uploads: Allow access to the /download/ variant anonymously.

This was mistakenly left off of b799ec32b0.

zerver/tests/test_upload.py

@@ -263,6 +263,15 @@ class FileUploadTest(UploadSerializeMixin, ZulipTestCase):
             response = self.client_get(url)
             self.assertEqual(response.status_code, 403)
 
+        # Check that the /download/ variant works as well
+        download_url = url.replace("/user_uploads/", "/user_uploads/download/")
+        with ratelimit_rule(86400, 1000, domain="spectator_attachment_access_by_file"):
+            response = self.client_get(download_url)
+            self.assertEqual(response.status_code, 200)
+        with ratelimit_rule(86400, 0, domain="spectator_attachment_access_by_file"):
+            response = self.client_get(download_url)
+            self.assertEqual(response.status_code, 403)
+
         # Deny random file access
         response = self.client_get(
             "/user_uploads/2/71/QYB7LA-ULMYEad-QfLMxmI2e/zulip-non-existent.txt"

zerver/views/upload.py

@@ -137,10 +137,13 @@ def serve_local(
 
 
 def serve_file_download_backend(
-    request: HttpRequest, user_profile: UserProfile, realm_id_str: str, filename: str
+    request: HttpRequest,
+    maybe_user_profile: Union[UserProfile, AnonymousUser],
+    realm_id_str: str,
+    filename: str,
 ) -> HttpResponseBase:
     return serve_file(
-        request, user_profile, realm_id_str, filename, url_only=False, force_download=True
+        request, maybe_user_profile, realm_id_str, filename, url_only=False, force_download=True
     )
 
 

zproject/urls.py

@@ -646,7 +646,7 @@ urls += [
     ),
     rest_path(
         "user_uploads/download/<realm_id_str>/<path:filename>",
-        GET=(serve_file_download_backend, {"override_api_url_scheme"}),
+        GET=(serve_file_download_backend, {"override_api_url_scheme", "allow_anonymous_user_web"}),
     ),
     rest_path(
         "user_uploads/<realm_id_str>/<path:filename>",