What you want to do is first restrict access to the model instance to which 
the file is associated. Presumably this model has a foreign key to your 
User model which you'd associate with the uploading user. Then your view 
will return some non-200 response, like a 401 response if the requesting 
user doesn't match the associated user.

Your view for accessing the file could return the file itself (not ideal), 
redirect to the actual file name (security by obscurity), or act as a guard 
for the file server (let's do that). Presuming you're working with Nginx or 
Apache and local files, you can use X-Accel-Redirects or X-Sendfile to do 
this. Basically the request for a file is made to your Django app, e.g. 
/files/some-file-name.doc, and the app checks if the user can access it. If 
so, the app returns the request with a new header (x-accel-redirect) and 
the file path - this isn't immediately sent to the client, but is instead 
resolved by the web server (i.e. Nginx or Apache) by returning the file 
from its location on the file system. Django verifies, Nginx/Apache does 
the file serving (full explanation here: 
http://wellfireinteractive.com/blog/nginx-django-x-accel-redirects/). 

You can follow a similar strategy for private S3 files, but instead of 
serving them from the web server, generate a temporary access URL to the S3 
resource and return that to the client 
(http://www.gyford.com/phil/writing/2012/09/26/django-s3-temporary.php).

On Tuesday, October 21, 2014 7:14:17 AM UTC-4, Gaurav Gupta wrote:
>
> What is the best way to restrict access of files to specific users. I want 
> to give read access to the user who uploaded the files. 
> In the normal django implementation there seems to be no way to restrict 
> access to file uploads in MEDIA_ROOT. What's the best way to achieve this? 
> Ideally I would also like to send files to S3 and restrict access in the 
> cloud as well. 
>
> Thanks for your help.
>

You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/26840b7c-a227-41c6-8f70-a7fef85fcfe3%40googlegroups.com.
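The guard-view approach described in the reply above, as an added example that is not part of the original thread: Django authenticates and checks ownership, then hands the file to Nginx with an X-Accel-Redirect header. The Upload model stand-in, its owner and name fields, the MEDIA_ROOT value and the /protected/ Nginx location are all assumptions for illustration. The block deliberately avoids Django imports so it runs stand-alone; in a real view `user` is `request.user`, the dictionary lookup is a model query, and the (status, headers) tuple becomes an HttpResponse. Two points the reply leaves implicit are made explicit here: the Nginx location must be marked `internal`, otherwise anyone can request the /protected/ path directly and skip the Django check, and the stored file name is normalized against MEDIA_ROOT before it is handed to Nginx, so a tampered or attacker-chosen name cannot steer the web server outside the media directory.

```python
"""Guard view for private uploads served via Nginx X-Accel-Redirect.

Added example, not code from the original thread. Everything here is an
assumption for illustration: the Upload model stand-in, its owner/name fields,
MEDIA_ROOT, and the /protected/ Nginx location. It deliberately avoids Django
imports so it runs stand-alone; in a real view `user` is request.user, the
lookup is a model query, and the (status, headers) tuple becomes HttpResponse.
"""
import os
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MEDIA_ROOT = "/srv/app/media"    # assumed on-disk location of uploads
INTERNAL_PREFIX = "/protected/"  # assumed Nginx location, must be 'internal'

# Matching Nginx config (assumed). Without 'internal', anyone could fetch
# /protected/... directly and bypass the Django check entirely:
#
#   location /protected/ {
#       internal;
#       alias /srv/app/media/;
#   }


@dataclass(frozen=True)
class User:
    id: int
    is_authenticated: bool = True


@dataclass(frozen=True)
class Upload:
    """Stand-in for a model with an owner ForeignKey and a FileField."""
    owner_id: int
    name: str  # relative to MEDIA_ROOT, as FileField.name stores it


# Constructed sample rows standing in for the database. The second one
# simulates a tampered name; the guard must not let it steer Nginx out of
# MEDIA_ROOT.
UPLOADS: Dict[str, Upload] = {
    "report.doc": Upload(owner_id=1, name="uploads/1/report.doc"),
    "evil.doc": Upload(owner_id=1, name="../../etc/passwd"),
}


def safe_media_path(name: str) -> Optional[str]:
    """Return `name` normalized relative to MEDIA_ROOT, or None if it escapes.

    commonpath (not a string-prefix test) is used so that a sibling directory
    such as /srv/app/media2 is rejected as well.
    """
    full = os.path.normpath(os.path.join(MEDIA_ROOT, name))
    if os.path.commonpath([MEDIA_ROOT, full]) != MEDIA_ROOT:
        return None
    return os.path.relpath(full, MEDIA_ROOT)


def guarded_download(user: Optional[User], key: str) -> Tuple[int, Dict[str, str]]:
    """View logic: authenticate, authorize against the owner, then hand the
    file to Nginx via X-Accel-Redirect. Returns (status, headers)."""
    if user is None or not user.is_authenticated:
        return 401, {}
    upload = UPLOADS.get(key)
    if upload is None:
        return 404, {}
    if upload.owner_id != user.id:
        # 403 for a non-owner; returning 404 instead would avoid confirming
        # to other users that the file exists at all.
        return 403, {}
    rel = safe_media_path(upload.name)
    if rel is None:
        return 404, {}
    internal = posixpath.join(INTERNAL_PREFIX, rel.replace(os.sep, "/"))
    headers = {
        # Nginx consumes this header and serves the file itself; the client
        # never sees the internal path.
        "X-Accel-Redirect": internal,
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"'
                               % os.path.basename(rel).replace('"', ""),
    }
    return 200, headers


if __name__ == "__main__":
    for who, key in [(None, "report.doc"), (User(2), "report.doc"),
                     (User(1), "report.doc"), (User(1), "evil.doc")]:
        print(who, key, guarded_download(who, key))
```

The response body is empty on the 200 path on purpose: Django only decides, and Nginx (with `alias` under an `internal` location) does the byte-serving, so large files never pass through a Python worker. The same shape applies to Apache with mod_xsendfile by swapping the header name for X-Sendfile and the internal prefix for an absolute path.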