Evaluate file access permissions

ram/ram/__init__.py

@@ -1,4 +1,4 @@
 from ram.utils import git_suffix
 
-__version__ = "0.19.7"
+__version__ = "0.19.6"
 __version__ += git_suffix(__file__)

ram/ram/settings.py

@@ -206,9 +206,6 @@ ROLLING_STOCK_TYPES = [
 
 FEATURED_ITEMS_MAX = 6
 
-# If True, use X-Accel-Redirect (Nginx)
-USE_X_ACCEL_REDIRECT = False
-
 try:
     from ram.local_settings import *
 except ImportError:

ram/ram/urls.py

@@ -28,15 +28,11 @@ handler404 = Render404.as_view()
 
 urlpatterns = [
     path("", lambda r: redirect("portal/")),
-    path("admin/", admin.site.urls),
     path("tinymce/", include("tinymce.urls")),
     path("tinymce/upload_image", UploadImage.as_view(), name="upload_image"),
-    path(
-        "media/files/<path:filename>",
-        DownloadFile.as_view(),
-        name="download_file",
-    ),
     path("portal/", include("portal.urls")),
+    path("admin/", admin.site.urls),
+    path("media/files/<path:filename>", DownloadFile.as_view(), name="download_file"),
 ] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
 
 # Enable the "/dcc" routing only if the "driver" app is active
@@ -60,7 +56,6 @@ if settings.DEBUG:
     if settings.REST_ENABLED:
         from django.views.generic import TemplateView
         from rest_framework.schemas import get_schema_view
-
         urlpatterns += [
             path(
                 "swagger/",

ram/ram/views.py

@@ -9,7 +9,6 @@ from django.apps import apps
 from django.conf import settings
 from django.http import (
     Http404,
-    HttpResponse,
     HttpResponseBadRequest,
     HttpResponseForbidden,
     FileResponse,
@@ -77,7 +76,7 @@ class UploadImage(View):
 
 
 class DownloadFile(View):
-    def get(self, request, filename, disposition="inline"):
+    def get(self, request, filename):
         # Clean up the filename to prevent directory traversal attacks
         filename = os.path.basename(filename)
 
@@ -88,26 +87,15 @@ class DownloadFile(View):
                 try:
                     doc = model.objects.get(file__endswith=filename)
                     if doc.private and not request.user.is_staff:
-                        break
+                        raise Http404("File not found")
 
-                    file = doc.file
+                    file_path = doc.file.path
-                    if not os.path.exists(file.path):
+                    if not os.path.exists(file_path):
-                        break
+                        raise Http404("File not found")
-
-                    if getattr(settings, "USE_X_ACCEL_REDIRECT", False):
-                        response = HttpResponse()
-                        response["Content-Type"] = ""
-                        response["X-Accel-Redirect"] = file.url
-                    else:
-                        response = FileResponse(
-                            open(file.path, "rb"), as_attachment=True
-                        )
 
+                    response = FileResponse(open(file_path, "rb"), as_attachment=True)
                     response["Content-Disposition"] = (
-                        '{}; filename="{}"'.format(
+                        f'attachment; filename="{smart_str(os.path.basename(file_path))}"'
-                            disposition,
-                            smart_str(os.path.basename(file.path))
-                        )
                     )
                     return response
                 except model.DoesNotExist: