Add support for restricted viewer assets via viewer_asset resource permissions

Author: manisandro

src/qwc2_viewer.py

@@ -631,13 +631,27 @@ def __update_service_urls(self, themes):
         for subdir in themes.get('subdirs', []):
             self.__update_service_urls(subdir)
 
-    def qwc2_assets(self, path, lang):
+    def qwc2_assets(self, path, identity, lang):
         """Return QWC2 asset from assets/ or temporary image dir.
 
         :param str path: Asset path
         :param str lang: Asset language
         """
+        restricted_viewer_assets = self.resources['qwc2_config'].get(
+            'restricted_viewer_assets', []
+        )
+
+        # get permitted viewer tasks
+        permitted_viewer_assets = self.permissions_handler.resource_permissions(
+            'viewer_assets', identity
+        )
+
+        if path in restricted_viewer_assets and not path in permitted_viewer_assets:
+            self.logger.debug("Asset %s is not permitted, returning 404" % path)
+            return abort(404)
+
         if not path.startswith(self.BASE64_IMAGE_ROUTE_PREFIX):
+
             # Special case for ui files: return translated UI
             if path.lower().endswith('.ui'):
                 return self.translate_designer_form(path, lang)

src/server.py

@@ -100,11 +100,12 @@ def qwc2_themes():
 
 
 @app.route('/assets/<path:path>')
+@optional_auth
 # lang: Optional, asset language, i.e. en-US
 def qwc2_assets(path):
     qwc2_viewer = qwc2_viewer_handler()
     lang = request.args.get('lang', None)
-    return qwc2_viewer.qwc2_assets(path, lang)
+    return qwc2_viewer.qwc2_assets(path, get_identity(), lang)
 
 @app.route('/data/<path:path>')
 def qwc2_data(path):