From 96c900343a67e345ab7280782ab744344716b4d2 Mon Sep 17 00:00:00 2001
From: Alix JEUDI--LEMOINE
Date: Tue, 20 May 2025 14:26:00 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Fix=20image=20access=20without?= =?UTF-8?q?=20permission?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/routes/images.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/routes/images.py b/app/routes/images.py
index c28a802..a8c5100 100644
--- a/app/routes/images.py
+++ b/app/routes/images.py
@@ -48,9 +48,9 @@ def check_image_permissions(image_id: str, current_user: User):
 if not image:
 raise HTTPException(status_code=404, detail="Image not found")
- # Si l'image n'est pas associée à un pin, n'importe qui peut y accéder
+ # Si l'image n'est pas associée à un pin, personne ne peut y accéder
 if not image.get("pin_id"):
- return image
+ raise HTTPException(status_code=403, detail="Image is not associated with any pin")
 # Récupérer le pin associé
 pin = pins_collection.find_one({"_id": ObjectId(image["pin_id"])})
@@ -165,7 +165,7 @@ async def add_image(
 @images_router.get(
 path="/{id}",
- responses={401: {"model": HTTPError}, 404: {"model": HTTPError}}
+ responses={401: {"model": HTTPError}, 403: {"model": HTTPError}, 404: {"model": HTTPError}}
 )
 async def get_image(id: str, current_user: User = Depends(get_current_user)):
 image = check_image_permissions(id, current_user)
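Review bot: The new `raise HTTPException(status_code=403, detail="Image is not associated with any pin")` in `check_image_permissions` answers differently from the 404 branch just above it, so any authenticated caller can tell an existing unattached image id from a nonexistent one and learns its internal state from the detail text. If clients do not need that distinction, reusing the not-found response, `raise HTTPException(status_code=404, detail="Image not found")`, keeps the denial without confirming which ids exist. The branch also refuses the image to everyone, including whoever uploaded it; if images can exist before they are attached to a pin (the upload flow is not visible in this patch), an ownership check on the image document would be needed rather than a blanket refusal. The function continues past the hunk, so the pin-level checks cannot be reviewed here, and a regression test asserting that an image without `pin_id` is refused would lock this fix in.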