From 3380b73b9c0383e4c71d2ef29e52ec8aab172ce8 Mon Sep 17 00:00:00 2001
From: Dennis Wambua
Date: Tue, 7 Feb 2017 18:13:46 +0300
Subject: [PATCH 1/2] DW/UK: Force authentication for linked dataset media attachment
Signed-off-by: Dennis Wambua
---
 onadata/apps/api/viewsets/xform_list_viewset.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/onadata/apps/api/viewsets/xform_list_viewset.py b/onadata/apps/api/viewsets/xform_list_viewset.py
index 14426784ce..12d3f1a361 100644
--- a/onadata/apps/api/viewsets/xform_list_viewset.py
+++ b/onadata/apps/api/viewsets/xform_list_viewset.py
@@ -140,8 +140,13 @@ def media(self, request, *args, **kwargs):
 meta_obj = get_object_or_404(
 MetaData, data_type='media', object_id=self.object.pk, pk=pk)
+ response = get_media_file_response(meta_obj, request)
- return get_media_file_response(meta_obj, request)
+ if response.status_code == 403 and request.user.is_anonymous():
+ # raises a permission denied exception, forces authentication
+ self.permission_denied(request)
+ else:
+ return response
 class PreviewXFormListViewSet(XFormListViewSet):
From 0c64926667c4c26bc7adf9d7b0a4caf39a29ff15 Mon Sep 17 00:00:00 2001
From: Dennis Wambua
Date: Wed, 8 Feb 2017 16:53:54 +0300
Subject: [PATCH 2/2] Test assert added
Signed-off-by: Dennis Wambua
---
 onadata/apps/api/tests/viewsets/test_xform_list_viewset.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py b/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py
index 8a9a90ffda..5b3b4aac40 100644
--- a/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py
+++ b/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py
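Review bot: In `media()` in xform_list_viewset.py, whether the anonymous branch really yields a 401 depends on DRF configuration the comment does not mention: `self.permission_denied(request)` raises `NotAuthenticated` only when authenticators are configured, and DRF downgrades that to a 403 when the first authentication class supplies no `WWW-Authenticate` header. The comment should state the actual mechanism, e.g. `# anonymous 403 on linked dataset media: raise NotAuthenticated so DRF answers with a 401 challenge`. Because that call always raises, the `else:` can be dropped and `return response` placed directly after the guard, so no path looks as if it falls through to an implicit `None`. The access decision is still taken inside `get_media_file_response`, which is not shown here, so this guard only changes how an anonymous denial is reported; `media()` begins above the hunk.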
@@ -535,6 +535,11 @@ def test_retrieve_xform_media_linked_xform(self):
 self.view = XFormListViewSet.as_view({
 "get": "media"
 })
+ request = self.factory.get('/')
+ response = self.view(request, pk=self.xform.pk,
+ metadata=self.metadata.pk, format='csv')
+ self.assertEqual(response.status_code, 401)
+
 request = self.factory.head('/')
 response = self.view(request, pk=self.xform.pk,
 metadata=self.metadata.pk, format='csv')
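Review bot: The new assertion in `test_retrieve_xform_media_linked_xform` pins only the 401 status for the anonymous GET, so it would still pass if the response carried no authentication challenge, and nothing here shows that an authenticated user without access keeps receiving 403. Adding `self.assertTrue(response.has_header('WWW-Authenticate'))` after the status check would cover the part a client needs in order to retry with credentials. A second request made as a logged-in user who lacks access to the linked dataset, asserting 403, would guard against the new branch in `media()` being widened later. The test method continues past the end of this hunk, so the existing HEAD assertions are not visible here.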