On Thu, Aug 13, 2009 at 1:00 PM, stupidgeek <thestupidg...@gmail.com> wrote:
> I've written a faculty review system, with tight checks on access for
> reviews, based on committees, etc. Each review contains a document,
> held by a models.FileField, and I would like to restrict access to the
> file; i.e. not put it under my DocumentRoot (/var/www), so that it can
> only be accessed from within django only (and, of course, access will
> be limited by my views).

i've done this, three steps:

1.- move your files out of the dirs normally accessible by the HTTP server. now you can't access them anymore, your site is broken.

2.- add the urls to urls.py to make Django itself manage the file serving. add your own views (maybe as wrappers to the normal media handling views), so that you can check the required privileges. Now you can again access the files and your site is functional again; but it's unbearably slow, and quite possibly breaks on big files.

3.- replace the data-serving (last) step on your views with the server-specific headers on the response object that tell your HTTP server to serve the file. be sure to delete (or comment) the part where you put the file's content in the response.

done!

in my case, i'm using NginX, so i had to add an 'X-Accel-Redirect' with the path to the file. i think for Apache and lighttpd you do something similar, but pass a URL instead of a local path. be sure to make that URL work only when asked locally.

--
Javier
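
Step 3 for nginx, as an added example that is not part of the original message: the view checks privileges and returns only an `X-Accel-Redirect` header, after rejecting stored names that would escape the protected tree. The `/protected/` location, the `/srv/reviews/` path, the `reviews.models.Review` model and its `can_be_read_by` method are assumptions made for illustration.

```python
import posixpath
from urllib.parse import quote

# Assumption: nginx serves the out-of-webroot directory only via an internal
# location, e.g.  location /protected/ { internal; alias /srv/reviews/; }
INTERNAL_PREFIX = "/protected/"


def accel_redirect_uri(stored_name):
    """Map a FileField name (path relative to storage) to the internal URI.

    Returns None for names that could escape the protected tree.
    """
    if not stored_name or "\\" in stored_name or "\x00" in stored_name:
        return None
    clean = posixpath.normpath(stored_name)
    if clean in (".", "..") or clean.startswith(("/", "../")):
        return None
    # nginx expects an escaped URI in X-Accel-Redirect.
    return INTERNAL_PREFIX + quote(clean)


def download_decision(allowed, stored_name):
    """Return (status, headers). The file body is never read in Python."""
    if not allowed:
        return 403, {}
    uri = accel_redirect_uri(stored_name)
    if uri is None:
        return 404, {}
    return 200, {"X-Accel-Redirect": uri,
                 "Content-Type": "application/octet-stream"}


def download_review(request, review_id):
    """Django view wrapper (step 3): check privileges, then hand off to nginx."""
    # Imported here so the helpers above run without a configured project.
    from django.http import HttpResponse
    from django.shortcuts import get_object_or_404
    from reviews.models import Review  # hypothetical app and model

    review = get_object_or_404(Review, pk=review_id)
    # Hypothetical permission rule; substitute the site's committee checks.
    allowed = request.user.is_authenticated and review.can_be_read_by(request.user)
    status, headers = download_decision(allowed, review.document.name)
    response = HttpResponse(status=status)  # empty body on purpose
    for name, value in headers.items():
        response[name] = value
    return response
```

Because the nginx location is marked `internal`, a client requesting `/protected/...` directly gets a 404; only a response from the Django view can trigger the file transfer.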