bradleyg / django-s3direct

Directly upload files to S3 compatible services with Django.
MIT License

Anyone can get an AWS signature without any control check #138

Closed FrancoisDupayrat closed 5 years ago

FrancoisDupayrat commented 6 years ago

There is no access control in get_aws_v4_signature view, meaning anyone who can obtain a csrf token (including anonymous users who view a login page with a csrf token for example) can upload everywhere this user has access to.

This is a serious vulnerability, as well as being sub-optimal (2 requests where one is enough).

Proposed fix: merge with get_upload_params so that the signature is returned directly when requesting an upload URL.

bluppfisk commented 6 years ago

Wow, good find. This should be fixed indeed. Can one add @staff_member_required instead of merging these?