You can do this with Apache. You need to add mod_xsendfile
(http://tn123.ath.cx/mod_xsendfile/) to your Apache config, then control
access to the files with a Django view. A quick search of this group turns
up references to mod_xsendfile, but no example view, so here's what it
might look like for your project:

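import mimetypes
import os

from django.conf import settings
from django.contrib.auth.decorators import login_required
from django.http import HttpResponse, HttpResponseForbidden
from django.shortcuts import get_object_or_404

# ProjectFile is the project's own model; import it from your app's models.


@login_required
def sendfile(request, id):
    project_file = get_object_or_404(ProjectFile, id=id)

    # Only staff and members of the file's project may download it.
    if not (request.user.is_staff or request.user in project_file.project.members.all()):
        return HttpResponseForbidden('No. Sorry.')

    # Empty body: mod_xsendfile replaces it with the file named in X-Sendfile.
    response = HttpResponse()
    response['X-Sendfile'] = os.path.join(settings.MEDIA_ROOT, project_file.file)
    content_type, encoding = mimetypes.guess_type(project_file.get_file_url())
    if not content_type:
        content_type = 'application/octet-stream'
    response['Content-Type'] = content_type
    response['Content-Length'] = project_file.get_file_size()
    response['Content-Disposition'] = 'attachment; filename="%s"' % os.path.basename(project_file.get_file_url())
    return response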

You get the idea.

The Apache config denies access to the upload subdirectory altogether;  
mod_xsendfile overrides that when it sees the X-Sendfile header in the  
response from the Django view. You get to use Django for the complex  
authorization, then it lets Apache handle the grunt work of shipping  
the file. Pretty nice; I thought this might have been the requirement  
that finally pushed me over to nginx or lighty, but not yet....

John

On May 15, 2008, at 7:38 PM, Julien wrote:

>
> Hi,
>
> I'm building a website where users can create projects and upload
> files for their projects. I already have a system in place so that
> only members of a project can access the project related pages. Now,
> I'd like it to be more secure by only giving access to the files of a
> project to its members.
>
> It appears to me that simply serving the files with Apache is not
> enough. Does Django provide a way to achieve that? Does it mean I'll
> have to serve the files with 'static.serve' with a layer of
> authorization checking?
>
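
An added example, not part of the original message: a standalone helper that builds the same headers as the view above, but first checks that the stored file name resolves inside the media root and strips characters that could break the Content-Disposition header. The names sendfile_headers and UnsafePath and the /srv/media path are assumptions made for illustration.

```python
import mimetypes
import os


class UnsafePath(ValueError):
    """Raised when a stored file name must not be handed to X-Sendfile."""


def sendfile_headers(media_root, stored_name):
    """Return the response headers for an X-Sendfile download.

    media_root  -- directory Apache may send from (assumed to be MEDIA_ROOT)
    stored_name -- relative file name stored on the model (treated as untrusted)
    """
    # Control characters (CR, LF, NUL, ...) have no place in a header value.
    if any(ord(c) < 32 for c in stored_name):
        raise UnsafePath(stored_name)

    root = os.path.realpath(media_root)
    # realpath collapses '..' and follows symlinks. os.path.join drops `root`
    # entirely when stored_name is absolute; the containment check catches that.
    full = os.path.realpath(os.path.join(root, stored_name))
    if full == root or os.path.commonpath([root, full]) != root:
        raise UnsafePath(stored_name)

    content_type, _encoding = mimetypes.guess_type(full)
    # Keep only characters that cannot close the quoted filename parameter.
    base = os.path.basename(full)
    safe_name = "".join(c for c in base if c.isalnum() or c in "._- ") or "download"

    return {
        "X-Sendfile": full,
        "Content-Type": content_type or "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
    }


if __name__ == "__main__":
    # Constructed sample inputs; /srv/media is a placeholder media root.
    for name in ("projects/7/report.pdf", "../../etc/passwd", "/etc/passwd"):
        try:
            print(name, "->", sendfile_headers("/srv/media", name)["X-Sendfile"])
        except UnsafePath:
            print(name, "-> rejected")
```

In a Django view, copy the returned items onto the HttpResponse and turn UnsafePath into a 404 or 403.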

