
API response declares images as valid:true incorrectly

Open blishen opened this issue 8 years ago • 8 comments

Take an image, for example a no-rights image such as:

77aec23e43f3c98c7a845bd2b6e8574a79933469

The API response in the browser for a user with no metadata editing privileges (not necessarily important, I haven't tested yet as a metadata editor) correctly flags the image as invalid:

https://api.media.gutools.co.uk/images/77aec23e43f3c98c7a845bd2b6e8574a79933469

valid: false,
invalidReasons: {
  paid_image: "Paid imagery requires a lease",
  no_rights: "No rights to use this image"
},
cost: "pay",

However, the same image declares itself as valid when the API is queried with an API key, so for example:

curl --header "X-Gu-Media-Key:apikeyinhere" https://api.media.gutools.co.uk/images/77aec23e43f3c98c7a845bd2b6e8574a79933469

returns

"valid":true,
"invalidReasons":{
  "paid_image":"Paid imagery requires a lease",
  "no_rights":"No rights to use this image"
},
"cost":"pay",

This leads to InDesign users being able to access paid images for print without the picture desk granting them a lease. The API accessed with an API key should return validity based on the access levels of a non Picture desk user. So pay for images should only be valid if there is an active allow lease applied.

blishen avatar Nov 11 '16 14:11 blishen
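The rule stated above (an API-key caller should get the validity a non picture desk user would get, and a pay image should only be valid with an active allow lease), as an added Python model that is not Grid's own code: `buggy_validity` reproduces the reported behaviour and `validity` the expected one. The tier names, the `Lease`/`Image` shapes and the assumption that only the picture desk may override the invalid reasons are mine, not Grid's.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Caller tiers (constructed names, not Grid's identifiers).
STANDARD = "standard"          # browser user without metadata-editing rights
PICTURE_DESK = "picture_desk"  # may use restricted imagery without a lease
API_KEY = "api_key"            # external client such as an InDesign plugin
@dataclass
class Lease:
    access: str                         # "allow" or "deny"
    ends_at: Optional[datetime] = None  # None means open-ended
@dataclass
class Image:
    cost: str                           # "free" or "pay"
    has_rights: bool
    leases: list = field(default_factory=list)

def active_allow_lease(image: Image, now: datetime) -> bool:
    """True if an 'allow' lease exists that has not expired."""
    return any(l.access == "allow" and (l.ends_at is None or l.ends_at > now)
               for l in image.leases)

def invalid_reasons(image: Image, now: datetime) -> dict:
    """Reasons mirror the two messages seen in the issue's API responses."""
    reasons = {}
    if image.cost == "pay" and not active_allow_lease(image, now):
        reasons["paid_image"] = "Paid imagery requires a lease"
    if not image.has_rights:
        reasons["no_rights"] = "No rights to use this image"
    return reasons

def buggy_validity(image: Image, tier: str, now: datetime) -> dict:
    """Reproduces the reported behaviour: an API key is treated as a super-admin."""
    reasons = invalid_reasons(image, now)
    is_admin = tier in (PICTURE_DESK, API_KEY)   # the defect: API_KEY is in here
    return {"valid": is_admin or not reasons, "invalidReasons": reasons, "cost": image.cost}

def validity(image: Image, tier: str, now: datetime) -> dict:
    """Fixed: an API key gets the same answer as a standard (non picture desk) user."""
    reasons = invalid_reasons(image, now)
    is_admin = tier == PICTURE_DESK               # assumption: only the desk may override
    return {"valid": is_admin or not reasons, "invalidReasons": reasons, "cost": image.cost}

# Constructed sample data so the module runs offline.
NOW = datetime(2016, 11, 11, tzinfo=timezone.utc)
SAMPLES = {
    "no_rights_paid": Image(cost="pay", has_rights=False),
    "leased_paid": Image("pay", True, [Lease("allow", NOW + timedelta(days=1))]),
    "expired_lease": Image("pay", True, [Lease("allow", NOW - timedelta(days=1))]),
}
```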

Pretty sure this line is the issue:

https://github.com/guardian/grid/blob/master/media-api/app/controllers/MediaApi.scala#L110

@kenoir if you could just confirm, I'm happy to figure out what the right answer is (with another team member ofc) 💧 osmosis

NickPapacostas avatar Nov 11 '16 16:11 NickPapacostas

That looks likely to me. I suppose ideally it would be possible to have admin API keys vs standard API keys - but at the moment I can't think of the downside of making the API 'user' not have special privileges

blishen avatar Nov 14 '16 13:11 blishen

Talk to me before anyone takes a look at this.

blishen avatar Feb 27 '17 17:02 blishen

@blishen @NickPapacostas indeed, I'm pretty sure this is because when you use the API key it thinks you are some kind of super admin and sets the validity to true.

kenoir avatar Mar 01 '17 09:03 kenoir

@blishen Grid now has tiered API access 🎉 so can support this now, if still necessary.

akash1810 avatar Jun 29 '18 15:06 akash1810

@blishen Look what I have found, haha…

paperboyo avatar Oct 06 '22 00:10 paperboyo

Wow this email notification was a blast from the past, hey all! Hope you're doing well :)

NickPapacostas avatar Oct 06 '22 14:10 NickPapacostas

Hahaha, how are you Nick? Drop by when in London! At least to say hi to @itsibitzi.

paperboyo avatar Oct 06 '22 14:10 paperboyo