users: Allow spectators to view user avatars.

If the realm is web_public, spectators can now view the avatars of
other users.

There is a special exception we had to introduce in the rest model to
allow `/avatar`-type URLs for `anonymous` access, because they
don't have the /api/v1 prefix.

Fixes #19838.
This commit is contained in:
Aman Agrawal
2021-11-01 11:21:17 +00:00
parent d6541c4724
commit 3e689ebae9
4 changed files with 92 additions and 29 deletions

@@ -669,9 +669,14 @@ urls += [
rest_path("thumbnail", GET=(backend_serve_thumbnail, {"override_api_url_scheme"})),
# Avatars have the same constraint because their URLs are included
# in API data structures used by both the mobile and web clients.
rest_path("avatar/<email_or_id>", GET=(avatar, {"override_api_url_scheme"})),
rest_path(
"avatar/<email_or_id>/medium", {"medium": True}, GET=(avatar, {"override_api_url_scheme"})
"avatar/<email_or_id>",
GET=(avatar, {"override_api_url_scheme", "allow_anonymous_user_web"}),
),
rest_path(
"avatar/<email_or_id>/medium",
{"medium": True},
GET=(avatar, {"override_api_url_scheme", "allow_anonymous_user_web"}),
),
]
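
Review bot: Both new `rest_path` entries add `"allow_anonymous_user_web"` to the GET flags for `avatar/<email_or_id>` and `avatar/<email_or_id>/medium`, but nothing in this hunk limits that to web_public realms, which is the condition the commit message states. The realm check therefore has to live in the `avatar` view or in the rest dispatch exception mentioned in the message; please point to it and make sure there is a test where an unauthenticated request to each route in a realm that is not web_public is still rejected. Separately, the path parameter accepts an email as well as an id, so with anonymous access enabled an unauthenticated visitor can ask for an avatar by email address. Confirm that the response for an unknown email is indistinguishable from the response for a known one, or restrict spectators to id lookups, so these routes cannot be used to check whether an address has an account in the realm. A short comment above the two entries noting why anonymous access is safe here would also help the next reader, since the existing comment only explains `override_api_url_scheme`.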