DJBarnes
commented
2 years ago Fixed. Now skips checking for permissions / login required for all requests that start with a URL that matches the MEDIA_URL setting. One caveat is that if the MEDIA_URL is left with the default value, it will not allow media files through. This is because the default is effectively '/', the root of the site, and more than likely all actual media will be in a separate URL such as '/media/' anyway. Allowing it to work with the MEDIA_URL setting set to the default value would essentially invalidate all protection since every single URL in the site will start with '/'. Hence why it still blocks if the MEDIA_URL is the default and not set to something else.
If you are trying to serve Media files with manage.py runserver, it is impossible to get the media files to serve properly when Login Required and/or Strict Policy is turned on. This is because there is no way to add the media URL to the Whitelists.
Should maybe just add some additional logic to the Middleware to look at the media URL and count anything that starts with that URL as valid. Use a regex to ensure URLs start with the media URL.
Not sure if static files could also be affected?