adds checking auth/perms to tiles route

containers.py

@@ -288,19 +288,15 @@ class Container(base.RequestHandler):
     def get_tile(self, cid):
         """fetch info about a tiled tiff, or retrieve a specific tile."""
         _id = bson.ObjectId(cid)
-        montage_info = self.dbc.find_one(
-            {
-                '_id': _id,
-                '$and': [
-                    {'files.kinds': ['montage']},
-                    {'files.ext': '.zip'},
-                ],
-            },
-            ['files.$'],
-        )
+        container, _ = self._get(_id, 'ro')  # need at least read access to view tiles
+        montage_info = None
+        for f in container.get('files'):
+            if f['kinds'] == ['montage'] and f['ext'] == '.zip':
+                montage_info = f
+                break
         if not montage_info:
             self.abort(404, 'montage zip not found')
-        fn = montage_info['files'][0]['name'] + montage_info['files'][0]['ext']
+        fn = montage_info['name'] + montage_info['ext']
         fp = os.path.join(self.app.config['data_path'], cid[-3:], cid, fn)
         z = self.request.get('z')
         x = self.request.get('x')