Authentication for static files


Ben Davis

Sep 26, 2009, 1:08:15 PM
to django...@googlegroups.com
I would like to be able to serve files that were uploaded via the admin site; for example, when someone clicks on the "Currently:" file link in the changeform. However, I also have the following requirements:
  1. The file should only be accessible when authenticated via Django's auth system
  2. Clicking the file link should not present an already authenticated user with another authentication challenge
I'm currently using a custom FileSystemStorage location and base_url for files that should be only accessible via the admin.

I've seen this documentation: http://docs.djangoproject.com/en/dev/howto/apache-auth/, but it deals with mod_python, and I'm using mod_wsgi, so I'm not sure if that will work. Also, I'm not sure if that solution meets requirement #2.

Any ideas?

Graham Dumpleton

Sep 27, 2009, 12:16:13 AM
to Django users


On Sep 27, 3:08 am, Ben Davis <bendavi...@gmail.com> wrote:
> I would like to be able to serve files that were uploaded via the admin
> site;  for example, when someone clicks on the "Currently:" file link in the
> changeform.  However, I also have the following requirements:
>
>    1. The file should only be accessible when authenticated via django's
>    auth system
>    2. Clicking the file link should not present an already authenticated
>    user with another authentication challenge
>
> I'm currently using a custom FileSystemStorage location and base_url for
> files that should be only accessible via the admin.
>
> I've seen this documentation: http://docs.djangoproject.com/en/dev/howto/apache-auth/, but it deals with
> mod_python, and I'm using mod_wsgi, so I'm not sure if that will work.
> Also, I'm not sure if that solution meets requirement #2.
>
> Any ideas?

The mod_wsgi equivalent of that page is at:

http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms

Neither will help you though as they implement Basic/Digest
authentication which is distinct from Django form/session based
authentication and would as a result prompt for credentials again.

Graham

Ben Davis

Sep 27, 2009, 1:31:15 PM
to django...@googlegroups.com
Actually, I just found out about the X-Sendfile header which I think might solve this problem. It basically allows you to set the HttpResponse content to an empty string, but the X-Sendfile header tells Apache to send a file from the filesystem, so Apache handles the actual serving of the file, but it still allows you to do preprocessing beforehand. I'll probably just override django.views.static.serve to support this, and use the X-Sendfile header when in production mode.
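
The X-Sendfile approach from the last message, sketched as an added example that is not part of the original thread or anyone's posted code: the session check and a path containment check run in Python, and only then is the header set. `decide`, `protected_file`, `LOGIN_URL` and `PROTECTED_ROOT` are hypothetical names, and the view assumes a current Django where `request.user.is_authenticated` is a property.

```python
import mimetypes
import os
from urllib.parse import quote

LOGIN_URL = "/accounts/login/"            # assumption: the site's login form
PROTECTED_ROOT = "/srv/protected_media"   # hypothetical storage location


def decide(is_authenticated, rel_path, root=PROTECTED_ROOT, full_path="/"):
    """Return (status, headers) for a request for rel_path under root."""
    if not is_authenticated:
        # Session check only: a logged-in user gets no second challenge,
        # an anonymous one is redirected to the ordinary login form.
        return 302, {"Location": LOGIN_URL + "?next=" + quote(full_path)}
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel_path))
    # Containment: "../", absolute paths and symlinks that resolve outside
    # the protected root are refused, as are directories and missing files.
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return 404, {}
    content_type = mimetypes.guess_type(target)[0] or "application/octet-stream"
    # The body stays empty; Apache reads X-Sendfile and streams the file.
    return 200, {"X-Sendfile": target, "Content-Type": content_type}


def protected_file(request, path):
    """Django view wrapper; Django is imported here so decide() runs without it."""
    from django.http import HttpResponse
    status, headers = decide(request.user.is_authenticated, path,
                             full_path=request.get_full_path())
    response = HttpResponse(status=status)
    for name, value in headers.items():
        response[name] = value
    return response
```

On the Apache side this assumes mod_xsendfile is loaded with `XSendFile On`, and that the protected directory is not also mapped to a URL by an Alias, since a direct mapping would bypass the view entirely.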