serving client uploaded files


Nenad Cikic
May 1, 2012, 4:23:30 AM
to django...@googlegroups.com
Hello,
how can I serve the uploaded files (images)? What I mean is: I have a few models with images, and I see the images in the change form.
The problem is that I can see the same images by writing the media path directly in the web address. And since the model is designed to have data split between the users, I do not want the images to be seen that way.
I have looked and found
https://docs.djangoproject.com/en/dev/howto/static-files/?from=olddocs#staticfiles-other-directories
What I have done is to add the following to the urls:
  from django.conf import settings
  from django.conf.urls import url

  url(r'^media/(?P<path>.*)$', "registracija.views.myuploadedfileview", {'document_root': settings.MEDIA_ROOT,}),

and then the view is something like:
  from django.http import HttpResponseNotFound
  from django.views.static import serve

  def myuploadedfileview(request, path, document_root=None, show_indexes=False):
      # Parse the request and try to understand whether the image is mine
      # (image_is_mine is a placeholder for the ownership check against the model)
      if image_is_mine(request.user, path):
          return serve(request, path, document_root, show_indexes)
      else:
          return HttpResponseNotFound()

This is working; what bothers me is that the serve function is, as the docs state, to be used only in development.
But if I serve the images directly from the web server, would I bypass my security checks?
Is there any other way to achieve my goal?
Thanks
Nenad

Kurtis Mullins
May 1, 2012, 10:47:58 AM
to django...@googlegroups.com
You could use a pseudo-random filename so that it's very unlikely people will be able to easily find others' photos.

If you're very concerned with users being authenticated before viewing the media (which to me, sounds like there won't be a huge load on that segment of your web application) then you can easily use Django to simply store the files to a private directory and let Django handle serving the images. It's not the most efficient technique in terms of speed but it's a reasonable compromise for the security you're looking for.


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-users/-/qJAqbma_ZdAJ.
To post to this group, send email to django...@googlegroups.com.
To unsubscribe from this group, send email to django-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

Nenad Cikic
May 1, 2012, 11:13:26 AM
to django...@googlegroups.com
OK, thanks

Tino de Bruijn
May 1, 2012, 11:37:33 AM
to django...@googlegroups.com
You probably want to implement this with X-Sendfile (or X-Accel-Redirect for Nginx) headers. Those tell the frontend server to serve a specific file.


By googling you will find many examples.


Tino
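The X-Accel-Redirect approach from the reply above, worked as an added example (not code from the thread or from Django itself): the application only decides whether the requesting user owns the file, then hands the actual file transfer to nginx via an internal location. The UPLOAD_OWNERS table, the /protected/ location and the nginx snippet in the comment are assumptions standing in for the project's own model and deployment; Apache's mod_xsendfile works the same way but takes the absolute filesystem path in an X-Sendfile header instead.

```python
import mimetypes
import posixpath

# Constructed sample data: which user id owns which upload (relative to MEDIA_ROOT).
# In a real app this lookup is done against the model that holds the ImageField.
UPLOAD_OWNERS = {
    "photos/alice/cat.jpg": 1,
    "photos/bob/dog.png": 2,
}

# nginx side (assumed config): the location is marked "internal", so nginx only
# serves it when an upstream response carries X-Accel-Redirect, never for a URL
# typed directly into the browser.
#
#   location /protected/ {
#       internal;
#       alias /srv/app/media/;
#   }
INTERNAL_PREFIX = "/protected/"


def safe_relative_path(path):
    """Return the normalised relative path, or None if it escapes the media root."""
    norm = posixpath.normpath(path)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    return norm


def protected_media_response(user_id, path):
    """Decide how to answer a request for a media file.

    Returns (status, headers). Anything the user does not own gets a 404, so the
    existence of other users' files is not revealed. Owned files get an empty 200
    whose X-Accel-Redirect header tells nginx to send the bytes itself.
    """
    rel = safe_relative_path(path)
    if rel is None or UPLOAD_OWNERS.get(rel) != user_id:
        return 404, {}
    content_type, _ = mimetypes.guess_type(rel)
    return 200, {
        "X-Accel-Redirect": INTERNAL_PREFIX + rel,
        "Content-Type": content_type or "application/octet-stream",
    }
```

In a Django view you would call protected_media_response(request.user.id, path), build an HttpResponse with the returned status and copy the headers onto it; the response body stays empty because nginx replaces it with the file.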

Nenad Cikic
May 1, 2012, 9:36:58 PM
to django...@googlegroups.com
This looks interesting, thanks