API response declares images as valid:true incorrectly #2015
Take an image, for example a no-rights image such as:
77aec23e43f3c98c7a845bd2b6e8574a79933469
The API response in the browser for a user with no metadata editing privileges (not necessarily important, I haven't tested yet as a metadata editor) correctly flags the image as invalid:
https://api.media.gutools.co.uk/images/77aec23e43f3c98c7a845bd2b6e8574a79933469
However, the same image declares itself as valid when the API is queried with an API key, so for example:
curl --header "X-Gu-Media-Key:apikeyinhere" https://api.media.gutools.co.uk/images/77aec23e43f3c98c7a845bd2b6e8574a79933469
returns
This leads to InDesign users being able to access paid images for print without the picture desk granting them a lease. The API accessed with an API key should return validity based on the access levels of a non-picture-desk user. So pay-for images should only be valid if there is an active allow lease applied.

Comments
Pretty sure this line is the issue: https://github.com/guardian/grid/blob/master/media-api/app/controllers/MediaApi.scala#L110 @kenoir if you could just confirm, I'm happy to figure out what the right answer is (with another team member ofc) 💧 osmosis
That looks likely to me. I suppose ideally it would be possible to have admin API keys vs standard API keys - but at the moment I can't think of the downside of making the API 'user' not have special privileges.
Talk to me before anyone takes a look at this.
@blishen @NickPapacostas indeed, I'm pretty sure this is because when you use the API key it thinks you are some kind of super admin and sets the validity to true.
@blishen Grid now has tiered API access 🎉 so can support this now, if still necessary.
@blishen Look what I have found, haha…
Wow, this email notification was a blast from the past, hey all! Hope you're doing well :)
Hahaha, how are you Nick? Drop by when in London! At least to say hi to @itsibitzi.
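To make the reported behaviour and the rule the issue asks for concrete, here is an added Python model. It is not Grid's code (the media-api is Scala): the `Access` levels, the `Lease` shape, the `free_to_use` flag and the assumption that picture-desk staff see every image as valid are all illustrative. It contrasts a validity check that short-circuits to `valid:true` for any API-key caller with one that evaluates an API-key caller as a non-picture-desk user, so that a pay-for image is valid only while an allow lease is active.

```python
"""Added illustration, not Grid's code: contrasts the validity check as the
issue reports it (any API-key caller treated as a super admin) with the rule
the issue asks for (API-key callers get a non-picture-desk user's validity).
Access levels, the lease shape and the free_to_use flag are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Access(Enum):
    """Assumed tiers: the issue only separates picture-desk staff from users
    without metadata-editing privileges."""
    VIEWER = "viewer"                # e.g. an InDesign user
    PICTURE_DESK = "picture_desk"    # can grant leases


@dataclass(frozen=True)
class Principal:
    name: str
    access: Access
    via_api_key: bool = False        # request carried an X-Gu-Media-Key header


@dataclass(frozen=True)
class Lease:
    """An 'allow' lease; a None bound means open-ended (assumed shape)."""
    starts: Optional[datetime] = None
    ends: Optional[datetime] = None

    def active_at(self, now: datetime) -> bool:
        if self.starts is not None and now < self.starts:
            return False
        if self.ends is not None and now > self.ends:
            return False
        return True


@dataclass(frozen=True)
class Image:
    image_id: str
    free_to_use: bool                # False for no-rights and pay-for images
    allow_leases: tuple = ()


def has_active_allow_lease(image: Image, now: datetime) -> bool:
    return any(lease.active_at(now) for lease in image.allow_leases)


def validity_for_non_picture_desk(image: Image, now: datetime) -> bool:
    """Rule the issue asks for: a pay-for image is valid only while an allow
    lease is active."""
    return image.free_to_use or has_active_allow_lease(image, now)


def is_valid_reported(image: Image, principal: Principal, now: datetime) -> bool:
    """Behaviour the issue reports: an API key short-circuits to valid:true."""
    if principal.via_api_key:
        return True                  # the reported defect
    if principal.access is Access.PICTURE_DESK:
        return True                  # assumption: desk staff can use anything
    return validity_for_non_picture_desk(image, now)


def is_valid_fixed(image: Image, principal: Principal, now: datetime) -> bool:
    """Corrected rule: an API key confers no privilege of its own, so the
    caller is evaluated as a non-picture-desk user."""
    if principal.access is Access.PICTURE_DESK and not principal.via_api_key:
        return True                  # same assumption as above
    return validity_for_non_picture_desk(image, now)


def demo(now: datetime | None = None) -> dict:
    """Constructed sample: the image id from the issue, first with no lease,
    then with an active allow lease, then with an expired one."""
    now = now or datetime(2024, 1, 1, tzinfo=timezone.utc)
    image_id = "77aec23e43f3c98c7a845bd2b6e8574a79933469"
    no_lease = Image(image_id, free_to_use=False)
    leased = Image(image_id, free_to_use=False,
                   allow_leases=(Lease(now - timedelta(days=1), now + timedelta(days=1)),))
    expired = Image(image_id, free_to_use=False,
                    allow_leases=(Lease(ends=now - timedelta(days=1)),))
    api_caller = Principal("indesign-plugin", Access.VIEWER, via_api_key=True)
    browser_user = Principal("reader", Access.VIEWER)
    return {
        "reported_api_key_no_lease": is_valid_reported(no_lease, api_caller, now),
        "reported_browser_no_lease": is_valid_reported(no_lease, browser_user, now),
        "fixed_api_key_no_lease": is_valid_fixed(no_lease, api_caller, now),
        "fixed_api_key_active_lease": is_valid_fixed(leased, api_caller, now),
        "fixed_api_key_expired_lease": is_valid_fixed(expired, api_caller, now),
    }


if __name__ == "__main__":
    for case, valid in demo().items():
        print(f"{case}: valid={valid}")
```

The point of the split between `is_valid_reported` and `is_valid_fixed` is that authentication method (API key vs. browser session) and authorisation level are kept separate: the key identifies the caller, and validity is then computed from the caller's access level and the image's leases. With the tiered API keys mentioned later in the thread, the `via_api_key` flag would naturally be replaced by the tier the key carries.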