Wednesday, September 25, 2013

Re: Restrict access to user-uploaded files to authorized users

I think Xsendfile is what you want


On Wed, Sep 25, 2013 at 12:51 PM, Mattias Linnap <mattias@linnap.com> wrote:
Are there any obvious solutions that I have overlooked?  Or am I stuck having to use django to serve the files?

Depending on the security that you aim to achieve, one option would be to add a custom file storage implementation that overrides https://github.com/django/django/blob/master/django/core/files/storage.py#L63 to give all uploads randomly generated filenames - and therefore unguessable URLs. In addition, Apache can be configured to redirect any accesses to non-existing files in the media directory to a login page.

Only the original uploading user would know the URL, and be able to access the file. However, this approach would still allow the user to share a direct link to the file to other people.

Mattias



On Tue, Sep 24, 2013 at 9:53 PM, J Y <prismicg@gmail.com> wrote:
I am building a tool that needs to have the ability to allow a user to upload a file, and the file should only be accessible by the user who uploaded it.  It seems that the MEDIA_ROOT directory must be placed in the public www directory for the front-end web server (Apache) to serve the file, which currently does not restrict access to any of the uploaded files.  What I am looking for is a way that I can lock it down so that if they try to access the file directly, I would bring up a login screen and they must authenticate before I give them access to it.

I did some searching around, and found various solutions to the problem, but none of them sounds like it would work for me.  My requirements are:

1. My front-end web server must be Apache
2. Apache setup and config cannot be changed to accommodate my site alone (unless it's a config I can easily override in .htaccess)
3. Users should not have to log in twice (If they authenticated against django already, no reason to ask them to log in to Apache again)
4. Use django to serve the files as a last resort

Here are some of the solutions I found:

1. Update nginx/apache config to hook into django's user database.  This looks like it would ask the user to log in again via Apache's login mechanism, plus it doesn't look like it would work with alternative authentication backends (I am using django-auth-ldap)
2. Use django-sendfile, not possible because it requires installing plugins to Apache
3. Serve files through django.  Not recommended by django, so I am loath to try it
4. Override the MEDIA_ROOT behavior in urls.py and implement my own file serving behavior.  This sounds not all that far off from #3.

Are there any obvious solutions that I have overlooked?  Or am I stuck having to use django to serve the files?

Thanks for any advice,

Jack

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.
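
The two approaches raised in this thread, as an added example that is not code from the thread or from Django itself: a random-name generator of the kind a custom storage's get_available_name override would call (so upload URLs cannot be guessed), and the ownership and path check a Django view would run before handing a file to Apache via X-Sendfile. MEDIA_ROOT, the function names and the sample paths are constructed placeholders.

```python
import os
import secrets
from typing import Optional

# Constructed placeholder, not a path from the thread.
MEDIA_ROOT = "/nonexistent-media-root"


def unguessable_name(original_name: str, random_bytes: int = 32) -> str:
    """Replace the user-supplied filename with a random token.

    Only a short, alphanumeric extension is kept so the resulting URL is
    neither guessable nor enumerable and carries nothing the uploader chose.
    A custom FileSystemStorage.get_available_name() could return this.
    """
    _, ext = os.path.splitext(os.path.basename(original_name))
    ext = ext.lower()
    if not ext[1:].isalnum() or len(ext) > 8:
        ext = ""
    return secrets.token_urlsafe(random_bytes) + ext


def authorized_sendfile_path(requested: str, owner_id: int, user_id: int,
                             media_root: str = MEDIA_ROOT) -> Optional[str]:
    """Return the absolute path to put in an X-Sendfile header, or None.

    owner_id is the uploader recorded in the database for this file and
    user_id the authenticated Django user; Apache never sees the decision,
    it only serves whatever path the view hands back.
    """
    if owner_id != user_id:
        return None
    root = os.path.realpath(media_root)
    full = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # Refuse anything that resolves outside MEDIA_ROOT (e.g. "../").
    if full != root and not full.startswith(root + os.sep):
        return None
    return full


# In a Django view: call authorized_sendfile_path() with request.user.id and
# the owner stored on the model, deny on None, otherwise return an empty
# HttpResponse with the "X-Sendfile" header set to the returned path.
```

Random names alone still yield a shareable capability URL, as Mattias notes; the X-Sendfile check is what ties access to the logged-in user.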
