On 20/05/2010 11:00am, Lee Hinde wrote:
I'm working on an intranet app for a client that will have file uploads.
I'm early in the process, but have the uploading working just fine via
admin.

Once we get to deployment, I'm unclear on how to coordinate the security
that Django will know about (group X has access to X's files, but not
group Y's),

When I poke around for discussions on protecting uploaded files, the
most recent and seemingly on point discussion is here:

http://stackoverflow.com/questions/2780893/django-authentication-htaccess-static

Which is basically suggesting that one hash the name and hope that
no-one guesses the resulting path.

What's best practice here?

If it has to be secure rather than just wishful thinking, the web server must demand credentials. If you are using Apache, that means .htaccess files which point to a list of credentials for each group.

Maybe you could obtain a Django authentication backend which Apache can use as well? On an intranet you should be able to access LDAP connectivity somewhere - Microsoft AD, Novell eDirectory or Linux LDAP.

I'm very interested in your progress here because I have to travel this road in the medium-term future.

I have done a test implementation of Peter Herndon's django-ldap-groups with eDir and one of the next steps for me is to look at the Apache LDAP docs.

http://code.google.com/p/django-ldap-groups/

Good luck

Mike


Thanks.

   - Lee

--
You received this message because you are subscribed to the Google
Groups "Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en.
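
What the per-group .htaccess setup described in the reply could look like, as an added example that is not part of the original thread. The file paths, group names, and the LDAP host and DNs are assumptions chosen for illustration.

```apache
# --- httpd.conf (server config): allow .htaccess to set auth in the upload tree ---
# /srv/intranet/media is an assumed location for Django's MEDIA_ROOT.
<Directory "/srv/intranet/media">
    AllowOverride AuthConfig
    Options -Indexes
</Directory>

# --- /srv/intranet/media/groupx/.htaccess (file-based credentials) ---
# Basic auth sends the password with every request, so serve this tree over HTTPS.
AuthType Basic
AuthName "Group X files"
AuthBasicProvider file
# Keep both files outside any directory Apache serves.
AuthUserFile  /etc/apache2/intranet.htpasswd
# Group file lines have the form:  groupx: alice bob
AuthGroupFile /etc/apache2/intranet.groups
# Only members of groupx get in; a valid login from groupy is refused.
Require group groupx

# --- /srv/intranet/media/groupy/.htaccess (same rule, LDAP-backed) ---
# Needs mod_authnz_ldap. Host, base DN and group DN are placeholders.
AuthType Basic
AuthName "Group Y files"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid"
Require ldap-group cn=groupy,ou=groups,dc=example,dc=internal
```

With the file-based variant, Apache's credential and group files are a separate store from Django's users and groups and have to be kept in step with them; the LDAP variant avoids that only if Django authenticates against the same directory.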
