Tuesday, May 1, 2012

Re: serving client uploaded files

You could use a pseudo-random filename so that it's very unlikely people will be able to easily find others' photos.

If you're very concerned with users being authenticated before viewing the media (which to me, sounds like there won't be a huge load on that segment of your web application) then you can easily use Django to simply store the files to a private directory and let Django handle serving the images. It's not the most efficient technique in terms of speed but it's a reasonable compromise for the security you're looking for.

On Tue, May 1, 2012 at 4:23 AM, Nenad Cikic <nenad.cikic@gmail.com> wrote:
Hello,
how can I serve the uploaded files (images)? What I mean is, I have a few models with images, and I see the images in the change form.
The problem is that I can see the same images by writing directly the media path in the web address. And since the model is designed to have data split between the users I do not want the images to be seen that way.
I have looked and found
https://docs.djangoproject.com/en/dev/howto/static-files/?from=olddocs#staticfiles-other-directories
What I have done is to add to the url the following
url(r'^media/(?P<path>.*)$', "registracija.views.myuploadedfileview", {'document_root': settings.MEDIA_ROOT,}),

and then the view is something as:
  from django.http import HttpResponseNotFound
  from django.views.static import serve

  def myuploadedfileview(request, path, document_root=None, show_indexes=False):
      # parse the request and try to understand if the image is mine
      # (is_my_image is a placeholder for that ownership check, not defined here)
      if request.user.is_authenticated() and is_my_image(request.user, path):
          return serve(request, path, document_root, show_indexes)
      else:
          return HttpResponseNotFound()

This is working; what bothers me is that the serve function is, as in docs, stated to be used only in development.
But if I serve the images directly by the web server, would I bypass my security checks?
Is there any other way to achieve my means?
Thanks
Nenad

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/qJAqbma_ZdAJ.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

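The two approaches from the reply above (unguessable filenames, and Django serving from a private directory only after an ownership check), as an added example that is not code from this thread. It assumes a model with an ``owner`` ForeignKey and an ``image`` FileField, a directory outside MEDIA_ROOT that the web server does not expose, and a Django version where ``request.user.is_authenticated`` is a property; the two helpers are plain Python so the path check can be exercised without Django installed.

```python
import os
import secrets


def random_upload_name(instance, filename):
    """upload_to callable: keep the extension, replace the client-supplied
    name with a random token so URLs cannot be guessed or enumerated."""
    ext = os.path.splitext(filename)[1].lower()
    return "uploads/%s%s" % (secrets.token_urlsafe(24), ext)


def resolve_private_path(root, path):
    """Absolute path of ``path`` under ``root``, or None if the request
    escapes the root ('../', absolute paths, symlinks out of the tree)."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, path))
    if full == root or not full.startswith(root + os.sep):
        return None
    return full


def serve_private_file(request, path, model, root):
    """View body: hand out the file only when a row owned by request.user
    points at it. ``model`` is the assumed model class with owner/image."""
    # Imported here so the helpers above stay importable without Django.
    from django.http import FileResponse, HttpResponseNotFound

    full = resolve_private_path(root, path)
    if full is None or not request.user.is_authenticated:
        return HttpResponseNotFound()
    # Ownership comes from the database row, not from the filename alone.
    if not model.objects.filter(owner=request.user, image=path).exists():
        return HttpResponseNotFound()
    if not os.path.isfile(full):
        return HttpResponseNotFound()
    return FileResponse(open(full, "rb"))
```

Because the files live outside anything the web server maps to a URL, typing the media path directly cannot bypass the check; every download goes through the view.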
