From ea152508964a9f083bc4b7bd192afec2716386b9 Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Mon, 23 Dec 2024 13:19:31 -0700
Subject: [PATCH] Fix ignoredHosts (#630)
---
 CHANGELOG.md | 1 +
 api/r0/download.go | 4 ++--
 api/r0/thumbnail.go | 4 ++--
 api/unstable/info.go | 2 +-
 api/unstable/local_copy.go | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 49712002..264b3cb5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 * Ensure the request parameters are correctly set for authenticated media client requests.
 * Ensure remote signing keys expire after at most 7 days.
 * Fixed parsing of `Authorization` headers for federated servers.
+* Ensure `ignoredHosts` is applied to unauthenticated requests.

 ## [1.3.7] - July 30, 2024

diff --git a/api/r0/download.go b/api/r0/download.go
index dc48a410..a4908025 100644
--- a/api/r0/download.go
+++ b/api/r0/download.go
@@ -74,8 +74,8 @@ func DownloadMedia(r *http.Request, rctx rcontext.RequestContext, auth _apimeta.
 "authServerName": auth.Server.ServerName,
 })

- if auth.User.UserId != "" {
- if !util.IsGlobalAdmin(auth.User.UserId) && util.IsHostIgnored(server) {
+ if util.IsHostIgnored(server) {
+ if auth.User.UserId == "" || !util.IsGlobalAdmin(auth.User.UserId) {
 rctx.Log.Warn("Request blocked due to domain being ignored.")
 return _responses.MediaBlocked()
 }
diff --git a/api/r0/thumbnail.go b/api/r0/thumbnail.go
index 4fff646b..322b3ea8 100644
--- a/api/r0/thumbnail.go
+++ b/api/r0/thumbnail.go
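Review bot: In api/r0/download.go (and identically in api/r0/thumbnail.go) the ignored-host rule is still written inline, and after this commit it exists in two different shapes across the four handlers touched, so the copies can drift apart again the way the unauthenticated path presumably did. A single helper would keep them aligned, e.g. `func isHostBlockedFor(server string, userId string) bool { return util.IsHostIgnored(server) && (userId == "" || !util.IsGlobalAdmin(userId)) }`, called as `if isHostBlockedFor(server, auth.User.UserId) {`. Failing that, a comment above the new check should state the policy: `// ignoredHosts applies to every caller; only an authenticated global admin is exempt.` No regression test for a request with an empty UserId is part of this patch, and one would be worth adding. DownloadMedia and ThumbnailMedia both start and end outside their hunks.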
@@ -67,8 +67,8 @@ func ThumbnailMedia(r *http.Request, rctx rcontext.RequestContext, auth _apimeta
 "authServerName": auth.Server.ServerName,
 })

- if auth.User.UserId != "" {
- if !util.IsGlobalAdmin(auth.User.UserId) && util.IsHostIgnored(server) {
+ if util.IsHostIgnored(server) {
+ if auth.User.UserId == "" || !util.IsGlobalAdmin(auth.User.UserId) {
 rctx.Log.Warn("Request blocked due to domain being ignored.")
 return _responses.MediaBlocked()
 }
diff --git a/api/unstable/info.go b/api/unstable/info.go
index eb245991..647ba82d 100644
--- a/api/unstable/info.go
+++ b/api/unstable/info.go
@@ -72,7 +72,7 @@ func MediaInfo(r *http.Request, rctx rcontext.RequestContext, user _apimeta.User
 "allowRemote": downloadRemote,
 })

- if !util.IsGlobalAdmin(user.UserId) && util.IsHostIgnored(server) {
+ if util.IsHostIgnored(server) && !util.IsGlobalAdmin(user.UserId) {
 rctx.Log.Warn("Request blocked due to domain being ignored.")
 return _responses.MediaBlocked()
 }
diff --git a/api/unstable/local_copy.go b/api/unstable/local_copy.go
index f10c1adc..03684f8e 100644
--- a/api/unstable/local_copy.go
+++ b/api/unstable/local_copy.go
@@ -46,7 +46,7 @@ func LocalCopy(r *http.Request, rctx rcontext.RequestContext, user _apimeta.User
 "allowRemote": downloadRemote,
 })

- if !util.IsGlobalAdmin(user.UserId) && util.IsHostIgnored(server) {
+ if util.IsHostIgnored(server) && !util.IsGlobalAdmin(user.UserId) {
 rctx.Log.Warn("Request blocked due to domain being ignored.")
 return _responses.MediaBlocked()
 }
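Review bot: In api/unstable/info.go (and on the same line in api/unstable/local_copy.go) swapping the operands only changes evaluation order, so whether a request with an empty `user.UserId` is blocked still depends on what `util.IsGlobalAdmin` returns for `""`, which is not visible in this patch. The r0 handlers in the same commit test the empty ID explicitly; for consistency the condition here could read `if util.IsHostIgnored(server) && (user.UserId == "" || !util.IsGlobalAdmin(user.UserId)) {`. If these routes can only be reached with a valid user token the extra term is redundant but harmless, and it removes the dependency on the helper's behaviour for an empty string. MediaInfo and LocalCopy both continue outside their hunks.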