a

2026-04-24 00:08:07 -04:00 · 2026-04-20 10:21:36 +03:00
parent 2f90381000
commit 3a48dd5bfa
2 changed files with 21 additions and 26 deletions
@@ -168,25 +168,28 @@ class ProfileMediaPage extends Page {
        });

        if (isSelected) {
-            if (window.parent !== window) {
-                const baseUrl = window.location.origin;
-                const embedUrl = `${baseUrl}/embed?m=${mediaId}`;
+            const baseUrl = window.location.origin;
+            const embedUrl = `${baseUrl}/embed?m=${mediaId}`;

-                window.parent.postMessage({
-                    type: 'videoSelected',
-                    embedUrl: embedUrl,
-                    videoId: mediaId,
-                }, '*');
-            }
+            const sendPostMessage = () => {
+                if (window.parent !== window) {
+                    window.parent.postMessage({
+                        type: 'videoSelected',
+                        embedUrl: embedUrl,
+                        videoId: mediaId,
+                    }, '*');
+                }
+            };

-            // Mark media as shared so LTI users in the course can access it
+            // Share first, then notify parent — postMessage can cause parent to navigate away
+            // which would cancel an in-flight fetch if called in the wrong order
            fetch(`/api/v1/media/${mediaId}/share`, {
                method: 'POST',
                headers: {
                    'X-CSRFToken': this.props.bulkActions.getCsrfToken(),
                    'Content-Type': 'application/json',
                },
-            }).catch(() => {});
+            }).then(sendPostMessage).catch(sendPostMessage);
        }
    }

@@ -695,7 +695,10 @@ class EmbedMediaLTIView(View):
        media = get_object_or_404(Media, friendly_token=friendly_token)

        lti_session = validate_lti_session(request)
-        can_view = False
+        if media.state in ["public", "unlisted"]:
+            can_view = True
+        else:
+            can_view = False

        if lti_session and request.user.is_authenticated:
            context_id = lti_session.get('context_id')
@@ -717,6 +720,7 @@ class EmbedMediaLTIView(View):
                            rbac_group=resource_link.rbac_group,
                        ).exists()
                        if has_course_access:
+                            # create an entry so it shows up under shared with me
                            MediaPermission.objects.get_or_create(
                                user=request.user,
                                media=media,
@@ -729,20 +733,8 @@ class EmbedMediaLTIView(View):
                except Exception:
                    logger.exception('EmbedMediaLTIView: error checking course access for user=%s media=%s', request.user, friendly_token)

-            if not can_view and media.state == 'private':
-                has_rbac_access = media.category.filter(
-                    is_rbac_category=True,
-                    rbac_groups__members=request.user,
-                ).exists()
-                has_direct_permission = MediaPermission.objects.filter(
-                    media=media,
-                    user=request.user,
-                ).exists()
-                if has_rbac_access or has_direct_permission:
-                    can_view = True
-
-        if not can_view and media.state in ["public", "unlisted"]:
-            can_view = True
+            if not can_view and request.user.has_member_access_to_media(media):
+                can_view = True

        if not can_view:
            return JsonResponse({'error': 'Access denied', 'message': 'You do not have permission to view this media'}, status=403)