users: Allow spectators to view user avatars.

If the realm is web_public, spectators can now view the avatars of other
users.

There is a special exception we had to introduce in the rest model to
allow `/avatar`-type URLs for `anonymous` access, because they
don't have the `/api/v1` prefix.

Fixes #19838.
Aman Agrawal
2021-11-01 11:21:17 +00:00
parent d6541c4724
commit 3e689ebae9
4 changed files with 92 additions and 29 deletions


@@ -147,7 +147,10 @@ def rest_dispatch(request: HttpRequest, **kwargs: Any) -> HttpResponse:
target_function = authenticated_rest_api_view(
allow_webhook_access="allow_incoming_webhooks" in view_flags,
)(target_function)
elif request.path.startswith("/json") and "allow_anonymous_user_web" in view_flags:
elif (
request.path.startswith(("/json", "/avatar"))
and "allow_anonymous_user_web" in view_flags
):
# For endpoints that support anonymous web access, we do that.
# TODO: Allow /api calls when this is stable enough.
auth_kwargs = dict(allow_unauthenticated=True)
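Review bot: the new `/avatar` prefix in `request.path.startswith(("/json", "/avatar"))` is not explained by the comment that follows it, which still reads only "For endpoints that support anonymous web access, we do that."; the commit message gives the reason (avatar URLs lack the `/api/v1` prefix), so that reasoning belongs in the code comment as well, otherwise the next reader may take `/avatar` for a stray path and remove it. It is also worth stating in the same comment that this branch only skips authentication (`auth_kwargs = dict(allow_unauthenticated=True)`) and that the view flagged `allow_anonymous_user_web` remains responsible for verifying that the realm is actually web_public, since nothing in this dispatcher branch checks that.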