On Wed, Jun 23, 2010 at 11:06 PM, Robert Coup
<robert.c...@koordinates.com> wrote:
> On Thu, Jun 24, 2010 at 4:24 AM, Waldemar Kornewald
> <wkornew...@gmail.com> wrote:
>> FileField gets a new method prepare_upload() which takes the following
>> arguments:
>> * request
>> * upload_url: the target URL of the upload view
>> * private: should this be only privately accessible or also publicly?
>> (default: False; whether this actually works depends on the chosen
>> backend's capabilities and your hosting setup)
>
> There are many shades of grey between public & private, I'm not sure a
> boolean will cut it here for the long term.
>
> - anyone on the net
> - registered users
> - members of a group
> - the uploader & admins...
>
> Can/should we tie this into object-level permissions?

The boolean is sufficient because those permission checks should be
done in the download view (or a router backend):

if request.user.is_authenticated:
    return file.serve()
else:
    # user has no permissions: deny (HttpResponseForbidden is in django.http)
    return HttpResponseForbidden()

This can only work if the upload handler knows whether the file should
be publicly accessible or private. If you want to be able to do
permission checks you say private=True. Only if you know that a
certain file will always be public should you use private=False, which
is nothing more than an optimization, so the download URL (via
file.public_download_url()) doesn't point to Django, but directly to
the file server.

> There are also different URLs as well, which could all be valid for
> the same object:
> - public, nice urls: http://example.com/alex/photos/mycar.jpg

That's what a normal public_download_url() backend would return.

> - obscured urls: http://example.com/asdfgh123456/mycar.jpg

What's the purpose of obscuring the URL?
* If you want shorter URLs and your file server understands that URL
format it can be handled by file.public_download_url(), possibly with
a custom backend.
* If you want short URLs and your file server doesn't understand that
obscured format you can write a custom file.serve() backend or a
custom view which just redirects from the obscured URL to the real
URL.

> - URLs valid for some time (I'm thinking S3/etc):
> http://example.com/alex/photos/mycar.jpg?auth=123456

This should not be file.public_download_url() because this URL will
expire (thus it will not be public forever). Such URLs should be
generated by file.serve() (returning an HttpResponseRedirect) in the
download view.

Bye,
Waldemar Kornewald
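
The flow described in this message (permission check in the download view, then a redirect to a URL that expires), as an added example that is not part of the original email, the proposal's code, or Django's API. The names sign_download_url, verify_download_url and download_view, the key, and the choice of HMAC-SHA256 over path and expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample key; a real deployment loads this from secret storage.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _mac(path, expires, key):
    # Bind the signature to both path and expiry so neither can be swapped.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_download_url(path, ttl_seconds, key=SIGNING_KEY, now=None):
    """Return path?expires=...&auth=... that stays valid for ttl_seconds."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    query = urlencode({"expires": expires, "auth": _mac(path, expires, key)})
    return f"{path}?{query}"


def verify_download_url(url, key=SIGNING_KEY, now=None):
    """File-server side check: True only for an untampered, unexpired URL."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        auth = params["auth"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters are rejected
    expected = _mac(parts.path, expires, key)
    # Constant-time comparison on bytes avoids leaking how many chars matched.
    if not hmac.compare_digest(auth.encode(), expected.encode()):
        return False
    return (time.time() if now is None else now) <= expires


def download_view(user_may_read, path, now=None):
    """Permission check first, then a short-lived URL: (status, location)."""
    if not user_may_read:
        return 403, None
    return 302, sign_download_url(path, ttl_seconds=300, now=now)
```

A URL carrying only a bare token such as ?auth=123456 fails verification here because the expiry is part of the signed message.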

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.