Overhaul of how protected static content works

.gitignore

@@ -1,6 +1,7 @@
 *.*~
 *.pyc
 /static/
+/media/
 /huntserver/static/huntserver/*.pdf
 /huntserver/static/huntserver/*.png
 /huntserver/static/huntserver/puzzles/*

huntserver/models.py

@@ -13,19 +13,15 @@ class Hunt(models.Model):
 
     @property
     def is_locked(self):
-        if timezone.now() < self.start_date:
-            return True
-        return False
+        return timezone.now() < self.start_date
+
     @property
     def is_open(self):
-        if timezone.now() > self.start_date and timezone.now() < self.end_date:
-            return True
-        return False
+        return timezone.now() > self.start_date and timezone.now() < self.end_date
+
     @property
     def is_public(self):
-        if timezone.now() > self.end_date:
-            return True
-        return False
+        return timezone.now() > self.end_date
 
     def __unicode__(self):
         return self.hunt_name

huntserver/puzzle.py

@@ -67,7 +67,7 @@ def unlock_puzzles(team):
 # and convert it to PNGs. It first clears the old PNGs and PDFs.
 # Has to also get number of pages so that the whole pdf doesn't become one image
 def download_puzzles(hunt):
-    directory = "static/huntserver/puzzles"
+    directory = settings.MEDIA_ROOT + "puzzles"
     # TODO: maybe move folder, see if success, then delete.
     # maybe overwrite files with wget?
 

huntserver/templates/hunt1.html

@@ -2,7 +2,7 @@
 {% block title %}Puzzles!{% endblock title %}
 
 {% block includes %}
-<link rel="stylesheet" type="text/css" media='screen and (max-width: 1200px)' href="/protected/huntserver/low-width.css">
+<link rel="stylesheet" type="text/css" media='screen and (max-width: 1200px)' href="{{ STATIC_URL }}huntserver/low-width.css">
 <style>
   body {
     padding-bottom: 0px;

huntserver/templates/puzzle.html

@@ -12,7 +12,7 @@
 <div class='puzzle'>
   <div class='info'>
     <h1> P{{ puzzle.puzzle_number }} - {{ puzzle.puzzle_name}} </h1>
-    <h3><a href='{{ STATIC_URL }}huntserver/puzzles/{{ puzzle.puzzle_id }}.pdf'>
+    <h3><a href='{{ PROTECTED_URL }}puzzles/{{ puzzle.puzzle_id }}.pdf'>
       Click here for a downloadable pdf
     </a></h3>
   </div>
@@ -49,7 +49,7 @@ <h3><a href='{{ STATIC_URL }}huntserver/puzzles/{{ puzzle.puzzle_id }}.pdf'>
   </fieldset>
   <div>
     {% for i in pages %}
-    <img id="puzzleimg" src="{{ STATIC_URL }}huntserver/puzzles/{{ puzzle.puzzle_id }}-{{i}}.png"  alt="No image here">
+    <img id="puzzleimg" src="{{ PROTECTED_URL }}puzzles/{{ puzzle.puzzle_id }}-{{i}}.png"  alt="No image here">
     {% endfor %}
   </div>
 </div>

huntserver/views.py

@@ -16,28 +16,25 @@
 from .puzzle import *
 from .redis import *
 
-# All static file requests are routed through here with file_path resembling:
-# huntserver/puzzles/001.pdf or admin/js/somefile.js etc...
+@login_required
 def protected_static(request, file_path):
     allowed = False
     levels = file_path.split("/")
-    # The only files we really have to protect are in huntserver/puzzles/*
-    if(len(levels) > 2 and levels[0] == "huntserver" and levels[1] == "puzzles"):
-        if request.user.is_authenticated():
-            puzzle_id = levels[2][0:3]
-            puzzle = get_object_or_404(Puzzle, puzzle_id=puzzle_id)
-            team = Team.objects.get(login_info=request.user);
-            # Only allowed access to the image if the puzzle is unlocked
-            # TODO: add condition for hunt is over.
-            if puzzle in team.unlocked.all():
-                allowed = True
-    # At the moment, if it's not a puzzle file, it's allowed
+    if(levels[0] == "puzzles"):
+        puzzle_id = levels[1][0:3]
+        puzzle = get_object_or_404(Puzzle, puzzle_id=puzzle_id)
+        team = Team.objects.get(login_info=request.user);
+        # Only allowed access to the image if the puzzle is unlocked
+        if (puzzle in team.unlocked.all() or puzzle.hunt.is_public or request.user.is_staff):
+            allowed = True
     else:
         allowed = True
 
     if allowed:
+        if(settings.DEBUG):
+            return redirect(settings.MEDIA_URL + file_path)
         response = HttpResponse()
-        url = '/static/' + file_path
+        url = settings.MEDIA_URL + file_path
         # let nginx determine the correct content type 
         response['Content-Type']=""
         # This is what lets django access the normally restricted /static/
@@ -186,13 +183,13 @@ def puzzle(request, puzzle_id):
             form = AnswerForm()
             # Directory for puzzle PNGs
             # TODO: what do we do if this doesn't exist
-            directory = "static/huntserver/puzzles"
+            directory = settings.MEDIA_ROOT + "puzzles"
             file_str = directory + "/" +  puzzle.puzzle_id + ".pdf"
             # Ideally this should be done some other way to reduce command calls
             print("pdfinfo " + file_str + " | grep Pages | awk '{print $2}'")
             pages = int(check_output("pdfinfo " + file_str + " | grep Pages | awk '{print $2}'", shell=True))
             context = {'form': form, 'pages': range(pages), 'puzzle': puzzle, 
-                       'submission_list': submissions}
+                       'submission_list': submissions, 'PROTECTED_URL': settings.PROTECTED_URL}
             return render(request, 'puzzle.html', context)
         else:
             return render(request, 'access_error.html')

puzzlehunt_server/settings.py

@@ -74,16 +74,15 @@
                 'django.contrib.auth.context_processors.auth',
                 'django.contrib.messages.context_processors.messages',
                 'ws4redis.context_processors.default',
+                'django.core.context_processors.media',
             ],
         },
     },
 ]
 
 TEMPLATE_LOADERS = (
-
     'django.template.loaders.filesystem.Loader',
     'django.template.loaders.app_directories.Loader',
-
 )
 
 WSGI_APPLICATION = 'ws4redis.django_runserver.application'
@@ -121,4 +120,9 @@
 # https://docs.djangoproject.com/en/1.8/howto/static-files/
 
 STATIC_ROOT = os.path.join(BASE_DIR, "static/")
-STATIC_URL = '/protected/'
+STATIC_URL = '/static/'
+
+MEDIA_ROOT = os.path.join(BASE_DIR, "media/")
+MEDIA_URL = '/media/'
+
+PROTECTED_URL = '/protected/'

puzzlehunt_server/urls.py

@@ -16,11 +16,16 @@
 from django.conf.urls import include, url
 from django.contrib import admin
 from django.contrib.auth import views as auth_views
+from django.conf import settings
+from django.conf.urls.static import static
 
 urlpatterns = [
     url(r'^admin/', include(admin.site.urls)),
-    url(r'^accounts/logout/$', auth_views.logout, name='logout', kwargs={'next_page': '/'}
-    ),
+    url(r'^accounts/logout/$', auth_views.logout, name='logout', kwargs={'next_page': '/'}),
     url(r'^accounts/login/$', auth_views.login),
     url(r'^', include('huntserver.urls', namespace="huntserver")),
 ]
+
+# Hack for using development server 
+if(settings.DEBUG):
+    urlpatterns = urlpatterns + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)