Re: Securing files held by FileField.
Thanks a lot, Javier! There were a few caveats to getting this to work for me, but I've gotten there, finally! For anyone else who wants to use this solution, check out this posting by a bloke named Andre, who was extremely helpful when I emailed him asking for a bit of a hand: http://andre.liquidmm.com/blog/2009/mar/24/secure-downloads/ Also, here is the homepage for the module: http://tn123.ath.cx/mod_xsendfile/ And here is a .deb for all you Debian based people: http://www.screenage.de/blog/2008/02/22/libapache2-mod-xsendfile-processes-x-sendfile-headers-with-apache2/ One extra note: if you are going above your DocumentRoot, you must use XSendFileAllowAbove On - for some reason I thought this was optional, and it caused me a couple of hours of 404s. Of course, Andre was helpful in helping realise my silliness. So, thanks to you all. This finishes my project for me =D Brenton. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: Securing files held by FileField.
On Thu, Aug 13, 2009 at 3:43 PM, stupidgeek wrote: > Thanks to both of you for the advice - Ben, yours seems to be like a > step four to Javier's solution. I like it, but will only say I'll > maybe try it once I've got the serving done Javier's way. what i get from Ben's comment is more like my step 2, but with a couple extra hoops to get to the URL. doesn't do anything for security, since in he ends serving the file with Django anyway. > Javier, could you post some example code? I'm pretty sure this is bang- > on what I want, although as I said, I'm using apache. this is what i do on views.py: http://dpaste.com/80251/ for Apache, you have to use 'X-Sendfile' instead of 'X-Accel-Redirect'. i don't know if you have to add the private directory to some configuration. (in nginx i had to register the directory with a 'private' flag) -- Javier --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: Securing files held by FileField.
Thanks to both of you for the advice - Ben, yours seems to be like a step four to Javier's solution. I like it, but will only say I'll maybe try it once I've got the serving done Javier's way. Javier, could you post some example code? I'm pretty sure this is bang- on what I want, although as I said, I'm using apache. Cheers, Brenton. On Aug 13, 3:10 pm, BenW wrote: > If you want to prevent hotlinking to your documents or illicit access, > then I would suggest writing a view that generates a unique URL per > access. For instance, a user hits your view, they get a randomly > generated link to access the file. You store that random link in > their session as a one-to-one mapping to the pk of the file they want > to download -- then you have a url/view that will take that random > link and lookup the file. Afterward that random link is purged from > their session. Of course, this also means that Django would have to > either serve the file itself, or you would have to rename the file on > disk after every access .. which would be lame. > > On Aug 13, 11:00 am, stupidgeek wrote: > > > Hi there, > > > So I'm practically done with my first django site (i've worked with > > PHP for years, and I'm so glad I found django), but I am having some > > trouble with securing files; let me explain: > > > I've written a faculty review system, with tight checks on access for > > reviews, based on committees, etc. Each review contains a document, > > held by a models.FileField, and I would like to restrict access to the > > file; ie not put it under my DocumentRoot (/var/www), so that it can > > only be accessed from within django only (and, of course, access will > > be limited by my views). > > > Is this possible? As far as I understand, when you access a FileField, > > you get back the filename, which you then use somehow to link to it. > > This of course means that the file must be under the document root, > > which doesn't secure it for me (as anyone with the URL will be able to > > access it) - this is NOT an option. > > > I'd be happy if someone could even link me to relevant docs. > > > Thanks, > > Brenton. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: Securing files held by FileField.
If you want to prevent hotlinking to your documents or illicit access, then I would suggest writing a view that generates a unique URL per access. For instance, a user hits your view, they get a randomly generated link to access the file. You store that random link in their session as a one-to-one mapping to the pk of the file they want to download -- then you have a url/view that will take that random link and lookup the file. Afterward that random link is purged from their session. Of course, this also means that Django would have to either serve the file itself, or you would have to rename the file on disk after every access .. which would be lame. On Aug 13, 11:00 am, stupidgeek wrote: > Hi there, > > So I'm practically done with my first django site (i've worked with > PHP for years, and I'm so glad I found django), but I am having some > trouble with securing files; let me explain: > > I've written a faculty review system, with tight checks on access for > reviews, based on committees, etc. Each review contains a document, > held by a models.FileField, and I would like to restrict access to the > file; ie not put it under my DocumentRoot (/var/www), so that it can > only be accessed from within django only (and, of course, access will > be limited by my views). > > Is this possible? As far as I understand, when you access a FileField, > you get back the filename, which you then use somehow to link to it. > This of course means that the file must be under the document root, > which doesn't secure it for me (as anyone with the URL will be able to > access it) - this is NOT an option. > > I'd be happy if someone could even link me to relevant docs. > > Thanks, > Brenton. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Re: Securing files held by FileField.
On Thu, Aug 13, 2009 at 1:00 PM, stupidgeek wrote: > I've written a faculty review system, with tight checks on access for > reviews, based on committees, etc. Each review contains a document, > held by a models.FileField, and I would like to restrict access to the > file; ie not put it under my DocumentRoot (/var/www), so that it can > only be accessed from within django only (and, of course, access will > be limited by my views). i've done this, three steps: 1.- move your files out of the dirs normally accesible by the HTTP server. now you can't access them anymore, your site is broken. 2.- add the urls to urls.py to make Django itself manage the file serving. add your own views (maybe as wrappers to the normal media handling views), so that you can check the required privileges. Now you can again access the files and your site is functional again; but it's unbearably slow, and quite possibly breaks on big files. 3.- replace the data-serving (last) step on your views with the server-specific headers on the response object that tell your HTTP server to serve the file. be sure to delete (or comment) the part where you put the file's content in the response. done! in my case, i'm using NginX, so i had to add an 'X-Accel-Redirect' with the path to the file. i think for Apache and lightttpd you do something similar, but pass an URL instead of a local path. be sure to make that URL work only when asked locally. -- Javier --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
Securing files held by FileField.
Hi there, So I'm practically done with my first django site (i've worked with PHP for years, and I'm so glad I found django), but I am having some trouble with securing files; let me explain: I've written a faculty review system, with tight checks on access for reviews, based on committees, etc. Each review contains a document, held by a models.FileField, and I would like to restrict access to the file; ie not put it under my DocumentRoot (/var/www), so that it can only be accessed from within django only (and, of course, access will be limited by my views). Is this possible? As far as I understand, when you access a FileField, you get back the filename, which you then use somehow to link to it. This of course means that the file must be under the document root, which doesn't secure it for me (as anyone with the URL will be able to access it) - this is NOT an option. I'd be happy if someone could even link me to relevant docs. Thanks, Brenton. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~--~~~~--~~--~--~---
