On 11 November 2010 03:19, andy <flowar...@gmail.com> wrote:
> Django recommends saving images to the file system since this gives
> better performance than storing the files in a database. However I
> don't see any documentation on how to restrict access to those files
> by user. If someone knows the URL to your image directory they could
> possibly view all the content of that directory. If you create a
> social network or a multi-tenant application, how will you handle this
> issue?
>
> While writing this up I learned about preventing directory listing. Is
> this secure enough? How about obfuscating file or directory names?
This largely depends on what your HTTP server can do, but with Apache you can use the X-Sendfile header. This works like this:

0. Install mod_xsendfile and put "XSendFile On" in your Apache config. See also [1].

1. Instead of putting the images in a location with all the other media, put them in a protected location - one which the server can read, but which is not associated with any Location.

2. Create a view that will check permissions for a given file. As a response return an empty HttpResponse with an "X-Sendfile" header containing the full filesystem path of the file to be served, or a 403 if the person is not permitted.

3. Apache will look at the response for the X-Sendfile header and, if present, the file that the header points to will be served as the response instead.

This way you can check permissions in your Django app, while still having the speed of serving static files directly by the HTTP server. A similar solution is also available for nginx[2] and probably other webservers.

[1]: https://tn123.org/mod_xsendfile/
[2]: http://wiki.nginx.org/NginxXSendfile

--
Łukasz Rekucki
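The permission-checking view from steps 1-3, as an added example (not code from the thread or from Django itself). The decision logic is written framework-agnostic so it runs without Django installed; the small Django view at the end only maps the result onto an HttpResponse. The protected root path (/srv/protected), the "one directory per user" ownership rule and the sample files are assumptions of this example. Two checks a practitioner would want beyond the reply are included: the resolved path must stay inside the protected root (otherwise a name like "../settings.py" would be handed to Apache), and the name must not contain CR/LF, which would otherwise end up inside a response header.

```python
"""Permission-checked file delivery via X-Sendfile (added example)."""
import mimetypes
import os
import tempfile


def sendfile_response(protected_root, requested, user_may_access):
    """Decide how to answer a request for `requested` under protected_root.

    Returns (status, headers). On 200 the body is meant to be empty: the
    X-Sendfile header tells mod_xsendfile which file to stream in its place.
    user_may_access(abs_path) is the application's own permission rule.
    """
    # Header values must not carry CR, LF or NUL; refuse rather than let a
    # crafted name inject extra headers (Django's HttpResponse raises too).
    if any(c in requested for c in "\r\n\x00"):
        return 400, {}

    root = os.path.realpath(protected_root)
    # realpath() resolves ".." and symlinks; a result outside root means the
    # requested name tried to escape the protected directory (absolute
    # names such as "/etc/passwd" also land here, since join() discards root).
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        return 403, {}

    if not os.path.isfile(path):
        return 404, {}

    if not user_may_access(path):
        return 403, {}

    # mod_xsendfile fills in the body and Content-Length from the file;
    # the content type is set here from the extension (assumed layout).
    ctype, _ = mimetypes.guess_type(path)
    return 200, {
        "X-Sendfile": path,
        "Content-Type": ctype or "application/octet-stream",
    }


def make_owner_rule(protected_root, username):
    """Assumed ownership rule: <root>/<username>/... belongs to username."""
    root = os.path.realpath(protected_root)

    def allowed(path):
        rel = os.path.relpath(path, root)  # path is already confined to root
        return rel.split(os.sep, 1)[0] == username

    return allowed


def make_demo_root():
    """Build a throwaway protected directory with one constructed file per
    user, so the example runs offline (sample data, not real uploads)."""
    root = tempfile.mkdtemp(prefix="protected-")
    for owner in ("alice", "bob"):
        os.makedirs(os.path.join(root, owner))
        with open(os.path.join(root, owner, "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 not really a jpeg")
    return root


try:
    from django.http import HttpResponse

    def protected_file(request, name, protected_root="/srv/protected"):
        """Django view wiring: protected_root is an assumed path. The 200
        response is empty; Apache (XSendFile On) streams the file instead."""
        rule = make_owner_rule(protected_root, request.user.get_username())
        status, headers = sendfile_response(protected_root, name, rule)
        response = HttpResponse(status=status)
        for key, value in headers.items():
            response[key] = value
        return response
except ImportError:  # Django not installed: the decision logic still runs
    pass


if __name__ == "__main__":
    root = make_demo_root()
    alice = make_owner_rule(root, "alice")
    for name in ("alice/photo.jpg", "bob/photo.jpg", "../etc/passwd",
                 "alice/missing.jpg", "alice/x\r\nX-Injected: 1"):
        print(repr(name), "->", sendfile_response(root, name, alice))
```

The protected root must sit outside any Apache Location or Alias, otherwise the permission check is bypassed by fetching the file directly. For nginx the equivalent header is X-Accel-Redirect, and its value is an internal location URI rather than a filesystem path, so only the last step of sendfile_response changes.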