test_serve_file_media(
 
 
 def test_can_proxy_remote_track(
-        factories, settings, api_client, r_mock):
-    settings.PROTECT_AUDIO_FILES = False
+        factories, settings, api_client, r_mock, preferences):
+    preferences['common__api_authentication_required'] = False
     track_file = factories['music.TrackFile'](federation=True)
 
     r_mock.get(track_file.library_track.audio_url, body=io.BytesIO(b'test'))
@@ -236,8 +254,9 @@ def test_can_proxy_remote_track(
     assert library_track.audio_file.read() == b'test'
 
 
-def test_serve_updates_access_date(factories, settings, api_client):
-    settings.PROTECT_AUDIO_FILES = False
+def test_serve_updates_access_date(
+        factories, settings, api_client, preferences):
+    preferences['common__api_authentication_required'] = False
     track_file = factories['music.TrackFile']()
     now = timezone.now()
     assert track_file.accessed_date is None
diff --git a/changes/changelog.d/229.bugfix b/changes/changelog.d/229.bugfix
new file mode 100644
index 000000000..118ed6af2
--- /dev/null
+++ b/changes/changelog.d/229.bugfix
@@ -0,0 +1 @@
+Ensure anonymous users can use the app if the instance is configured accordingly (#229)
diff --git a/demo/setup.sh b/demo/setup.sh
index b96f517b3..e33bdf290 100644
--- a/demo/setup.sh
+++ b/demo/setup.sh
@@ -23,8 +23,6 @@ echo "DJANGO_SECRET_KEY=demo" >> .env
 echo "DJANGO_ALLOWED_HOSTS=demo.funkwhale.audio" >> .env
 echo "FUNKWHALE_VERSION=$version" >> .env
 echo "FUNKWHALE_API_PORT=5001" >> .env
-echo "FEDERATION_MUSIC_NEEDS_APPROVAL=False" >>.env
-echo "PROTECT_AUDIO_FILES=False" >> .env
 /usr/local/bin/docker-compose pull
 /usr/local/bin/docker-compose up -d postgres redis
 sleep 5