SaaS-PDF/backend/app/routes/download.py
Your Name 3f24a7ea3e feat: Enhance task access control and session management
- Implemented API and web task access assertions in the task status polling endpoint.
- Added functions to remember and check task access in user sessions.
- Updated task status tests to validate access control based on session data.
- Enhanced download route tests to ensure proper access checks.
- Improved SEO metadata handling with dynamic social preview images.
- Updated sitemap generation to include blog posts and new tools.
- Added a social preview SVG for better sharing on social media platforms.
2026-03-17 21:19:23 +02:00


"""Local file download route — used when S3 is not configured."""
import os
from flask import Blueprint, send_file, abort, request, current_app
from app.services.policy_service import (
PolicyError,
assert_api_task_access,
assert_web_task_access,
resolve_api_actor,
resolve_web_actor,
)
download_bp = Blueprint("download", __name__)
@download_bp.route("/<task_id>/<filename>", methods=["GET"])
def download_file(task_id: str, filename: str):
"""
Serve a processed file from local filesystem.
Only active in development (when S3 is not configured).
"""
# Security: sanitize inputs
# Only allow UUID-style task IDs and safe filenames
if ".." in task_id or "/" in task_id or "\\" in task_id:
abort(400, "Invalid task ID.")
if ".." in filename or "/" in filename or "\\" in filename:
abort(400, "Invalid filename.")
try:
if request.headers.get("X-API-Key", "").strip():
actor = resolve_api_actor()
assert_api_task_access(actor, task_id)
else:
actor = resolve_web_actor()
assert_web_task_access(actor, task_id)
except PolicyError as exc:
abort(exc.status_code, exc.message)
output_dir = current_app.config["OUTPUT_FOLDER"]
file_path = os.path.join(output_dir, task_id, filename)
if not os.path.isfile(file_path):
abort(404, "File not found or expired.")
download_name = request.args.get("name", filename)
return send_file(
file_path,
as_attachment=True,
download_name=download_name,
)
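Review bot: The comment above the input checks says "Only allow UUID-style task IDs", but the code only denylists `..`, `/` and `\\`, so any other string reaches `os.path.join` and the comment overstates the guarantee. If task IDs really are UUIDs, validate the format rather than substrings, e.g. `try: uuid.UUID(task_id)` / `except ValueError: abort(400, "Invalid task ID.")`, and build the path with `werkzeug.utils.safe_join(output_dir, task_id, filename)` (abort 400 when it returns `None`) so containment under `OUTPUT_FOLDER` is enforced by the library instead of by a hand-written denylist. Either change needs a new import at the top of the file. The ordering is otherwise sound: the policy check runs before the existence check, so an unauthorized caller cannot distinguish missing from forbidden files.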