If you are using Apache, you can simply disable the indexing of files in your Apache conf Directory directive.
This will give a 403 Forbidden if you try to access the directory from Apache, hence no files are seen.

    <Directory /home/directory/>
        Options -Indexes
    </Directory>

I hope this helps.

Regards
//Vikalp

2010/11/11 Łukasz Rekucki <lreku...@gmail.com>
> On 11 November 2010 03:19, andy <flowar...@gmail.com> wrote:
> > Django recommends saving images to the file system since this gives
> > better performance than storing the files in a database. However I
> > don't see any documentation on how to restrict access to those files
> > by user. If someone knows the URL to your image directory they could
> > possibly view all the content of that directory. If you create a
> > social network or a multi tenant application how will you handle this
> > issue?
> >
> > While writing this up I learned about preventing directory listing, is
> > this secure enough? How about obfuscating file or directory names?
>
> This largely depends on what your HTTP server can do, but with Apache
> you can use the X-Sendfile header. This works like this:
>
> 0. Install mod_xsendfile and put "XSendFile On" in your Apache config.
> See also [1].
>
> 1. Instead of putting the images in a location with all the other
> media, put them in a protected location - one which the server can read,
> but which is not associated with any Location.
>
> 2. Create a view that will check permissions for a given file. As a
> response return an empty HttpResponse with an "X-Sendfile" header
> containing the full filesystem path of the file to be served, or a 403
> if the person is not permitted.
>
> 3. Apache will look at the response for the X-Sendfile header and if
> present the file that the header points to will be served as the
> response instead.
>
> This way you can check permissions in your Django app, while still
> having the speed of serving static files directly by the HTTP server. A
> similar solution is also available for nginx [2] and probably other
> webservers.
>
> [1]: https://tn123.org/mod_xsendfile/
> [2]: http://wiki.nginx.org/NginxXSendfile
>
> --
> Łukasz Rekucki
>
> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To post to this group, send email to django-us...@googlegroups.com.
> To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
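Łukasz's steps 1 to 3 (a protected directory that no Location maps to, a view that checks permission, then either an X-Sendfile header or a 403) as an added Python example; this is not code from the thread, from mod_xsendfile or from Django. PROTECTED_ROOT, the OWNERS table and the can_read() policy are constructed stand-ins for a real model lookup, and the containment check in resolve_under_root() is an addition beyond what the thread discusses: it keeps a user-supplied name from naming a file outside the protected directory. The Django wrapper imports django.http lazily so the decision logic can be run and tested without Django installed.

```python
"""Permission-checked file delivery via X-Sendfile (added example, not from the thread)."""
import mimetypes
import os

# Assumption: a directory Apache can read but that no Alias/Location maps to,
# so the only way to fetch a file from it is through the view below.
PROTECTED_ROOT = "/srv/protected_media"

# Constructed sample data: which user owns each stored file (stands in for a model).
OWNERS = {
    "alice/avatar.png": "alice",
    "bob/report.pdf": "bob",
}


def can_read(username, relative_name):
    """Constructed policy: only the owner may read a file. Replace with a model query."""
    return OWNERS.get(relative_name) == username


def resolve_under_root(root, relative_name):
    """Return the real path of root/relative_name, or None if it escapes root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative_name))
    # commonpath equals root_real only when candidate lies inside it;
    # "../x" and absolute names both fall outside and are rejected.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def file_response(username, relative_name, root=PROTECTED_ROOT):
    """Decide the status and headers for a request; the body is always empty.

    Returns (status, headers). With "XSendFile On", Apache replaces the empty
    200 body with the file named in X-Sendfile; a 403 or 404 passes through unchanged.
    """
    path = resolve_under_root(root, relative_name)
    if path is None or relative_name not in OWNERS:
        return 404, {}            # unknown or escaping name: reveal nothing
    if not can_read(username, relative_name):
        return 403, {}            # step 2: known file, but this user may not read it
    content_type, _ = mimetypes.guess_type(path)
    return 200, {
        "X-Sendfile": path,       # step 3: Apache serves this path instead of the body
        "Content-Type": content_type or "application/octet-stream",
    }


def serve_protected(request, relative_name):
    """Django view wrapper around file_response(); wire it up in urlpatterns."""
    from django.http import HttpResponse  # lazy import: module loads without Django
    status, headers = file_response(request.user.get_username(), relative_name)
    response = HttpResponse(status=status)
    for name, value in headers.items():
        response[name] = value
    return response
```

Two things to check on the Apache side when deploying this pattern: the protected directory must really be unreachable by any Alias or Location (otherwise the view is bypassed), and mod_xsendfile's XSendFilePath directive should list only that directory, so a header naming a path elsewhere is refused by the server even if the view has a bug.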