You can do this with Apache. You need to add mod_xsendfile (http://tn123.ath.cx/mod_xsendfile/) to your Apache config, then control access to the files with a Django view. A quick search of this group turns up references to mod_xsendfile, but no example view, so here's what it might look like for your project:

    import mimetypes
    import os

    from django.conf import settings
    from django.contrib.auth.decorators import login_required
    from django.http import HttpResponse, HttpResponseForbidden
    from django.shortcuts import get_object_or_404

    # ProjectFile is your project's own model; import it from your app.

    @login_required
    def sendfile(request, id):
        project_file = get_object_or_404(ProjectFile, id=id)
        # Authorization: only staff or members of the owning project.
        if not (request.user.is_staff or
                request.user in project_file.project.members.all()):
            return HttpResponseForbidden('No. Sorry.')
        # Empty body: mod_xsendfile sees the header and ships the file.
        response = HttpResponse()
        response['X-Sendfile'] = os.path.join(settings.MEDIA_ROOT,
                                              project_file.file)
        content_type, encoding = mimetypes.guess_type(
            project_file.get_file_url())
        if not content_type:
            content_type = 'application/octet-stream'
        response['Content-Type'] = content_type
        response['Content-Length'] = project_file.get_file_size()
        response['Content-Disposition'] = 'attachment; filename="%s"' % \
            os.path.basename(project_file.get_file_url())
        return response

You get the idea. The Apache config denies access to the upload subdirectory altogether; mod_xsendfile overrides that when it sees the X-Sendfile header in the response from the Django view. You get to use Django for the complex authorization, then it lets Apache handle the grunt work of shipping the file. Pretty nice; I thought this might have been the requirement that finally pushed me over to nginx or lighty, but not yet....

John

On May 15, 2008, at 7:38 PM, Julien wrote:

>
> Hi,
>
> I'm building a website where users can create projects and upload
> files for their projects. I already have a system in place so that
> only members of a project can access the project related pages. Now,
> I'd like it to be more secure by only giving access to the files of a
> project to its members.
>
> It appears to me that simply serving the files with Apache is not
> enough. Does Django provide a way to achieve that? Does it mean I'll
> have to serve the files with 'static.serve' with a layer of
> authorization checking?
>
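An added example, not part of John's message or of mod_xsendfile: the view above builds the X-Sendfile path and the download filename from stored values, so these two helpers check that the resolved path stays under MEDIA_ROOT and that the filename cannot break out of the Content-Disposition header. The function names are hypothetical and only the standard library is used, so it runs without Django.

```python
import os
import re
import tempfile


def resolve_sendfile_path(media_root, stored_name):
    """Return the absolute path to put in X-Sendfile, or None when
    stored_name would resolve outside media_root."""
    root = os.path.realpath(media_root)
    # os.path.join drops root when stored_name is absolute, and ".." or a
    # symlink can climb out of it, so compare fully resolved paths.
    candidate = os.path.realpath(os.path.join(root, stored_name))
    # commonpath compares whole components, so a sibling such as
    # "/srv/media-old" does not pass as being inside "/srv/media".
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def attachment_header(stored_name):
    """Build a Content-Disposition value whose filename cannot close the
    quoted string early or start a new header line."""
    name = os.path.basename(stored_name.replace("\\", "/"))
    # Replace control characters (CR/LF included) and double quotes.
    name = re.sub(r'[\x00-\x1f\x7f"]', "_", name) or "download"
    return 'attachment; filename="%s"' % name


def demo():
    """Run the checks over constructed sample names."""
    root = tempfile.mkdtemp()  # constructed stand-in for settings.MEDIA_ROOT
    samples = [
        "projects/7/report.pdf",   # normal upload path
        "../../etc/passwd",        # parent-directory traversal
        "/etc/passwd",             # absolute path swallows the root
    ]
    return {name: resolve_sendfile_path(root, name) for name in samples}


if __name__ == "__main__":
    for name, path in demo().items():
        print("%-24s -> %s" % (name, path))
    print(attachment_header('notes/q1 "final".pdf'))
```

In the view, a `None` result would be treated like any other refused request, before the X-Sendfile header is set.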