Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API response declares images as valid:true incorrectly #2015

Open
blishen opened this issue Nov 11, 2016 · 8 comments
Open

API response declares images as valid:true incorrectly #2015

blishen opened this issue Nov 11, 2016 · 8 comments
Labels
To Review PRs that need to be reviewed

Comments

@blishen
Copy link
Contributor

blishen commented Nov 11, 2016

Take an image, for example a no-rights image such as:

77aec23e43f3c98c7a845bd2b6e8574a79933469

The api response in the browser for a user with no metadata editing privileges (not necessarily important, I haven't tested yet as a metadata editor) correctly flags the image as invalid

https://api.media.gutools.co.uk/images/77aec23e43f3c98c7a845bd2b6e8574a79933469

valid: false,
invalidReasons: {
paid_image: "Paid imagery requires a lease",
no_rights: "No rights to use this image"
},
cost: "pay",

however the same image declares itself as valid when the API is queried with an API key, so for example:

curl --header "X-Gu-Media-Key:apikeyinhere" https://api.media.gutools.co.uk/images/77aec23e43f3c98c7a845bd2b6e8574a79933469

returns

"valid":true,
"invalidReasons":{
"paid_image":"Paid imagery requires a lease",
"no_rights":"No rights to use this image"
},
"cost":"pay",

This leads to InDesign users being able to access paid images for print without the picture desk granting them a lease. The API accessed with an API key should return validity based on the access levels of a non Picture desk user. So pay for images should only be valid if there is an active allow lease applied.

@NickPapacostas
Copy link
Contributor

Pretty sure this line is the issue:

https://github.com/guardian/grid/blob/master/media-api/app/controllers/MediaApi.scala#L110

@kenoir if you could just confirm i'm happy to figure out what the right answer is (with another team member ofc) 💧 osmosis

@blishen
Copy link
Contributor Author

blishen commented Nov 14, 2016

That looks likely to me. I suppose ideally it would be possible to have admin API keys vs standard API keys - but at the moment I can't think of the downside of making the API 'user' not have special privileges

@blishen
Copy link
Contributor Author

blishen commented Feb 27, 2017

Talk to me before anyone takes a look at this.

@kenoir
Copy link
Contributor

kenoir commented Mar 1, 2017

@blishen @NickPapacostas indeed, i'm pretty sure this is because when you use the API key it thinks you are some kind of super admin and sets the validity to true.

@akash1810
Copy link
Member

@blishen Grid now has tiered API access 🎉so can support this now, if still necessary.

@sihil sihil added the To Review PRs that need to be reviewed label Sep 8, 2020
@paperboyo
Copy link
Contributor

@blishen Look what I have found, haha…

@NickPapacostas
Copy link
Contributor

Wow this email notification was a blast from the past, hey all! Hope you're doing well :)

@paperboyo
Copy link
Contributor

Hahaha, how are you Nick? Drop by when in London! At least to say hi to @itsibitzi.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
To Review PRs that need to be reviewed
Projects
None yet
Development

No branches or pull requests

6 participants