aboutsummaryrefslogtreecommitdiff
path: root/server/src/routes/ui/assets.rs
diff options
context:
space:
mode:
Diffstat (limited to 'server/src/routes/ui/assets.rs')
-rw-r--r--server/src/routes/ui/assets.rs7
1 files changed, 4 insertions, 3 deletions
diff --git a/server/src/routes/ui/assets.rs b/server/src/routes/ui/assets.rs
index f88faa4..5789685 100644
--- a/server/src/routes/ui/assets.rs
+++ b/server/src/routes/ui/assets.rs
@@ -8,7 +8,7 @@ use crate::{
routes::ui::{account::session::Session, error::MyError, CacheControlFile},
};
use anyhow::{anyhow, Context};
-use jellybase::AssetLocationExt;
+use jellybase::{AssetLocationExt, permission::NodePermissionExt};
use jellycommon::AssetLocation;
use log::info;
use rocket::{get, http::ContentType, FromFormField, State, UriDisplayQuery};
@@ -25,7 +25,7 @@ pub enum AssetRole {
#[get("/n/<id>/asset?<role>&<width>")]
pub async fn r_item_assets(
- _sess: Session,
+ session: Session,
db: &State<Database>,
id: &str,
role: AssetRole,
@@ -34,13 +34,14 @@ pub async fn r_item_assets(
let node = db
.node
.get(&id.to_string())?
+ .only_if_permitted(&session.user.permissions)
.ok_or(anyhow!("node does not exist"))?;
let mut asset = match role {
AssetRole::Backdrop => node.private.backdrop,
AssetRole::Poster => node.private.poster,
};
if let None = asset {
- if let Some(parent) = &node.public.parent {
+ if let Some(parent) = &node.public.path.last() {
let parent = db.node.get(parent)?.ok_or(anyhow!("node does not exist"))?;
asset = match role {
AssetRole::Backdrop => parent.private.backdrop,
generated by cgit v1.2.3-70-g09d2 (git 2.51.0) at 2025-10-08 14:42:05 +0000