Require auth for room image uploads

2026-01-28 04:59:27 +05:30
parent 35174aa7dc
commit e966d1ec16
2 changed files with 2 additions and 2 deletions
--- a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
@@ -26,7 +26,7 @@ class FirebaseAuthFilter(
            return true
        }
        return path.matches(Regex("^/properties/[^/]+/rooms/[^/]+/images/[^/]+/file$"))
-            || path.matches(Regex("^/properties/[^/]+/rooms/[^/]+/images$"))
+            || (path.matches(Regex("^/properties/[^/]+/rooms/[^/]+/images$")) && request.method.equals("GET", true))
            || (path.matches(Regex("^/properties/[^/]+/room-types$")) && request.method.equals("GET", true))
            || path.matches(Regex("^/properties/[^/]+/room-types/[^/]+/images$"))
            || (path == "/image-tags" && request.method.equals("GET", true))
--- a/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
@@ -27,7 +27,7 @@ class SecurityConfig(
            .authorizeHttpRequests {
                it.requestMatchers("/", "/health", "/auth/**").permitAll()
                it.requestMatchers("/properties/*/rooms/*/images/*/file").permitAll()
-                it.requestMatchers("/properties/*/rooms/*/images").permitAll()
+                it.requestMatchers(org.springframework.http.HttpMethod.GET, "/properties/*/rooms/*/images").permitAll()
                it.requestMatchers(org.springframework.http.HttpMethod.GET, "/properties/*/room-types").permitAll()
                it.requestMatchers("/properties/*/room-types/*/images").permitAll()
                it.requestMatchers(org.springframework.http.HttpMethod.GET, "/image-tags").permitAll()