Merge commit from fork

Require authentication for thumbnail image access

Author: jneilliii

octoprint_prusaslicerthumbnails/__init__.py

@@ -345,13 +345,37 @@ def get_extension_tree(self, *args, **kwargs):
 
 	# ~~ Routes hook
 	def route_hook(self, server_routes, *args, **kwargs):
-		from octoprint.server.util.tornado import LargeResponseHandler, path_validation_factory
+		from octoprint.server import app
+		from octoprint.server.util.flask import (
+			permission_validator,
+		)
+		from octoprint.server.util.tornado import (
+			LargeResponseHandler,
+			access_validation_factory,
+			path_validation_factory,
+		)
 		from octoprint.util import is_hidden_path
+
 		thumbnail_root_path = self._file_manager.path_on_disk("local", "") if self._settings.get_boolean(["use_uploads_folder"]) else self.get_plugin_data_folder()
+
 		return [
-			(r"thumbnail/(.*)", LargeResponseHandler,
-			 {'path': thumbnail_root_path, 'as_attachment': False, 'path_validation': path_validation_factory(
-				 lambda path: not is_hidden_path(path), status_code=404)})
+			(
+				r"thumbnail/(.*)",
+				LargeResponseHandler,
+				{
+					'path': thumbnail_root_path,
+					'as_attachment': False,
+					'path_validation': path_validation_factory(
+						lambda path: not is_hidden_path(path),
+						status_code=404
+					),
+					"access_validation": access_validation_factory(
+						app,
+						permission_validator,
+						Permissions.FILES_LIST,
+					),
+				}
+			)
 		]
 
 	# ~~ Server API Before Request Hook

setup.py

@@ -14,7 +14,7 @@
 plugin_name = "Slicer Thumbnails"
 
 # The plugin's version. Can be overwritten within OctoPrint's internal data via __plugin_version__ in the plugin module
-plugin_version = "1.1.0"
+plugin_version = "1.2.0"
 
 # The plugin's description. Can be overwritten within OctoPrint's internal data via __plugin_description__ in the plugin
 # module