Best practices for restricting media?

517 views

Brett Thomas

Feb 21, 2010, 5:00:20 PM
to django...@googlegroups.com
Hey, this is a pretty basic sysadmin question, but it seems pretty critical for django development. What's the best way to limit media on a django site to certain users?

A typical example is a photo gallery app. Suppose you are recreating Flickr, and a user's photos should only be viewable by his/her friends. You can restrict other users from accessing the django view that presents the photo. But if the image is on a static media server, the image is still publicly accessible by its direct URL.

So, question is: can you add restrictions to a media server connected to django to say "this image can only be served in a page that was rendered by a django view"?

Thanks for the help --
Brett

Surprisingly (or not?) Facebook has no such permissions...here's a random photo from one of my friend's private albums that apparently you can see without even having a facebook account: http://photos-f.ak.fbcdn.net/photos-ak-snc1/v2681/23/22/30008/n30008_36329813_2721261.jpg

Brice Leroy

Feb 22, 2010, 11:48:21 AM
to django...@googlegroups.com
Hello Brett,
If you use nginx you can use the X-Accel-Redirect function. Technically, you get the file request on django, you check if the user should have access to the file and then you send back a header with the filename inside to your instance of NGinx. Nginx then serves the file.

http://stackoverflow.com/questions/263122/custom-http-headers-for-static-files-with-django

Have a nice day

Brice

2010/2/21 Brett Thomas <brettp...@gmail.com>

--
blog: http://www.debrice.com
project: http://www.kaaloo.com http://www.djangogenerator.com
linkedin: http://www.linkedin.com/in/bricepleroy

Brice Leroy

Feb 22, 2010, 11:50:47 AM
to django...@googlegroups.com
Actually, this snippet should better explain the X-Accel-Redirect feature:

http://www.djangosnippets.org/snippets/491/


2010/2/22 Brice Leroy <bbrri...@gmail.com>

David De La Harpe Golden

Feb 22, 2010, 1:00:16 PM
to django...@googlegroups.com
On 22/02/10 16:48, Brice Leroy wrote:
> Hello Brett,
> If you use nginx you can use the X-Accel-Redirect function.

Minor: if you _don't_ use nginx but rather apache or lighttpd,
the similar feature is called "X-Sendfile".
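The pattern described in the two replies above (the app checks the permission, the web server streams the file) as an added example that is not code from the thread: a framework-independent view function shaped like a Django view's return value, with the nginx X-Accel-Redirect variant (internal URL) and the Apache/lighttpd X-Sendfile variant (filesystem path). The nginx `internal` location, the `/protected/` prefix, the `/srv/media/private` root and the friendship data are assumptions made for the example.

```python
import mimetypes
import posixpath
from dataclasses import dataclass

# nginx side (assumed, not from the thread). "internal" means a direct
# request for /protected/... is a 404; only X-Accel-Redirect can reach it:
#   location /protected/ { internal; alias /srv/media/private/; }
INTERNAL_URL_PREFIX = "/protected/"   # hypothetical nginx internal location
MEDIA_ROOT = "/srv/media/private"     # hypothetical path used for X-Sendfile

@dataclass
class Photo:
    owner: str
    relpath: str             # path below MEDIA_ROOT, e.g. "albums/cat.jpg"
    friends_only: bool = True

# Constructed sample data standing in for the friendship model.
FRIENDS = {"alice": {"bob"}}
SAMPLE = Photo(owner="alice", relpath="albums/cat.jpg")

def can_view(username, photo):
    """Owner always; others only if the photo is public or they are a friend."""
    if username == photo.owner or not photo.friends_only:
        return True
    return username in FRIENDS.get(photo.owner, set())

def media_response(username, photo, backend="nginx"):
    """Return (status, headers, body) as a Django/WSGI view would.

    backend="nginx": X-Accel-Redirect carries an internal URL.
    backend="sendfile": X-Sendfile carries a filesystem path (Apache/lighttpd).
    On 200 the body is empty: the web server discards it and streams the file.
    """
    if not can_view(username, photo):
        return 403, {"Content-Type": "text/plain"}, b"Forbidden"
    clean = posixpath.normpath(photo.relpath)
    # A stored path that climbs out of the media tree is treated as missing.
    if clean.startswith(("/", "../")) or clean in (".", ".."):
        return 404, {"Content-Type": "text/plain"}, b"Not found"
    ctype = mimetypes.guess_type(clean)[0] or "application/octet-stream"
    headers = {"Content-Type": ctype}
    if backend == "nginx":
        headers["X-Accel-Redirect"] = INTERNAL_URL_PREFIX + clean
    elif backend == "sendfile":
        headers["X-Sendfile"] = posixpath.join(MEDIA_ROOT, clean)
    else:
        raise ValueError("unknown backend: %r" % backend)
    return 200, headers, b""
```

In a real Django view the tuple becomes an `HttpResponse` with those headers set; the point is that the public media URL never exists, so only a request that passed the view's check ever reaches the file.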

Graham Dumpleton

Feb 22, 2010, 7:24:48 PM
to Django users

On Feb 23, 5:00 am, David De La Harpe Golden

If you are using mod_wsgi 3.X and use its daemon mode, you can also
use the 'Location' response header with a status of 200, just like in CGI, and
it wouldn't require mod_sendfile. Using 'Location' is like using
'X-Accel-Redirect' in nginx in that it is a URL which is remapped on the
server. The difference is that in Apache you have to use a mod_rewrite
rule if you want to mark a part of the URL namespace as not public, but
instead only accessible from an Apache subrequest.


Thus:

# Map URL for private files.

Alias /private/ /some/path/private/

# Block access to private files except from an Apache sub request.
# (A RewriteRule needs a substitution field; "-" keeps the URL unchanged.)

RewriteEngine On
RewriteCond %{IS_SUBREQ} !true
RewriteRule ^/private/ - [F]

The application would then return the response header:

Location: /private/secret.txt

The status code returned for the HTTP request should be '200'.

Graham
