From d56d95fd75afaa1656f969bd4e672022a3ecc2cf Mon Sep 17 00:00:00 2001
From: Chris Beer
Date: Thu, 16 Apr 2020 13:46:35 -0700
Subject: [PATCH] Always allow streaming access to publicly viewable files

---
 app/controllers/media_controller.rb       | 5 ++++-
 spec/controllers/media_controller_spec.rb | 12 +++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 9865f1c2..2d51c615 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -11,10 +11,13 @@ class MediaController < ApplicationController
   end
 
   def verify_token
+    if allowed_params[:stacks_token].blank? && anonymous_ability.can?(:stream, current_media)
+      render plain: 'no token needed', status: :ok
     # the media service calling verify_token provides the end-user IP address,
     # as we care about the (user) IP address that made a request to the media service with the
     # stacks_token, not the IP address of the service checking the stacks_token.
-    if token_valid? allowed_params[:stacks_token], id, file_name, allowed_params[:user_ip]
+    elsif allowed_params[:stacks_token].present? &&
+          token_valid?(allowed_params[:stacks_token], id, file_name, allowed_params[:user_ip])
       render plain: 'valid token', status: :ok
     else
       render plain: 'invalid token', status: :forbidden
diff --git a/spec/controllers/media_controller_spec.rb b/spec/controllers/media_controller_spec.rb
index b2b96f37..c1bc9bdb 100644
--- a/spec/controllers/media_controller_spec.rb
+++ b/spec/controllers/media_controller_spec.rb
@@ -4,7 +4,7 @@ RSpec.describe MediaController do
   let(:video) { StacksMediaStream.new(id: 'bb582xs1304', file_name: 'bb582xs1304_sl', format: 'mp4') }
 
-  before { stub_rights_xml(world_readable_rights_xml) }
+  before { stub_rights_xml(stanford_restricted_rights_xml) }
 
   describe '#verify_token' do
     let(:id) { 'ab123cd4567' }
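Review bot: The new public-access branch at the top of `verify_token` decides with `anonymous_ability.can?(:stream, current_media)` but never consults `allowed_params[:user_ip]`, the very value the token path passes through because the end-user's address is what matters for access; if any rights in this application are location-scoped, confirm that `anonymous_ability` is built without an IP and therefore denies them, otherwise build it from the supplied `user_ip` before trusting its answer. I also cannot see from the hunk that `current_media` resolves to the same `id`/`file_name` pair the token is checked against on the `elsif` line, so a mismatch there would answer for a different file. Separately, the explanatory comment about `user_ip` now sits inside the first branch after its `render`, detached from the `elsif` it describes; moving it above the `if` with a one-line note on the new branch, `# publicly streamable files need no token; everything else must present a valid one`, keeps intent readable. The method's closing `end` lies outside the hunk.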
@@ -70,6 +70,16 @@
       expect(response.body).to eq 'invalid token'
       expect(response.status).to eq 403
     end
+
+    context 'with a publicly accessible file' do
+      before { stub_rights_xml(world_readable_rights_xml) }
+
+      it 'allows a missing token' do
+        get :verify_token, params: valid_token.merge(stacks_token: '')
+        expect(response.body).to eq 'no token needed'
+        expect(response.status).to eq 200
+      end
+    end
   end
 end
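Review bot: The new context pins only the blank-token-on-public-file case; nothing in this hunk asserts the other half of the change, that a blank `stacks_token` on a restricted file is still refused, which is exactly what the `present?` guard added to `verify_token` protects and where a regression would silently open restricted streams. Under the file's now-restricted default rights, add next to the new context: `it 'rejects a missing token' do`, `get :verify_token, params: valid_token.merge(stacks_token: '')`, `expect(response.status).to eq 403`. The preceding 'invalid token' example appears to exercise a wrong token rather than an absent one, but its `params` are outside the hunk so I cannot confirm it already covers this. The enclosing `describe` block starts outside the hunk.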