[Django] #37044: Mention in FileField-.upload_to-Documentation that file locations on authenticated models are not automatically authenticated.


Django, 4:50 AM (17 hours ago)
to django-...@googlegroups.com
#37044: Mention in FileField-.upload_to-Documentation that file locations on
authenticated models are not automatically authenticated.
-----------------------+-----------------------------------------
Reporter: Aaron | Type: Uncategorized
Status: new | Component: Uncategorized
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------+-----------------------------------------
It's common practice to add authentication to a model such that it can be
accessed by a subset of users. Developers might assume that the
authentication of the model covers authentication of the "upload_to"
field, but it does not. Therefore, any authenticated user who guesses any
URL is able to access the underlying file, somewhat circumventing the
authentication. Furthermore, these URLs share common patterns which might
expose a lot more files.

Suggestion:

Add a warning to the documentation of "upload_to" along the lines of:

"'upload_to' does not inherit authentication from a model. This has to
be done externally."

"Authentication of the model does not include authentication of
'upload_to'. Any authenticated user might guess the URLs and can access
the underlying files."

"Make sure to authenticate access to the URL stored in 'upload_to', as
these are not covered by the model authentication."

Looking forward to discussing this,
Aaron
--
Ticket URL: <https://code.djangoproject.com/ticket/37044>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
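As an added example, not code from the ticket or from Django itself: one way to make the model's permission rule cover the file is to give the FileField a storage whose location is outside MEDIA_ROOT (so nothing serves it directly) and hand out the bytes only through a view that applies the same object-level check. It assumes a hypothetical `Document` model in a hypothetical `myapp` with an `owner` foreign key and a `file` FileField; the helpers are duck-typed so they can be checked without Django.

```python
# Assumed (hypothetical): myapp.models.Document(owner=ForeignKey(User),
#   file=FileField(upload_to="docs/", storage=<storage outside MEDIA_ROOT>))
from pathlib import Path


def is_outside_media_root(storage_location, media_root) -> bool:
    """True if files at storage_location cannot be reached through MEDIA_URL.

    Anything under MEDIA_ROOT is normally served as-is by the web server (or
    django.views.static in development) with no knowledge of model permissions.
    """
    location = Path(storage_location).resolve()
    media = Path(media_root).resolve()
    return location != media and media not in location.parents


def user_may_access(user, document) -> bool:
    """Object-level policy, duck-typed so it runs without Django installed.

    `user` needs .is_authenticated, .is_staff and .pk; `document` needs
    .owner_id. Replace the rule with whatever the model's views already enforce.
    """
    if not getattr(user, "is_authenticated", False):
        return False
    return bool(getattr(user, "is_staff", False)) or document.owner_id == user.pk


def serve_document(request, pk):
    """Django view; route it with path("documents/<int:pk>/file/", serve_document).

    Django is imported inside the view so the two helpers above stay importable
    and testable in an environment without Django.
    """
    from django.http import FileResponse, Http404
    from django.shortcuts import get_object_or_404
    from myapp.models import Document  # hypothetical app and model

    document = get_object_or_404(Document, pk=pk)
    # 404 rather than 403: an unauthorised caller learns nothing about whether
    # the guessed id exists.
    if not user_may_access(request.user, document):
        raise Http404
    # Go through the storage API rather than a URL, so any backend works.
    return FileResponse(
        document.file.open("rb"),
        as_attachment=True,
        filename=Path(document.file.name).name,
    )
```

A deployment check is to assert `is_outside_media_root(Document._meta.get_field("file").storage.location, settings.MEDIA_ROOT)` at startup, so a later storage change cannot silently put the files back under MEDIA_URL.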

Django, 6:10 AM (16 hours ago)
to django-...@googlegroups.com
--------------------------------------+------------------------------------
Reporter: Aaron | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Jacob Walls):

* component: Uncategorized => Documentation
* stage: Unreviewed => Accepted
* type: Uncategorized => Cleanup/optimization

Comment:

The suggested clarification is brief, and addresses a misconception that
comes up with frequency on the forum. (See duplicates pointing to Ken's
[https://forum.djangoproject.com/t/show-external-folder-html-content-in-django/10429/2 excellent answer]).

I'm happy to accept if we can do this without dwelling on too many
details. Thanks.
--
Ticket URL: <https://code.djangoproject.com/ticket/37044#comment:1>

Django, 6:48 AM (15 hours ago)
to django-...@googlegroups.com
-------------------------------------+-------------------------------------
Reporter: Aaron                      | Owner: MANAS MADESHIYA
Type: Cleanup/optimization           | Status: assigned
Component: Documentation             | Version: 6.0
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by MANAS MADESHIYA):

* cc: MANAS MADESHIYA (added)
* owner: (none) => MANAS MADESHIYA
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/37044#comment:2>