
Can't access images in private objects without logging in to the backend #581

Closed · cekk opened this issue Dec 3, 2018 · 3 comments

Comments

@cekk (Member) commented Dec 3, 2018

I have a private News Item in a Plone site where I'm not logged in.

If I use Volto and I log in with it, I can access the News Item (because of the token), but I can't see its image.
That's because the URL in the src attribute points directly to the Plone instance (on a separate domain) where I'm not logged in, and the response is the plone_login form.

If I also log in to the backend, then I can get the resource without problems.

I don't know how to fix that, because the problem is that I'm logged in to Volto with the token, but not to Plone. We don't have the _ac cookie for the backend, so every call without the token is an anonymous call for Plone.

That's also a problem with files inside a private folder.

@sneridagh (Member) commented:

@cekk Indeed, this is one of the major issues (in fact at the plone.restapi level) that we should find a proper, elegant way to solve. I even think there's already an issue there:

plone/plone.restapi#148

This should be a priority in the next sprints. I think that in Guillotina it's already solved in an appropriate way. /cc @bloodbare @vangheem

We are using a custom PAS plugin in our projects to work around that: since images will be accessed via a normal img tag, the token can't be injected. This plugin just takes the cookie created by Volto and validates it (given the fact that it's on the same server/port env).

@vangheem (Member) commented Jan 9, 2019

Yup, Guillotina CMS actually just sets an auth cookie value to get around this for now.

It works with Authorization header bearer and/or cookie value.

Not sure if there is a different, more clever way to do this.
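The header-or-cookie approach both comments describe, as an added standalone sketch (not plone.restapi's, Volto's or Guillotina's code): the backend accepts the same signed token either from the Authorization header or from a cookie, so browser-initiated requests such as `<img src>` or file downloads, which carry no header, still authenticate. The shared secret and the cookie name `auth_token` are constructed assumptions, as is the HS256 JWT format.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this sketch; the real cookie name and secret are deployment choices.
SECRET = b"constructed-shared-secret"
COOKIE_NAME = "auth_token"  # hypothetical name of the cookie the frontend sets


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(subject, lifetime=3600, now=None):
    # Mint an HS256 JWT; used here only to construct sample input.
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": subject, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    # Return the subject when signature and expiry check out, otherwise None.
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg=none and any algorithm we did not expect
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if claims.get("exp", 0) <= now:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None

def extract_credentials(headers, cookies):
    # Same order a PAS extraction plugin would use: bearer header first, cookie fallback
    # for requests a browser makes on its own (img src, file downloads) that carry no header.
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return cookies.get(COOKIE_NAME)

def authenticate(headers, cookies, now=None):
    token = extract_credentials(headers, cookies)
    return verify_token(token, now) if token else None
```

Because the cookie is now a credential the browser attaches automatically, the frontend should set it HttpOnly, Secure and SameSite, and the backend still rejects it once `exp` has passed.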

@sneridagh (Member) commented:

Fixed by #653.
