upload: Allow rate limited access to spectators for uploaded files.

We allow spectators access to uploaded files in web public streams but rate limit the daily requests to 1000 per file by default.
2025-11-12 18:06:44 +00:00 · 2021-11-02 14:42:58 +00:00
parent abea1f4598
commit b799ec32b0
9 changed files with 194 additions and 21 deletions
--- a/zerver/lib/rest.py
+++ b/zerver/lib/rest.py
@@ -148,7 +148,7 @@ def rest_dispatch(request: HttpRequest, **kwargs: Any) -> HttpResponse:
                allow_webhook_access="allow_incoming_webhooks" in view_flags,
            )(target_function)
        elif (
-            request.path.startswith(("/json", "/avatar"))
+            request.path.startswith(("/json", "/avatar", "/user_uploads", "/thumbnail"))
            and "allow_anonymous_user_web" in view_flags
        ):
            # For endpoints that support anonymous web access, we do that.