Nate wrote:
> Hi all,
> I've been googling for days and haven't really found a good solution
> to my problem.
>
> I am building a site where a user can view photos and then choose
> which of the photos they want to purchase. (Weddings/parties/HS
> graduation etc...) My client doesn't want other users of the site to
> be able to access another user's event photos.
> So far the only way I can think to truly secure photos from another
> user is to serve the image up through Django, but the website says
> it's inefficient and insecure. Honestly, the inefficiency, I can
> probably deal with as this site will be for a local photographer who
> probably won't be getting millions of hits per day, but the insecurity
> is what I'm worried about.
>
> I read Django's way of protecting static files, but that only limits
> it to a group of people and not an individual.
>
> Can anyone help me?
>
> Thanks!
>
>   
pure-ftpd might be worth looking at. It is an FTP server that lets you 
authenticate requests against a MySQL database, and also write simple 
custom authentication backends.

http://www.pureftpd.org/project/pure-ftpd

One way to use it is when someone logs into the site, give them 
time-limited access from the IP address they are using, which is renewed 
every time they view a new page, say for five minutes. This isn't 
perfect security, but would prevent casual attempts to view someone 
else's pictures.

I was going to say that another way would be to embed FTP username / 
password info in the img tags of the pages Django serves. I.e. instead of:

<img src="http://static.mysite.com/path/img1.jpg">

you would have:

<img src="ftp://user1:[EMAIL PROTECTED]/path/img1.jpg">

However, Microsoft have added a 'feature' to IE7 which prevents it from 
opening URLs of this sort, in order (they say) to prevent the risk of 
spoofing attacks like links with the form: 
http://[EMAIL PROTECTED]

See:
http://support.microsoft.com/kb/834489

andy.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
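
The time-limited, per-IP access described in the reply above, sketched as an added example (not code from the thread or from pure-ftpd). `GrantStore`, `photo_root` and the username rule are assumptions; the glue that calls this from a custom FTP authentication backend is not shown.

```python
import re
import time

GRANT_TTL = 5 * 60  # seconds; the "say for five minutes" window from the reply
USERNAME_RE = re.compile(r"[a-z0-9_-]{1,32}")  # assumed rule; blocks "../" in paths


class GrantStore:
    """In-memory stand-in for the table an FTP auth backend would query."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._grants = {}  # (username, ip) -> expiry timestamp

    def renew(self, username, ip):
        """Call from every authenticated page view to slide the window forward."""
        if not USERNAME_RE.fullmatch(username):
            raise ValueError("unexpected characters in username")
        self._grants[(username, ip)] = self._clock() + GRANT_TTL

    def revoke(self, username):
        """Call on logout so access ends before the window runs out."""
        for key in [k for k in self._grants if k[0] == username]:
            del self._grants[key]

    def home_dir_for(self, username, ip, photo_root="/srv/photos"):
        """Return the one directory this login may see, or None to refuse it."""
        if not USERNAME_RE.fullmatch(username):
            return None
        expiry = self._grants.get((username, ip))
        if expiry is None or self._clock() >= expiry:
            self._grants.pop((username, ip), None)  # drop the stale entry
            return None
        # Each user is confined to their own event directory, never a shared root.
        return f"{photo_root}/{username}"


if __name__ == "__main__":
    store = GrantStore()
    store.renew("alice", "203.0.113.7")  # constructed sample user and address
    print(store.home_dir_for("alice", "203.0.113.7"))   # granted
    print(store.home_dir_for("alice", "198.51.100.9"))  # other address: refused
    print(store.home_dir_for("bob", "203.0.113.7"))     # other user: refused
```

The check is keyed on username and source address only, so clients that share one address (for example behind the same NAT) are indistinguishable to it, which is the limit the reply concedes with "this isn't perfect security".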